I thought people might be interested in an article I've just written about the EE BrightBox.
It seems the security of the device is pretty lax, allowing an attacker to bypass the admin login, exploit the device remotely and even take control of your EE account by leaking credentials.
You can see the article on my blog here: http://scotthel.me/eebb
Scott.
Hi Scott,
Really like your in depth coverage of the security issues.
I am still on ADSL 2+ so I am using a Buffalo wbmr-hp-g300h with dd-wrt and find it is excellent.
I also liked your article on WiFi security.
The answer to your question about the blooper on the ICO web page on WiFi security is: "A Service Set Identifier (SSID) is a unique ID used for naming wireless networks". An SSID is not unique.
Hi Mike,
Thanks for the comments, I'm glad you liked the article.
Good spot on the ICO page, there's also another one!
"You should change the network name from the router's default. This will make it harder for anyone to identify your browser and guess its default settings."
I'm not even sure where to begin with that...!
Scott.
Two bloopers in one paragraph is very sloppy for them
In your latest blog, http://scotthel.me/eebb2 , you say: "I can no longer retrieve account data from another serial number. It seems odd that the ability to retrieve account data in this fashion was present, but upon receiving an official comment from EE 7 days after disclosure and several chaser emails, the problem is gone. Perhaps a coincidence, perhaps not, at least the issue is no longer present." It's simple for EE to present a user's ISP creds only to the original user of that BrightBox('s serial #) and to no other user, by checking the phone # of the line making the TR-069 request, as I suggested in my thread about the possibility of users' creds being 'baked' in. Perhaps they are now checking the phone #?
As to EE's statement: "In response to the points you have raised, the ACS system is secured with a unique username and password for every user, so cannot be exploited in the way you describe. The only reason this was not the case for a short time on your router is because we had removed your router from the network, and then reinstated it so you could test the firmware." What can it mean? Each BrightBox is already associated with a unique username and password for every user and has been for some time. What are they saying has changed?
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
I don't know, this is why I'm a tad suspicious of what they are saying.
I was able to recover the details for several days after receiving the firmware patch. I can't see why them removing or adding my router from the network would allow me to retrieve other configuration data. I assume they mean that each router has unique credentials for the TR-069 request? If that's the case, why would I ever be able to recover data other than my own? I also don't see how they could manage this. The fact that the website that the router communicates with also changed doesn't support their argument either really...
Also, does this mean when they patch every router over the phone line they will also be able to do the same for several days, or was it just an issue with mine specifically?
Maybe I've misunderstood something but it doesn't seem to quite add up.
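An added example, not code from this thread or from EE's ACS, modelling the two points discussed above: an ACS lookup that hands out ISP credentials for whatever serial number is named in the request, beside one that authenticates the router with its own per-device username and password and then serves only the serial and phone line bound to that router, logging any mismatch. All serials, usernames, passwords and line numbers are constructed sample values.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    """One BrightBox as the ACS knows it (constructed sample, not real data)."""
    serial: str
    acs_user: str        # per-device TR-069 username the router authenticates with
    acs_password: str
    line_number: str     # phone line the router is provisioned on


# Constructed sample inventory: two subscribers, each with their own router.
DEVICES = {
    "BB-0001": Cpe("BB-0001", "cpe0001", "pw-0001", "01234567890"),
    "BB-0002": Cpe("BB-0002", "cpe0002", "pw-0002", "01234567891"),
}
DEVICES_BY_USER = {d.acs_user: d for d in DEVICES.values()}

# The ISP broadband login the ACS pushes to each router (also constructed).
ISP_CREDS = {
    "BB-0001": ("alice@example.net", "bb-secret-alice"),
    "BB-0002": ("bob@example.net", "bb-secret-bob"),
}


def lookup_vulnerable(requested_serial):
    """Serves credentials for whatever serial the request names, so any
    connected router can pull other subscribers' broadband logins."""
    return ISP_CREDS.get(requested_serial)


def lookup_hardened(auth_user, auth_password, line_number, requested_serial, audit):
    """Authenticates the router, then serves only the serial and line bound to
    it. Refusals are appended to `audit` so cross-serial requests show up in
    the ACS logs instead of quietly returning another user's login."""
    cpe = DEVICES_BY_USER.get(auth_user)
    if cpe is None or not hmac.compare_digest(cpe.acs_password, auth_password):
        audit.append(f"auth_fail user={auth_user}")
        return None
    if requested_serial != cpe.serial or line_number != cpe.line_number:
        audit.append(f"cross_serial user={auth_user} serial={requested_serial} line={line_number}")
        return None
    return ISP_CREDS[cpe.serial]
```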
Heeding your misgivings about EE pwds, I changed my pwd at the Member's Centre. It auto changed my EE email pwd but not the router's ISP BB login pwd.
I wonder which of the pwds the phone CSs will ask you to supply characters from?
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
I've actually been discussing this with someone via email after they noted similar behaviour.
If you change it via the member centre then it changes everything except your router password. If you call EE and ask them to update the password on the router then it updates everything.
The only thing we haven't established yet is the question you raised, if you change it via the member centre, which one do they ask for? If you find out, please let us know. My money is on them expecting characters from the router password.
"If you call EE and ask them to update the password on the router then it updates everything." That's how you used to do it in the old days, Freeserve, Wanadoo & prob early Orange. There was no Member's Centre. Hence my believing that all the pwds had to be the same.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Edited by XRaySpeX (Thu 13-Feb-14 11:39:59)