EE BrightBox routers can be hacked 'by simple copy/paste operation'

BrightBox routers supplied by UK telco EE as standard kit to its broadband and fibre customers are riddled with security shortcomings that make the devices hackable, a UK security researcher warns. Scott Helme warns that security vulnerabilities expose WPA encryption keys, passwords and ISP user credentials. Hackers might also …

COMMENTS

This topic is closed for new posts.
  1. ardubbleyu

    Sigh...

    I have one of these. So not only is it a cr@p router, but it's also insecure. Time to move on, methinks... in the meantime, it only gets turned on when in use. Fortunately I am a light user on the domestic front.

  2. John H Woods Silver badge

    Pressure required...

    ... same old story, day in, day out. Is it not possible to sue EE for exposing one to such risks? There's got to be a project here for an enterprising law student, surely?

  3. Anonymous Coward
    FAIL

    "WPA keys, ISP creds, MD5 hashes - all in plain view"

    "We treat all security matters seriously (no personal data will be compromised by the device itself), we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection."

    So... your WPA key and login details for your broadband don't constitute personal data? It would feel pretty personal to me if someone used it as a stepping stone to owning my home network. This is the kind of crap that demonstrates just the kind of nightmare the 'Internet of Things' will become. If they cut these sorts of corners for routers, who knows what they'll do with domestic appliance firmware.

    1. Black Betty

      Re: "WPA keys, ISP creds, MD5 hashes - all in plain view"

      Nope, not personal at all. Held jointly by you and your ISP. Or I'd bet that's how they'd argue it. And not quite in public view. If I'm reading this correctly, someone up to no good needs physical, or at least guest wi-fi, access, which puts this in the class of trusting your neighbour not to take a soap impression of your keys while you're on the bog.

      And that's as far as it goes. Without special effort on your part, your privacy in the modern world is pretty much entirely dependent on the size of your profile and the amount of interest you attract.

      I just discovered my (not by my choice mind you) ISP stores passwords using reversible encryption. And worse their lost password procedure is to send it to you plaintext in an SMS message, in my case to a phone number I'd just given the tech not two minutes earlier.

      And that my friend is an improvement. In my previous lost password conversation with them, the tech read my password out to me off their screen.

      Better still, up until very recently all email logins were clear text only, and the last to be upgraded to encrypted logins were of course the primary logins for each account. Their argument was that it wasn't an issue because the connection from the modem to their server was secure. I asked what about remotely accessing email from another computer and the response was essentially, they provided what they contracted to provide - A HOME broadband internet connection, and they couldn't be held responsible for what I did with their credentials on a third party's network.

  4. Anonymous Coward

    Not so Bright then.

    I'll get me coat...

    1. Anonymous Coward

      Re: Not so Bright then.

      The future was bright, it was Orange.

      But of course now they've merged with T-Mobile...

      1. Dan 55 Silver badge
        Windows

        Re: Not so Bright then.

        It stopped being bright the moment France Telecom bought them out; the first thing they did was clobber a load of tariffs and the second thing was turn their website into Crazy Mike's Crazy Web Portal. Or maybe it was the other way around.

  5. Steve Davies 3 Silver badge
    FAIL

    EE?

    Ah might mean

    Everyone Everytime (has access to my network and data)

    1. Michael H.F. Wilkinson Silver badge

      Re: EE?

      Extremely Embarrassing also fits

      1. Immenseness
        Happy

        Re: EE?

        Or just "EE!" in a broad Yorkshire accent, with a slight raising of the chin.

  6. Nigel 11
    Black Helicopters

    Whose routers ARE secure?

    I suspect that the only router you can trust is your own Linux system. (And that's only a maybe).

    Paranoid mode on. They used to come from China with an NSA-approved backdoor in the flash with the vendor's secretly compelled acquiescence, plus a Chinese government backdoor without such acquiescence. Now, in order to provide plausible deniability, they've degraded the firmware so that they can blame their activities on organised slime, or indeed on any old Tom, Dick or Harrietta with a router.

    It also lets the manufacturers sell "enterprise" routers at 20x the profit margin, which come with the better-engineered backdoors.

    1. Destroy All Monsters Silver badge
      Childcatcher

      Re: Whose routers ARE secure?

      Backdoor codes passing each other, high-fiving, HOLDING THE DOOR!

    2. Anonymous Coward

      Re: Whose routers ARE secure?

      Next thing you'll tell us the exploits are actually built into the radio and ethernet chips, meaning they can be exploited anytime, anywhere regardless of the firmware.

      1. Black Betty

        Re: Whose routers ARE secure?

        Ten years and more ago that suggestion was a show stopper, too many discrete components required, too little under-utilised bandwidth to hide in. Today, not so much, the silicon real estate necessary for such a "feature" would represent only a small percentage of a monolithic device managing a dozen communication protocols over hundreds of I/O channels, directly connected to a "pipe" the size of the Mersey Tunnel.

        Fortunately, such attacks on the underlying physical hardware must be done at the front end of the manufacturing process. The blueprints themselves have to be altered, and opportunities for being found out subsequently are myriad all the way through the manufacturing process and even the junk bin. Any lazy college student with electron microscope time on his hands might find it.

        Now, when the next layer of abstraction plus encryption gets offloaded to the I/O chipset all bets are off.

        However, it's all somewhat moot when we know that a spread spectrum digital radio transmitter can be hidden inside a USB connector. We should just thank our lucky stars that RJ-45 connectors are transparent. The size of my mouse dongle tells me there might well be room for a "listening" bug in even that ethernet connector waved about by the talking head last week.

    3. Anonymous Coward

      Re: Whose routers ARE secure?

      You can only trust your own Linux-based router if you've personally downloaded the source code, checked it complies with the checksums, read it all, understood it all and compiled it yourself on your own machine, and even then you require the compiler to be trusted.

      That the source code is available to all does not mean that it is free from errors or intentionally inserted exploits that have gone unnoticed. See the recent 20-odd-year-old privilege escalation exploit in X.11 and the Debian random number generator problem from last year (IIRC). On top of that you've actually got the NSA contributing to Linux.

      Me? I'm rather less paranoid than that and just download CentOS with a "Meh, it'll probably be fine."

  7. Kurgan

    Telecom Italia had such junk before...

    Telecom Italia, in the years 2000-2003, gave their BUSINESS users a router from "Telindus" that exposed its password in plain text to anyone that sent the right "request" to it. Both on LAN and on WAN. So hacking Telecom Italia business users was as simple as sending the right request packet (simple and identical for every router, no MAC address hash involved) to every Telecom Italia public IP address, and you could collect all of the routers' passwords in plain text. Then you telnet to the router and you are in.

    I discovered this vulnerability while trying to access a router (locally) for a customer who lost the password. (http://archives.neohapsis.com/archives/bugtraq/2002-06/0028.html)

    When I told Telecom Italia (and then Telindus) about it, they asked me if I was going after a ransom, if I was some sort of criminal. I just wanted to warn them. Anyway, 6 months later, they changed the firmware so that now you needed to apply an XOR to have the password in plain text.

    Double Fail!

    1. hplasm
      Thumb Up

      Re: Telecom Italia had such junk before...

      Telecom Italia - they make BT look good.

    2. Mr Flibble
      FAIL

      Re: Telecom Italia had such junk before...

      ROT13 twice for added security!

    3. Anonymous C0ward
      Coat

      Re: Telecom Italia had such junk before...

      Are they as bad as Powergen Italia?

  8. Callam McMillan

    So secure...

    ... That the ISP can just push random updates to it.

    Stories like these, coupled with the fact that most ISP supplied routers are crap makes me glad I got a proper router.

    1. rhydian

      Re: So secure...

      ISP supplied routers are a spectrum of "not bad for nowt" to "nuclear waste crap".

      For every half decent ISP router (usually a netgear or D-link crippled with crap firmware) there's at least 10 technicolor/huawei/no-name crapboxen that don't even let you view their configuration settings, let alone adjust them.

      I'm currently running a BT HomeHub 3. Now, before anyone whinges, it came free with my connection and surprisingly enough has been trouble free for the last 18 months, even dealing with port forwarding etc. The pain in the arse however is that it doesn't let you change the DNS server address on the router; you have to do it manually on each device.

      1. Callam McMillan

        Re: So secure...

        I made use of my little bit of Cisco experience and picked a used 3845 up off eBay for £70. Yes, it's totally overkill, but it does a few bits I can't do with a domestic router.

        1. Mr Plastique

          Re: So secure...

          I use a Cisco ASA 5505 which was *ahem* surplus to company requirements.

  9. Irongut

    EE basically say security is the customer's problem.

    I can help all EE customers improve their security with my simple 4 step plan:

    1. Cancel contract with EE

    2. Sign up with a decent ISP instead of the cheapest you could find

    3. ????

    4. Profit!

    1. Michael Habel

      Or consequently... Ya know buy / use a proper Router that didn't just pop-up at your Door One fine Day.

    2. Anonymous Coward

      "I can help all EE customers improve their security with my simple 4 step plan:"

      Just one problem. Responsible ISP is an oxymoron.

      1. Mr Flibble
        Happy

        Responsible ISP is an oxymoron

        Now, now, be fair. There are one or two which do a good job…

        1. Anonymous Coward

          Now, now, be fair. There are one or two which do a good job…

          Name them.

    3. Stretch

      re: a decent ISP

      Let us know if you ever come across one

      1. Mr Flibble
        Thumb Up

        Re: re: a decent ISP

        Let us know if you ever come across one

        Well. I know that A&A are one such.

  10. Anonymous Coward

    Who makes these crappy units?

    1. Fihart

      Who makes Brightbox?

      http://www.astorianetworks.com/astoria/IMPRESSUM.html

      Neighbour had one of these in a room next to my computer. Brightbox's main claim to fame is strong wireless signal -- and it certainly interfered with our network.

      At least now, if a similar issue arises with one, I might be able to hack into it and change password then turn off wireless.

  11. PipV

    What would Kevin say in the adverts

    'It's a no-brainer!'

  12. Destroy All Monsters Silver badge
    Alert

    Sure was a firmware update to 7.62

    I hope someone picked up the not exactly biocompatible pieces from woodland, innit?

  13. John 98

    Due diligence?

    One is always wary of more regulation, but - since the average punter can't help themselves much on this - maybe ISPs should have a legal obligation to ensure their kit is secure. At the risk of annoying UKIP, this might be a job for Steely Neelly.

    Oh - and the shotgun video was a brave move. I don't suppose NSA will get stressed, but will GCHQ report him to about 96 different agencies?

    1. Anonymous Dutch Coward

      Re: Due diligence?

      Don't know much about UK law but wouldn't this be covered under existing consumer protection laws - i.e. that the consumer has a reasonable expectation of security when buying the service which is then totally flouted by the provider?

    2. keithpeter Silver badge
      Windows

      Re: Due diligence?

      "Oh - and the shotgun video was a brave move. I don't suppose NSA will get stressed, but will GCHQ report him to about 96 different agencies?"

      I think the shotgun stunt may turn off ordinary people, and it's those we have to get asking/phoning &c to move large companies. The shotgun thing lets mainstream media bracket the guy off as some nutjob.

      The tramp: I recently got a haircut because I was beginning to look too like the icon. If I stick a suit on and carry my sandwiches in a briefcase, I could pass for a 'normal concerned citizen' now. Just about.

  14. Badvok

    "Access to the ISP user credentials might be abused to hijack a target's broadband account."

    So EE don't use any form of physical authentication to ensure you're connecting from the right line?

    I thought that was why all BT HomeHubs used exactly the same username and password - BT don't care, they authenticate you physically. I'm not sure I'd trust any ISP that didn't.

  15. Gene Cash Silver badge

    What? You whiney lot get routers??

    Here in the magnificent USA, I get a Motorola SURFboard cable modem with one ethernet port on the back, and no firewall or other security whatsoever. It's an upgrade over the previous POS in that it has a web page with some troubleshooting info on it. I have to go buy my own router if I want one.

    I have to bang rocks together for packets... School is uphill both ways... yadda, yadda, yadda.

    1. Eradicate all BB entrants

      Re: What? You whiney lot get routers??

      We may get a free router (or 2) but for that we have to suffer 40Mb Unlimited Fibre for less than £20 a month. It's so stone age that when I click play on Netflix it buffers for over 1 whole second before playing.

      1. Callam McMillan

        Re: What? You whiney lot get routers??

        40Mb, Awwww I feel sorry for you now, we get 72/19 in our house, for less than £30 / $50USD per month. So I think I can put up with not using the crap router my ISP sent me!

        I joke, but when you look at the state of internet access in America, we really can't complain too loudly!

  16. ElNumbre
    Stop

    Stards

    I was quite interested in Sky's broadband as a secondary service to my main AAISP, but was put off because it seems they don't like you using your own router, and don't support bridged mode on their router. There are apparently ways around it, but it looked like a proper pain in the rear, so I have given it a miss. I currently use a TP-Link router running OpenWRT bridging to a pfSense firewall. I trust community code more than a narrow team of developers with their employers' interests at heart.

  17. Franklin

    Welcome to embedded systems programming...

    ...where security is something we've heard of.

  18. Zot

    I thought he said...

    ..."These links will work assuming you are on the same network as a BrightBox router and that it has the standard IP of 192.168.1.1, otherwise they will likely result in an error."

    https://scotthelme.co.uk/ee-brightbox-router-hacked/

  19. Ambivalous Crowboard

    +1 for $device shooting video

    How about at the end of every "$device is insecure" article, we have a video of said piece of equipment being neutralised by a shotgun?

  20. John Smith 19 Gold badge
    FAIL

    That file had a .js suffix.

    Oh look I think someone's been doing embedded systems programming in Javascript.

    I'm guessing some fresh clueless graduate at some coding sweatshop in a 3rd s**thole.

    What could possibly go wrong with that plan?

    The only way this starts to get fixed is if people start switching ISPs as a result.

    1. Anonymous Coward

      Re: That file had a .js suffix.

      The only way this starts to get fixed is if people start switching ISPs as a result.

      And then we learn ALL the ISPs are just as vulnerable in different ways, leading to a sadistic choice: bend over or stay off the Internet, which is becoming less of an option by the day?

      1. John Smith 19 Gold badge
        Unhappy

        Re: That file had a .js suffix.

        "And then we learn ALL the ISPs are just as vulnerable in different ways, leading to a sadistic choice: bend over or stay off the Internet, which is becoming less of an option by the day?"

        No.

        That's round one.

        Let's face it, the days of having the same ISP for life are over.

        So if people start making the point that their privacy matters and that good privacy-protecting ISPs are rewarded (by new customers).

        1. Anonymous Coward

          Re: That file had a .js suffix.

          "Let's face it, the days of having the same ISP for life are over.

          So if people start making the point that their privacy matters and that good privacy-protecting ISPs are rewarded (by new customers)."

          Welcome to REALITY. Incumbents are ALWAYS against upstarts AND can use their experience to push off upstarts. ESPECIALLY in an industry like telecommunications where there is a naturally high barrier to entry: you can't run an ISP without a telecommunications infrastructure.

          Ask this: Why are there so many ISP monopolies in place? Because the ISPs were unwilling to put down for the infrastructure without a captive market with which to recoup the investment. For many communities, it was an "evil vs. eviler" choice: a market of ONE or a market of NONE.
