EE broadband router vulnerable to remote access, will be updated

EE has pledged to update its home broadband routers after a security blogger found they could be hacked.

Nick Hide Managing copy editor

Traffic from the Bright Box and Bright Box 2 routers unwittingly gives access to account details, blogger and QA automation specialist Scott Helme discovered. "It discloses the password of the EE account holder so I can call EE and pass account security," he writes, although EE assures me that further verification would be required, with emails and usernames not sufficient ID.

"Looking through further I believe it actually outputs almost every single piece of sensitive information stored on your router," Helme adds. "That includes things like all of your WiFi SSIDs and their WPA2 keys."

"We are aware of Mr Helme's article," an EE spokesperson told me in a statement. "As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date.

"We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Bright Boxes with enhanced security protection."

EE told the BBC the threat to users was "moderate", and that the update would be out by the end of the month.

Formerly branded Orange, EE has around 700,000 broadband subscribers in the UK, according to ISP Review.

As for Mr Helme, he replaced his Bright Box with an Asus router and disposed of EE's machine in pretty spectacular fashion.

Update 21 January: Added clarification on account access procedures.