Not so bright Brightbox brings reminder about security
Discussion of security flaws is always a difficult balancing act, as highlighting them is often the only way to get manufacturers or broadband providers to update software and procedures to avoid a big security headache, but drawing attention can also increase the number of people seeking to explore the vulnerability. The EE Brightbox is now set to get a firmware upgrade to fix some of the plain text vulnerabilities that potentially allowed people to bypass the admin password and access the router.
The discussion on our forums started last October, but the recent presentation by one person has highlighted the risks. The Brightbox is not the first consumer broadband hardware to have vulnerabilities exposed and will not be the last.
Beyond the ability for someone to fake their way into broadband hardware, it would not surprise us if there were millions of broadband routers in UK homes that are still running on the default administrator username and password, which means people need only try perhaps 3 or 4 username and password combinations to gain access. The past has also shown that while some routers are supplied with unique wireless encryption keys, these can be guessed as the random allocation algorithm during the manufacturing process is not truly random.
As yet we are not aware of any attempts by scammers to target EE customers and this vulnerability, generally most phishing is an attempt to gain banking details or simply install malware so that a machine can be added to a large botnet.
Comments
Running on default login as fine as long as the router can't be administered from outside the LAN and you trust everyone who has access to the LAN.
It is possible to replace the Bright Box with an SMC as I have done. That has more facilities to alter security. Unfortunately, security is at the bottom of the list of 'things to do' for just about everyone. Then of course, bin Windows and go Ubuntu Linux,.. much less hassle!