Leave it to a software test engineer to be thorough about his home networking gear.
Scott Helme, an engineer in the U.K., likes to take a close look at traffic coming and going from new devices installed at his home. Recently, he signed up for fiber service from Everything Everywhere, an ISP in the U.K., which delivered the BrightBox router to his home. BrightBox routers have been installed for more than 700,000 home and small business subscribers in the U.K., and to Helme’s horror, the box is awash with security vulnerabilities.
The flaws are so extreme, he said, that it’s trivial to steal not only device credentials, but a user’s ISP login data. The BrightBox router also leaks sensitive device and user data to other clients on the network, including WPA and WEP keys, SSID lists and keys, the MD5 hash of device admin credentials and the user’s ISP log-in information.
“I would say the leakage of the ISP user credentials is the most severe issue. Coupled with some social engineering or online research an attacker could cancel your broadband account, incurring some serious financial penalties and inconvenience,” said Scott Helme, a software test engineer in the U.K. “That’s closely followed by leaking the md5 hash of the admin password as that hands total control of the device to an attacker. Any of these coupled with [a] CSRF attack to enable remote management could be disastrous, especially to a small business.”
Helme reported the issue to EE several times through customer services and its call center before emailing the ISP’s CEO and CTO, which beckoned an almost immediate response from the company’s head of security operations. EE told Helme it would patch the various problems he uncovered in December, and that date was soon pushed out to mid-January. As of this morning, EE had not patched the firmware, nor had it been in contact with Helme again.
“At the time of publishing, the latest information I have is that the firmware is back in development to resolve further issues found during testing. Updates and information from EE regarding when this might be patched seem to have dried up completely. I don’t even have an estimate of when the patch will now be available and my questions remain unanswered,” Helme wrote on his website, adding that he decided it was in the public’s best interest to disclose the issue.
An EE spokesperson told Threatpost the company is aware of Helme’s research.
“We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection,” the spokesperson said.
Helme said he found trouble from the get-go, noticing a lack of TLS encryption on the log-in page for the router. Running it through the Fiddler debugging program, he was able to quickly find the cgi file storing his credentials as well as a number of other files exposing configuration variables. Normally this would not be a considerable risk for a user logged in as the admin, but as it turns out the device leaks information to any client on the network and anyone could bypass any restrictions imposed on the WiFi network.
“Once a user has access to your Guest Network for example, they could simply view the WPA key for your Main Network and completely bypass all of your restrictions with a simple copy/paste operation,” Helme wrote. “Not only that, but if someone has brief access to your premises and perhaps connects to your LAN, they can steal a copy of your WiFi password/s. This would allow them remote access to your WiFi from outside the premises without you ever divulging the passwords to anyone. Not so good.”
Helme also looked at the password reset mechanism on the router and learned that the existing password is validated only client-side prior to submission on the network.
“If the original password isn’t verified and someone walked by a computer with a logged in session, they could simply reset the password without knowing the existing password,” Helme said. “If the password is available on the client side it means the router transmitted the current admin password to the client.”
Helme loaded another cgi file that contains a MD5 hash of the current admin password, which he said is crackable using rainbow tables available online. The list of javascript files Helme found, he said, could be appended to leak a wide range of data.
He also discovered there were no anti-cross site request forgery protections in place and that enabled him to pull off a replay attack to control the device and gain admin access. He also found a way to bypass the protections in place guarding remote management capabilities.
“With a little CSRF, I can enable remote management on your router and steal all of your sensitive data like WPA keys, ISP credentials and the md5 hash of your admin password over the Internet. Once I’ve cracked the hash I can login and do just about anything I like with your device or not bother with any of that and just call EE to cancel your internet connection,” Helme said. “To try and restrict access to the remote management configuration page but then still allow the feature to be enabled is a huge oversight, especially considering how much data the device leaks! What’s even worse is that there are bugs and odd behavior taking place over the web interface that isn’t normally present.”
This article was updated at 11 a.m. with comments from EE.