Everything Everywhere (EE) has released patches for a pair of vulnerabilities discovered by a UK researcher, but has yet to fix a risky cross-site request forgery flaw that could result in traffic sent from the home and small business router being redirected to a malicious site.
Scott Helme, an engineer in the UK, said he has since found more serious vulnerabilities and disclosed them to the popular networking gear manufacturer.
“I’ve yet to publish details as EE have only been aware for around a week,” Helme told Threatpost. Helme informed EE of his original findings in November and went public with them after EE promised patches in December but had failed to deliver.
Helme published details of a number of serious security issues in the routers; EE has 700,000 customers in the UK. The vulnerabilities could make it trivial to steal not only device credentials, but a user’s ISP login data. The BrightBox router also leaks sensitive device and user data to other clients on the network, including WPA and WEP keys, SSID lists and keys, the MD5 hash of device admin credentials and the user’s ISP log-in information.
Helme discovered the vulnerabilities after monitoring the traffic coming and going from his home device. Starting with a lack of TLS encryption on the log-in page for the router, things only got worse as Helme dug deeper. Using a debugging program, he found a CGI JavaScript file that contained his credentials in clear text along with a number of other configuration variables. The risk is compounded because, he said, the device leaks information to any client on the network, allowing anyone to bypass restrictions in place on the Wi-Fi network.
“The device now protects the CGI folder and doesn’t leak credentials,” Helme said. “The risk remaining is the CSRF which means an attacker could potentially change the DNS servers for example and then intercept all of your internet traffic.”
EE is rolling out firmware updates that patch the credential vulnerabilities to customers. Helme said his device was patched over his broadband line, but the company would not send him the patch file. He said EE told him the deployment should be done by the end of February.
“Two of the three were patched it seems due to time constraints. They released what they had and are working on the CSRF,” Helme said. “This hasn’t been confirmed, it’s just what I’ve gathered from their emails.”
Helme told Threatpost in January there were no anti-cross-site request forgery (CSRF) protections in place on the router. He was able to exploit that situation and conduct a replay attack to control the device and gain admin access. He also found a way to bypass the protections in place guarding remote management capabilities.
“With a little CSRF, I can enable remote management on your router and steal all of your sensitive data like WPA keys, ISP credentials and the md5 hash of your admin password over the Internet. Once I’ve cracked the hash I can login and do just about anything I like with your device or not bother with any of that and just call EE to cancel your internet connection,” Helme said.
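The CSRF weakness described above comes down to an admin endpoint that accepts any POST carrying the browser's session cookie, which a page on another site can trigger. The following Python model, added here as an illustration and not code from EE, the BrightBox firmware or Helme, places a deliberately unprotected DNS-change handler beside one hardened with an Origin check and a per-session token. The router origin, session layout and IP addresses are constructed for the example; it simulates the HTTP layer with a small Request class rather than a real web framework.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed admin UI origin of the router (constructed value, not from the article).
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    """Minimal model of what the router's web server sees for one request."""
    method: str
    origin: Optional[str]        # Origin header; browsers send it on cross-site POSTs
    cookies: Dict[str, str]      # cookies the browser attaches automatically
    form: Dict[str, str]         # submitted form fields


@dataclass
class Router:
    dns_servers: List[str] = field(default_factory=lambda: ["192.168.1.1"])
    sessions: Dict[str, bool] = field(default_factory=dict)
    # Per-device secret used to derive CSRF tokens; a page on another site cannot learn it.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def login(self) -> str:
        """Issue a session id, as the admin login page would after a valid password."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = True
        return sid

    def csrf_token(self, sid: str) -> str:
        """Token bound to the session: HMAC(secret, session id), embedded in the admin form."""
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def _authenticated(self, req: Request) -> bool:
        return req.method == "POST" and req.cookies.get("session") in self.sessions

    def set_dns_vulnerable(self, req: Request) -> int:
        """Weak handler: the session cookie alone authorises the change (the flaw in the article)."""
        if not self._authenticated(req):
            return 403
        self.dns_servers = req.form["dns"].split(",")
        return 200

    def set_dns_hardened(self, req: Request) -> int:
        """Hardened handler: cookie plus same-origin check plus session-bound CSRF token."""
        if not self._authenticated(req):
            return 403
        # Cross-site form posts arrive with the attacker's origin; reject them outright.
        if req.origin != ROUTER_ORIGIN:
            return 403
        # The token check covers clients that omit Origin; compare in constant time.
        expected = self.csrf_token(req.cookies["session"])
        if not hmac.compare_digest(req.form.get("csrf", ""), expected):
            return 403
        self.dns_servers = req.form["dns"].split(",")
        return 200


def demo() -> Dict[str, object]:
    """Replay one forged cross-site POST against both handlers and one legitimate POST."""
    weak, strong = Router(), Router()
    sid_weak, sid_strong = weak.login(), strong.login()

    # Forged request: the victim's browser submits a form from another site. The session
    # cookie rides along automatically, but the attacker page cannot supply the token.
    # Addresses are constructed documentation values (RFC 5737).
    forged_weak = Request("POST", "http://attacker.invalid", {"session": sid_weak},
                          {"dns": "203.0.113.5"})
    forged_strong = Request("POST", "http://attacker.invalid", {"session": sid_strong},
                            {"dns": "203.0.113.5"})
    # Legitimate request: submitted from the router's own admin page with its token.
    legit = Request("POST", ROUTER_ORIGIN, {"session": sid_strong},
                    {"dns": "192.0.2.53", "csrf": strong.csrf_token(sid_strong)})

    return {
        "vulnerable_status": weak.set_dns_vulnerable(forged_weak),
        "vulnerable_dns": list(weak.dns_servers),
        "hardened_forged_status": strong.set_dns_hardened(forged_strong),
        "hardened_dns_after_forgery": list(strong.dns_servers),
        "hardened_legit_status": strong.set_dns_hardened(legit),
        "hardened_dns_after_legit": list(strong.dns_servers),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak handler accepts the forged request and rewrites the DNS servers, which is exactly the outcome Helme warns about; the hardened one refuses it on the Origin check and would still refuse it on the token check if the header were missing. The token must be tied to the session and generated from a secret the device never exposes, which matters for a router that, before the patch, served its configuration variables to any client on the LAN.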