This page is no longer active

For up-to-date information and comments, search the EE Community or start a new topic.

Bright Box 2 security vulnerabilities highlighted in Which Report & Media

pi-hole
Investigator

 

From a recent Which report on old ISP routers.

 

  • a network vulnerability with EE's Brightbox 2, which could give a hacker full control of the device

https://www.bbc.co.uk/news/technology-56996717

 

This continues to be highlighted in the national media; EE continues the old line "These updates happen automatically so customers have nothing to worry about."

 

Why can't BT/EE recall all their old dodgy kit and ensure that all of their customers have up-to-date secure equipment rather than "the vast majority" as in their response below?

 

BT, which owns EE, also said "the vast majority of its customers" used its latest modem.

 

As a BT shareholder what I see is a management failure to act; there are plenty of examples on this forum of customers' feedback with respect to vulnerabilities in Bright Box 2.

 

Here is one from 2018

 

https://community.ee.co.uk/t5/Broadband-home-phone/BrightBox-Firmware-Vulnerability/m-p/692175#M3621...

3 REPLIES

On multiple threads you reply to the question about firmware updates: "There is no repository for firmware updates, EE will fire them to your router when necessary". There have been, over the years, a few stories about vulnerabilities of EE's Brightbox 2 router.

 

The most recent of these has been discussed in a Which report and then re-reported in the media by various technology websites but also the BBC.

 

Tech Radar report...

 "The watchdog investigated 13 old router devices sent out by most of the UK's most popular ISPs, including EE, Sky, TalkTalk, Virgin Media and Vodafone. Nine of the routers were found to have significant security flaws, including using weak or default passwords, a lack of firmware updates, and in one case (the EE Brightbox 2), a local network vulnerability that could give a hacker full control of the device."

 

One question I have is: in the light of the Which report, should EE be recalling all Brightbox 2 routers and sending out replacement secure routers?

 

At the very least they should be writing to all of their customers and explaining the situation with respect to the network vulnerabilities reported in the national media.

 

https://www.bbc.co.uk/news/technology-56996717

James_B
EE Community Support Team

Hi @pi-hole,

 

We take the security of our products and services very seriously. As detailed in the report, this is a very low risk vulnerability for the small number of our customers who still use the EE Brightbox 2. As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust, and they should be suspicious of any unsolicited emails and web pages. We would like to reassure EE Brightbox 2 customers that we are working on a service patch which we will be pushing out to affected devices in an upcoming background update.

 

James

James,

 

Thank you for your speedy reply and the update that BT/EE propose a security service patch. What the customer needs next is a further update to its customers after the patch has been released and the issue resolved, as a way of keeping them informed of the situation.

 

The broadband customers of EE should not have to rely on stumbling upon media stories or the services of 'Which' to ensure the security of the services they are paying for.

 

At what point does the internet service provider take responsibility for making 'old equipment' redundant and initiate an equipment renewal cycle on security grounds? Should this be at the point of contract renewal?