EE hurries to patch security risk that could leak customer details to hackers

EE has moved to fix a security flaw in its broadband routers that potentially allows sensitive customer data including ISP user credentials to be easily accessed and opens EE subscribers up to abuse.

Related: EE CEO doubts Vodafone, O2 and Three can keep up

The problem, first discovered by technology blogger Scott Helme, affects customers that have the Brightbox 1 or 2 router and an automatic upgrade will be sent out by the end of the month to fix a security threat that EE describes as “moderate.”

"We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers' Brightboxes with enhanced security protection,” EE said in a statement to the BBC.

The error, according to Helme, can allow sensitive customer data, which includes the account holder’s password, to be accessed remotely if a hacker gets hold of a customer’s Wi-Fi password. This in turn could let anyone ring EE’s customer hotline, easily bypass account security and let the perpetrator "go as far as cancelling someone else's broadband package altogether."

UPDATE (21/01/14) - EE wishes to issue the following statement regarding the vulnerability discovered: "To cancel an account a caller must verify their identity to one of our customer service agents. An email or username, which is the only information a third party could access, is not accepted as an account identifier."

Helme added that the cgi_status.js contents “actually outputs almost every single piece of sensitive information stored on your router,” some of which was too sensitive to be revealed in the blog post.

EE disclosed to the BBC on Friday that it had already changed its measures so that it was no longer possible to do this and had in the process briefed staff in its call centres on the changes to its procedures.

So far EE hasn’t received any complaints about the problem and added that customers should never disclose Wi-Fi passwords to anyone other than those that they trust with the information.

"As is the case for all home broadband customers, regardless of their provider, it is recommended they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and web pages, and keep their security software up to date,” an EE spokesperson added.

Related: Vodafone and BSkyB in secret talks targeting BT broadband expansion

Any customer that has signed up for an EE broadband package since early 2012 is affected by the problem, in addition to earlier customers that have upgraded routers, and BBC estimates put the number affected at around 350,000 customers.