Updated A Wi-Fi router flogged by British mobile network EE has a hidden administration account with a hardcoded username and password – and is accessible via SSH.
This root-level account, present in EE's 4GEE HH70 gateways, can be accessed by anyone on the local network, such as a malicious user or malware on a Wi-Fi-connected PC.
Once logged in, using the common username and password pair 'root' and 'oelinux123', the user or malware can mess around with settings, hijack DNS lookups, install spyware, and do anything else they like as root on the OpenWRT Linux-based box. The credentials can be found by simply grep'ing the firmware's core_app binary file.
EE unveils shoebox-sized router to boost Brit bumpkin broadbandREAD MORE
Just this month, Blighty's surveillance nerve-center GCHQ urged manufacturers to not bake such default passwords into their gear, because it's an easy target for miscreants poking around in people's networks. Unlucky home gateways with fixed logins can be roped into botnets – armies of compromised gadgets – and ordered to attack other systems, redirect browsers to malicious websites, or mine crypto-coins.
A spokesperson for EE acknowledged to The Register that the devices did ship with the builtin secret login, adding: "It's important to note that for this vulnerability to be exploited, you need to have local access. So the risk of this being exploited is low."
The 4GEE home gateway connects to EE's high-speed mobile phone network, and routes devices on its Wi-Fi network to the internet via the cellular connection. It's handy for people who live out in the sticks with no decent wired 'net connectivity.
The hardcoded login details were discovered and reported to EE by Reg reader James Hemmings in late April this year, giving the network operator 90 days to issue a firmware patch to kill off the hardcoded root login. He and the telco exchanged emails about the vulnerability, then everything went quiet at the end of July, later with no sign of an update coming.
Fast forward to October, and after Hemmings got in touch with us about the flaw, and we got in touch with EE, suddenly the operator's engineers were in touch again with him via email. Curiously, they asked him to provide more details about the security hole, which seems a bit odd given he first pinged them about it in April. It's almost as if the bug report was forgotten about over summer.
During this month, EE has been stalling for time by providing various reasons for the holdup, and was unable to confirm whether or not a firmware update has been pushed out to subscribers. A patch was developed, we're told, but it is unclear whether or not this was ever issued. There were, we understand, various complications with testing it prior to deployment.
Our last email to the biz, dated October 24, was ignored. Hemmings was told on October 23 the fix would be deployed on Thursday, October 25, this week.
On Wednesday, October 24, well after the 90-day deadline, he went public with his findings, so now everyone knows, anyway.
Hemmings reckons devices were still vulnerable this week. "The changing stories and lack of providing a proper ETA is a bit annoying," he told El Reg. "It's been changing over the past few weeks. I am not waiting any further – this is six months old, and over the 90-day disclosure deadline."
If we do hear back from EE, we'll let you know. In the meantime, keep an eye out for any software updates for your gateways. ®
Updated to add
After this story was published, a spokesperson for EE has been in touch to say a security update has been deployed to subscribers. Hemmings confirmed to El Reg that the fix is being rolled out, and it basically disables SSH login.
You must check for software updates on your router, and install them to get the fix.
"We can confirm that the issue has now been resolved and would like to thank the researcher for bringing this to our attention," an EE spokesperson told us on Friday afternoon, UK time.
"The risk of this issue being exploited was extremely low, due to a number of factors: The attacker would need physical access to the Wi-Fi modem, or the attacker would need to be connected to local network, or the attacker would need unlocked access to the laptop or PC.
"We have no reason to believe that any customers were affected by this issue. We take all matters of security extremely seriously, and advise customers to update their security settings on a regular basis."