Security flaw in EE Smart Hub router fixed after Which? report
EE's Smart Hub router has been patched to fix a potentially dangerous vulnerability, following Which? security testing that uncovered the issue.
One of the country's biggest broadband providers, EE, has provided its Smart Hub router to new and upgrading customers of its fibre broadband plans.
After testing revealed a problem that could leave owners vulnerable to attacks on their local network, we informed EE and it worked on a patch for every Smart Hub router in people's homes.
This problem was fixed and verified, but if you're an EE customer, read on to find out how to check your router is updated.
Tech tips you can trust – get our free Tech newsletter for advice, news, deals and stuff the manuals don’t tell you.
EE router vulnerable to attack
We perform an exhaustive search of known bugs and vulnerabilities on every router that we review. Upon testing this router, we found an old exploit that could let somebody who has access to your local network run malicious code on your router.
The technical problem we found was that the remote SMB service was vulnerable to a heap overflow attack, which allowed for an attacker to execute code on the router to infect it with malware, take control of it or else prevent it from working.
Our own risk assessment found that this vulnerability was difficult to exploit and it required an attacker to already have access to your local WiFi network. But the damage that could be caused by this was potentially extensive.
We also knew that motivated criminals would be able to discover this vulnerability using commercial scanning software.
We notified EE and it accepted our findings and began to work on a patch. This patch was delivered to EE Smart Hub routers before the start of February, meaning owners are now protected from this issue.
We validated this by retesting the router and we found that the patch worked.
Check our reviews of wi-fi routers, mesh networks and extenders for the best ways to boost wi-fi in the home.
What EE customers need to know
While this patch was deployed to customers automatically, if you have an EE Smart Hub, you can know for certain that you have up-to-date firmware by opening the configuration:
- Type 192.168.1.254 into the address bar of your web browser (this is the default gateway to access the router admin panel).
- Log in with your credentials and click on device settings.
- Look for online update and check for updates. The latest firmware version should be displayed, and it ought to be v0.08.02.12273-EE.
While this vulnerability shouldn't have existed in the first place and was found independently by Which? security research, it is positive to see that it was fixed quickly.
See where EE ranks in our table of the best and worst broadband providers, based on reports from real customers.
EE's response
EE co-operated with us when we disclosed this vulnerability and kept us updated, confirming that the vulnerability had been patched and could only be exploited if someone gained access to the home broadband network, for example by obtaining a wi-fi code or plugging a LAN cable directly into the router.
It said 'We take the security of our products and services very seriously. As is the case for all broadband customers, regardless of their provider, it is recommended they only give network access to people they trust, and they should be suspicious of any unsolicited emails and web pages.'
This issue underlines the importance of functioning security support, so manufacturers can keep their products safe and fix problems when they appear.
Products that network with each other (routers, computer, phones, and all 'smart' products) will develop vulnerabilities in their lifespan, so the bigger problem is when manufacturers stop supporting their products, leaving them totally exposed.
We asked EE for its security support policy for its routers and it told us 'All our routers are monitored for security threats and updated when needed.' It also said that if customers are out of contract, they should speak to EE about the options available, including taking out a new plan to upgrade their connection and receive the latest hub.
Compare broadband deals
Use Which? to search for faster, more reliable broadband services
Switch and save
Why security support matters
We've been campaigning for nearly ten years to improve security standards for networked products. When manufacturers don't update the firmware on their products, your security is compromised. Yet it's still common to find products that have little or no security support for sale.
We know through our product testing that vulnerabilities can be found in consumer goods, so it's a constant battle. Before you buy anything, you should be able to see how long the manufacturer will support it or else you're at risk of a product that's either unsafe to use after a short term or at risk of early obsolescence.
Although it's bad when products have vulnerabilities, consumers will be much safer when these are dealt with proactively such as with the EE Smart Hub.
Our guide to smart device security details support policies for 20 categories of connected tech - from TVs and wireless cameras to washing machines and fitness trackers.
New security law seeks to improve product security for consumers
Fortunately, a new law – the Product Security and Telecommunications Infrastructure (PSTI) Act – is set to improve security standards for consumers. It will mandate:
- Support periods clearly displayed at the point of sale
- A ban on weak default passwords
- An obligation for manufacturers to consider and act on reports by security researchers like Which?
Following an implementation period, manufacturers and retailers of almost all types of smart and internet-connected products need to comply with this law.
Find out more about the new security laws for smart devices and what it means for you.