Telecoms firm EE is working on an emergency fix for a security flaw in the routers it issues to customers.
The Bright Box router provided to customers who subscribe to EE's home broadband service leaks access to sensitive customer information, including the password of the EE account holder, according to security researcher Scott Helme.
Helme detailed the flaw in a blog posting earlier this month.
"Being able to grab details like the WPA keys or the hash of my admin passwords was bad enough, but exposing my ISP user credentials represents a huge risk. This is made even worse by the fact it's possible to access all of the data remotely," said Helme in the post.
"Even if the device is only used in the home or small office, this represents a total compromise of the device's security and an attacker could wreak havoc with your account causing huge inconvenience and even financial losses."
An EE spokesman said the company is working on a fix that will address the issues raised by Helme.
"We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection," he said.