Almost 19,500 Orange Modems Leaking WiFi Credentials

This is becoming a real headache for customers of Orange Livebox ADSL modem in France and Spain during the Christmas season; almost 19,500 modems have been discovered leaking WiFi credentials.

This discovery has been made by a security researcher during the last weekend. ZDNet reports, “Over the weekend, a security researcher has discovered that nearly 19,500 Orange Livebox ADSL modems are leaking WiFi credentials.”

The report adds, “Troy Mursch, co-founder of Bad Packets LLC, says his company’s honeypots have detected at least one threat actor scanning heavily for Orange modems. Scans started Friday, December 21, Mursch said.”

Reports say that the hackers who are behind the attack are exploiting the vulnerability CVE-2018-20377 that was first described in 2012 and which affects Orange Livebox devices. The ZDNet report explains, “The attacker is exploiting a vulnerability affecting Orange LiveBox devices (CVE-2018-20377) that was first described in 2012. The vulnerability allows a remote attacker to obtain the WiFi password and network ID (SSID) for the modem’s internal WiFi network just by accessing the modem’s get_getnetworkconf.cgi.”

A serious issue

This is a rather serious kind of security issue; the flaw is dangerous. Security experts point out that hackers can use the details to execute on-location proximity hacks.

Security reporter Catalin Cimpanu, who has authored the ZDNet report, explains, “Services like WiGLE allow an attacker to get the exact geographical coordinates of a WiFi network based only on its SSID. Since the Orange modem also leaks the WiFi password, an attacker can travel to a suspected high-value target, such as a company or expensive home, and use the password to gain access to a victim’s network and launch attacks on other nearby devices.”

As an example, he explains how a hacker can connect to a home’s network using the WiFi password, then look for smart house alarms and use vulnerabilities in those devices to disable the security system in the house. Similarly, hackers can exploit the vulnerability in an Orange modem located on an enterprise network and even steal proprietary technology from the company’s internal network.

Another grave issue with the flaw is that attackers can exploit it to build online botnets.

In a security advisory published by his company, Troy Mursch states, “Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default “admin/admin” credentials are still applied.”

Mursch adds, “This allows allow any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.”

Troy Mursch concludes the security advisory by saying that the findings have been shared directly with Orange. He writes, “Due to the sensitive nature of this flaw, the IP addresses of affected Orange Livebox ADSL modems will not be published publicly, however is freely available for law enforcement and CERT teams to review. We’ve shared our findings directly with Orange Espana, Orange-CERT, and CCN-CERT for further investigation and remediation.”

He has updated the advisory by stating that Orange-CERT has acknowledged the report and that further investigations are on.