A security researcher found that almost 19,500 Orange Livebox ADSL modems leaked WiFi credentials over the weekend.
Troy Mursch, co-founder of the security firm that published the findings, said the scans began on Friday 21 December. The attacker is exploiting a vulnerability first described in 2012 for Orange LiveBox devices (CVE-2018-20377). The flaw allows a remote attacker to simply request the modem's get_getnetworkconf.cgi endpoint and obtain the WiFi password and network ID (SSID) of the modem's internal WiFi network.
WHY THIS IS A TRULY DANGEROUS FLAW
This is dangerous in several ways. First, an attacker can use the leaked information for attacks in the modem's physical vicinity. Services such as WiGLE let an attacker obtain the exact geographical coordinates of a WiFi network from its SSID alone.
Since the Orange modem leaks the WiFi password, an attacker can travel to a suspected high-value target, such as a company or an expensive home, use the password to join the victim's network, and attack other devices on it.
An attacker can, for example, use the WiFi password to connect to a home network, search for smart home alarms and use vulnerabilities in those devices to disable the security system. If the Orange modems are on company networks, attacks can even lead to theft of proprietary technology from the internal network of the company.
Secondly, this vulnerability can also be used to build botnets. Mursch points out that many users reuse the same password for both the modem's WiFi network and its backend management panel. That panel can be used to change the modem's settings and also to access sensitive data.
“They can get the phone number linked to the modem and perform other serious exploits detailed in this Github repository,” Mursch said today in his company’s security advisory.
ORANGE AWARE OF THE ONLINE SCANS
Mursch shared a list of nearly 19,500 Orange LiveBox ADSL modems identified as leaking their WiFi passwords and SSIDs. The vast majority of them are located on the Orange Espana network (AS12479), which is assigned to clients in France and Spain.
Interestingly, the attacker scanning for vulnerable devices is located on the same network. It is unclear, however, whether the attacker is scanning from their own IP address or from one of the vulnerable modems. Mursch says he has reported his findings to Orange Espana and CERT Spain. Orange's CERT security team has already acknowledged the problem on Twitter.
Thanks for the notification. We’re handling your case.
— Orange-CERT-CC (@OrangeCertCC) December 23, 2018
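The two observations above, an unauthenticated GET to the leaking CGI and one source pulling the configuration from many devices, are easy to detect on the defender's side if device or gateway access logs are collected centrally. The script below is an added example written for this article, not code from the article or from the researcher; it assumes a constructed Combined Log Format with the device host name prepended (the sample lines and addresses are made up) and flags sources that successfully retrieved the configuration from several distinct devices as probable mass scanners.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Combined Log Format prefixed with the
# device host name). These are made-up values, not data from the article.
SAMPLE_LOG = """\
modem-a.example 203.0.113.7 - - [21/Dec/2018:10:02:11 +0100] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 312 "-" "python-requests/2.20"
modem-a.example 192.0.2.44 - - [21/Dec/2018:10:02:13 +0100] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
modem-b.example 203.0.113.7 - - [21/Dec/2018:10:02:15 +0100] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 318 "-" "python-requests/2.20"
modem-c.example 203.0.113.7 - - [21/Dec/2018:10:02:18 +0100] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 309 "-" "python-requests/2.20"
modem-c.example 198.51.100.9 - - [21/Dec/2018:10:03:01 +0100] "GET /get_getnetworkconf.cgi HTTP/1.1" 404 0 "-" "curl/7.58"
this line is not a log entry
"""

# Endpoint named in CVE-2018-20377 that returns the WiFi SSID and password.
LEAK_PATH = "/get_getnetworkconf.cgi"

# host src ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_successful_leak(entry):
    """True when the request hit the credential-leaking CGI and got a 200,
    i.e. the WiFi SSID/password was most likely returned to the caller."""
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    return path == LEAK_PATH and entry["status"] == 200


def summarize(log_text, scan_threshold=3):
    """Aggregate successful leak requests per source IP.

    Returns {src_ip: {"hits": n, "hosts": set_of_hosts, "scanner": bool}};
    a source that pulled the config from at least `scan_threshold` distinct
    devices is flagged as a probable mass scanner."""
    per_src = defaultdict(lambda: {"hits": 0, "hosts": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_successful_leak(entry):
            continue
        rec = per_src[entry["src"]]
        rec["hits"] += 1
        rec["hosts"].add(entry["host"])
    for rec in per_src.values():
        rec["scanner"] = len(rec["hosts"]) >= scan_threshold
    return dict(per_src)


if __name__ == "__main__":
    for src, rec in summarize(SAMPLE_LOG).items():
        tag = "PROBABLE SCANNER" if rec["scanner"] else "single device"
        print(f"{src}: {rec['hits']} leak(s) across {len(rec['hosts'])} device(s) -> {tag}")
```

Only responses with status 200 count, since a 404 means the device did not serve the CGI and nothing leaked; the threshold is deliberately a parameter because what counts as "many devices" depends on how many modems feed the collector.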
This is not the first incident in which thousands of devices have been found leaking credentials online. In July, NewSky Security found that more than 30,000 Dahua devices had their admin credentials cached by an IoT search engine.
In December of last year, the same company found that almost 6,500 serial-to-Ethernet devices were leaking Telnet passwords online, and again in May of this year it found that a Brazilian ISP had left more than 5,000 Internet-connected routers without a Telnet password.