19K Orange Livebox Modems Open to Attack

Author: Tara Seals
minute read

A simple flaw allows attackers to derive WiFi credentials with little effort.

A flaw in Orange Livebox ADSL modems allows remote, unauthenticated users to obtain the device’s SSID and WiFi password with a simple GET request.

Troy Mursch at Bad Packets said that the company’s honeypots observed a GET request scan right before Christmas targeting the modems, which are used to provide home internet service by Orange Espana in Spain. Further investigation showed that the flaw (CVE-2018-20377) allows a GET request to “/get_getnetworkconf.cgi” to return the Orange Livebox modem’s WiFi credentials in plaintext.

Mursch referred the issue to Orange Espana, Orange-CERT and CCN-CERT for further investigation and remediation – Orange-CERT said that it was looking into it.

In a query to the Shodan internet of things search engine, 19,490 Orange Livebox modems were found to be leaking their WiFi credentials in plaintext. Worse, many of these are using the same password to administer the device (password reuse); and, more than a handful are using the factory default passwords, according to Bad Packets.

Once an attacker has the WiFi information, he or she can easily access the device and maliciously modify the device settings or firmware.

“Poorly secured Livebox modems enable remote users to view the customer’s phone number, the name/MAC address of all connected clients … and conduct other serious exploits detailed in this Github repository,” Mursch wrote in a post this week.

Further, the initial scan detected by the Bad Packets honeypots came from an IP address belonging to a Telefonica Spain customer, indicating that particular presumed attacker would be local.

“While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems than say a threat actor in another country,” Mursch said. “This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.”

Orange Livebox Arcadyan ARV7519 modem firmware versions 00.96.00.96.613, 00.96.00.96.609ES, 00.96.321S and 00.96.217 are affected by the flaw; 00.96.00.96.613E is immune, according to Bad Packets.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.