loader gif

Bug in Orange modems leaks over 19,500 devices’ Wi-Fi credentials

Bug in Orange modems leaks over 19,500 devices’ Wi-Fi credentials
  • The flaw (CVE-2018-20377) could allow hackers to obtain Wi-Fi passwords and network IDs (SSID) of Orange modems.
  • A vast majority of affected devices found on the networks use Orange Espana (AS12479).

A flaw in Orange Livedox ADSL modem has leaked Wi-Fi credentials of thousands of users. Dubbed CVE-2018-20377, the vulnerability affects nearly 19,500 Orange modems.

Troy Mursch, the co-founder of Bad Packets LLC, said that the issue was detected on the company’s honeypots. Threat actors began scanning for vulnerable Orange modems from December 21.

The vulnerability - used to exploit the Orange modems - was first discovered in 2012. It could allow hackers to obtain Wi-Fi passwords and network IDs (SSID) of modems just by gaining access to modem’s get_getntworkconf.cgi.

Severity of the flaw

The vulnerability, if exploited, is touted to put both company and user data at risk. Services like WiGLE can allow an attacker to get the exact geographical coordinates of a Wi-Fi network based on its SSID number. Once the attackers obtain the SSID number, they can us it to infect a victim’s network and launch attacks on other nearby devices.

The vulnerability could also allow attackers to build IoT botnets. Mursch explains that the reason behind this is that many users tend to use the same password for both the modem’s Wi-Fi network and backend administration panel.

“This allows allow any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository,” Mursch explained in a blog post.

Infected modem model

A vast majority of affected devices were found on the networks that use Orange Espana (AS12479) and are assigned to customers in France and Spain. The honeypot detected that the attackers were scanning 81.38.86.204 - an IP address associated with a Telefonica Spain customer - to exploit the vulnerability in Orange modems.

Both Orange Espana and CERT Spain have been notified about the issue, which the Orange’s CERT security team has acknowledged.

loader gif