Hackers are exploiting a flaw (CVE-2018-20377) in Orange Livebox ADSL modems that allows them to obtain the SSID and the Wi-Fi password of the devices in plaintext. Once access is gained to a vulnerable modem, attackers could update the firmware and change device settings. Exploiting the flaw is as simple as sending a GET request.
The flaw was identified by Troy Mursch at Bad Packets, who noticed the firm’s honeypots were being scanned with GET requests in the run-up to Christmas. The scans were part of targeted attacks on Orange LiveBox ADSL modems, which are used by Orange Espana to provide a consumer Internet service.
Identifying the devices is a quick and simple process. A search can be performed on the search engine Shodan. A quick search by Mursch showed there are currently 19,490 of the vulnerable modems in use. A further 2,018 modems were not leaking data but were exposed to the Internet.
Once identified, an attacker only needs to send a GET request to “/get_getnetworkconf.cgi” to obtain plaintext SSIDs and Wi-Fi passwords. An attacker can also view the phone number of the customer and the MAC addresses and names of all connected clients. Mursch also found that password reuse was rife, and many devices had not set a custom password; instead, they still used the default admin/admin credentials.
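Defenders can look for this probe in web server or honeypot access logs. The following is an added example, not code from the article or from Bad Packets: it assumes Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Path named in the article as the target of the GET requests.
PROBE_PATH = "/get_getnetworkconf.cgi"

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Drop the query string, percent-decode, collapse repeated slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_probes(lines):
    """Return (hits, per_ip): matching (ip, time, status) records and a per-IP Counter."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":  # the article describes GET requests only
            continue
        if normalise(m["target"]) == PROBE_PATH:
            hits.append((m["ip"], m["ts"], int(m["status"])))
            per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [21/Dec/2018:10:02:11 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [21/Dec/2018:10:02:15 +0000] "GET /get%5Fgetnetworkconf.cgi?x=1 HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [22/Dec/2018:03:40:00 +0000] "GET //GET_getnetworkconf.cgi HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.44 - - [22/Dec/2018:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.44 - - [22/Dec/2018:08:00:05 +0000] "POST /get_getnetworkconf.cgi HTTP/1.1" 405 0 "-" "-"',
    'malformed line that is not an access-log record',
]

if __name__ == "__main__":
    hits, per_ip = find_probes(SAMPLE)
    for ip, ts, status in hits:
        print(f"{ts} {ip} requested {PROBE_PATH} -> HTTP {status}")
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} probe(s)")
```

On a log taken from a device or reverse proxy in front of one, a hit with status 200 is the case to prioritise, since it suggests the endpoint answered rather than rejected the request.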
The attack identified by Mursch appears to come from within Spain from a Telefonica Spain customer. It is currently unclear why attempts are being made to access the modems’ Wi-Fi credentials.
Mursch has reported the flaw to CCN-CERT, Orange Espana, and Orange-CERT, and the vulnerability is currently being investigated. The flaw is present in Orange Livebox Arcadyan ARV7519 modems running firmware versions 00.96.00.96.613, 00.96.00.96.609ES, 00.96.321S and 00.96.217.