Troy Mursch, co-founder of Bad Packets LLC, says his company's honeypots have detected at least one threat actor scanning heavily for Orange modems. Scans started Friday, December 21, Mursch said.
The attacker is exploiting a vulnerability affecting Orange LiveBox devices (CVE-2018-20377) that was first described in 2012. The vulnerability allows a remote attacker to obtain the WiFi password and network ID (SSID) of the modem's internal WiFi network simply by requesting the modem's get_getnetworkconf.cgi page, with no authentication.
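One way to spot this activity in honeypot or web-server access logs, added here as an example that is not taken from the article or from Bad Packets' own tooling: group requests for the get_getnetworkconf.cgi path by source address and record whether any such request was served (HTTP 200) rather than rejected. The log lines below are constructed samples, not real honeypot data.

```python
import re
from datetime import datetime

# Request path named in the CVE-2018-20377 reports; matched case-insensitively, query string ignored.
TARGET_PATH = "/get_getnetworkconf.cgi"

# Combined log format: src ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real honeypot data): two sources, one of which
# is served the CGI page (HTTP 200) while the other gets a 404.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Dec/2018:09:12:01 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2018:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.58"
198.51.100.7 - - [21/Dec/2018:09:12:40 +0000] "GET /GET_getnetworkconf.cgi?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2018:09:14:22 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 404 0 "-" "curl/7.58"
this line is not in combined log format
"""

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?", 1)[0].lower(),
        "status": int(m.group("status")),
    }

def find_livebox_probes(lines):
    """Group requests for the vulnerable CGI by source: {src: {hits, first, last, served}}.
    "served" is True when at least one request got HTTP 200, i.e. the device (or
    honeypot) answered the unauthenticated request instead of rejecting it."""
    probes = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        e = probes.setdefault(rec["src"], {"hits": 0, "first": rec["ts"], "last": rec["ts"], "served": False})
        e["hits"] += 1
        e["first"] = min(e["first"], rec["ts"])
        e["last"] = max(e["last"], rec["ts"])
        e["served"] = e["served"] or rec["status"] == 200
    return probes
```

On a real ISP-facing sensor, any source listed by `find_livebox_probes` is a scanning candidate worth reporting to the network's abuse contact, and a `served` entry on a device you operate means the management interface is answering unauthenticated WAN-side requests.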
Why this is a very dangerous flaw
The flaw is dangerous in several ways. First, an attacker can use these details for on-location proximity attacks.
Services like WiGLE allow an attacker to get the exact geographical coordinates of a WiFi network based only on its SSID. Since the Orange modem also leaks the WiFi password, an attacker can travel to a suspected high-value target, such as a company or expensive home, and use the password to gain access to a victim's network and launch attacks on other nearby devices.
For example, an attacker can use the WiFi password to connect to a home's network, look for smart home alarms and use vulnerabilities in those devices to disable the home's security system. If the Orange modems are located on enterprise networks, attacks can even result in the theft of proprietary technology from the company's internal network.
Second, this vulnerability can also be used to build online botnets. Mursch points out that many users tend to reuse the same password for both the modem's WiFi network and its backend administration panel.
This panel can be used to alter the modem's settings, but also to gain access to sensitive information.
"They can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository," Mursch said today in a security advisory published by his company.
Orange aware of the online scans
Mursch shared a list with ZDNet containing nearly 19,500 Orange LiveBox ADSL modems that he has identified as exposing their WiFi passwords and SSIDs.
The vast majority are located on the network of Orange Espana (AS12479), assigned to customers in France and Spain.
Curiously, the attacker carrying out scans for vulnerable devices is also located on the same network. However, it is unclear whether he is scanning from his own IP address or from one of the vulnerable modems itself.
Mursch says he notified Orange Espana and CERT Spain about his findings. Orange's CERT security team has already acknowledged the issue on Twitter.
This is not the first incident in which thousands of devices have been found to leak credentials online. In July, NewSky Security found that over 30,000 Dahua devices had their default admin credentials cached inside an IoT search engine.
The same company also found in December last year that nearly 6,500 serial-to-Ethernet devices were leaking Telnet passwords online, and in May this year that a Brazilian ISP had left over 5,000 routers connected to the internet without a Telnet password.