Hackers are abusing a fault (CVE-2018-20377) in Orange Livebox ASDL modems that lets them get the SSID and the Wi-Fi password of the appliances in plaintext. As soon as access is gained to a weak modem, attackers could update the firmware and alter device settings. Abusing the fault is as easy as sending a GET request.
The fault was recognized by Troy Mursch at Bad Packets, who noted the company’s honeypots were being scanned with GET requests in the run-up to Christmas. The images were part of targeted attacks on Orange LiveBox ASDL modems, which are utilized by Orange Espana to provide a consumer Internet facility.
Recognizing the appliances is a swift and easy procedure. A search can be carried out on the search engine Shodan. A rapid search by Mursch demonstrated there are presently 19,490 of the weak modems in use. Additional 2,018 modems were not leaking data but were exposed to the Internet.
As soon as identified, an attacker only requires to send a GET request to “/get_getnetworkconf.cgi to get plaintext SSIDs and WiFi passwords. An attacker can also see the phone number of the client and the MAC addresses and names of all related clients. Mursch also found that password reuse was widespread, and many appliances had not set a custom password, instead, they used the default admin/admin identifications.
The attack recognized by Mursch seems to come from within Spain from a Telefonica Spain customer. It is presently unclear why attempts are being made to access the modems’ Wi-Fi identifications.
Mursch has reported the fault to CCN-CERT, Orange Espana, and Orange-CERT and the weakness is presently being probed. The fault is present in Orange Livebox Arcadyan ARV7519 modems running firmware versions 00.96.00.96.613, 00.96.00.96.609ES, 00.96.321S and 00.96.217.