Thousands of Orange Modems in France and Spain Leaking WiFi Credentials

• Orange modems found to be leaking WiFi credentials over the network, after a thorough scan by Bad Packets.
• Researchers report that most of the company’s modems are affected by an old vulnerability.
• The attacker was located in Spain, searching for Orange modems located there, indicating the intentions.

As discovered and reported by Troy Mursch, the co-founder of Bad Packets LLC, about 19500 Livebox ADSL modems from Orange are leaking WiFi credentials, and attackers are already aware of it. In fact, the security research company was lead to the particular finding after noticing that at least one hacker was scanning for Orange modems on December 21. After further analysis, the researchers realized that the attacker was trying to take advantage of a vulnerability that affected Orange modems back in 2012, so it’s apparently back again now.

The vulnerability allows hackers to obtain the WiFi passwords and network ID of the modem’s internal WiFi network through a simple “GET” request to the “/get_getnetworkconf.cgi”, opening up a whole set of malicious possibilities that are considered by Mursch to be very dangerous for the users.

For example, the SSID data can point the attacker to the exact geographical location of the modem, so a second exploit can follow if the attacker travels to the location and connects to the WiFi network since the password for this is also leaking. After that, the attacker could potentially fiddle with any security systems or alarms that are installed in the place. If these modems are used in enterprise environments, then we could talk about the possibility of serious data theft from the company’s internal network. The problem gets more severe if the user has not changed the default password for the router firmware settings, or if the same password as the WiFi one is used.

From the Bad Packets report

Bad Packets have analyzed a total of 30063 IPv4 hosts, finding leakages of WiFi credentials in 19490 of them, and only 8391 not responding to the scans. Due to the nature of the problem, they did not publish the IP addresses of the affected modems; however, they did report everything to Orange. The latter acknowledged the issue and initiated investigation and remediation planning. Finally, Mursch reports that since this vulnerability can be better exploited from people who are close-by the modems, and considering that most of the affect modems are located in Spain, it is no wonder why the attacker that they detected was also located in Spain, leaving no doubts about the intentions.

If you are an Orange modem owner, worried about the security of your home or company network, check out our guide on how to replace it without spending a fortune.

Would you trust Orange ADSL modems? Let us know of your thoughts in the comments section below. Also, don’t hesitate to pay a visit to our socials on Facebook and Twitter, where you’ll find more news and stories like this one.