Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

By Troy Mursch

On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote, unauthenticated users to obtain the device’s SSID and WiFi password.

curl request to an affected Orange Livebox ADSL modem
A simple GET request to “/get_getnetworkconf.cgi” will reveal the Orange Livebox modem’s WiFi credentials in plaintext.
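The scan described above is easy to spot in ordinary web server or honeypot access logs. The following detection logic is an added example and is not code from the original post; it parses a handful of constructed "combined" format log lines (the IPs are from the TEST-NET documentation ranges, not real scan sources) and reports every request for /get_getnetworkconf.cgi grouped by source address, so a defender can see who is probing for this flaw and how often.

```python
import re
from collections import Counter

# Request path the post identifies as the probe for the Livebox credential leak
LIVEBOX_LEAK_PATH = "/get_getnetworkconf.cgi"

# Apache/nginx "combined" access log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real honeypot data)
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2018:14:02:11 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 404 196 "-" "curl/7.58.0"
192.0.2.10 - - [21/Dec/2018:14:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"
198.51.100.7 - - [21/Dec/2018:14:05:40 +0000] "GET /get_getnetworkconf.cgi?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.21.0"
203.0.113.5 - - [21/Dec/2018:14:06:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Dec/2018:15:10:33 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 404 196 "-" "curl/7.58.0"
this line is malformed and should be skipped
"""


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_livebox_probes(log_text):
    """Return the parsed entries whose request path (query string ignored)
    is the Livebox credential-leak endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than aborting the whole scan
        path = entry["path"].split("?", 1)[0]
        if path == LIVEBOX_LEAK_PATH:
            hits.append(entry)
    return hits


def probes_by_source(hits):
    """Count probe requests per source IP so repeat scanners stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    probes = find_livebox_probes(SAMPLE_LOG)
    for h in probes:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    for ip, n in probes_by_source(probes).most_common():
        print(f"{ip}: {n} probe(s)")
```

Feed real access logs to find_livebox_probes and compare the sources it returns against your block lists; a 404 response, as in the sample, means the host is not a Livebox, but the request itself is still worth recording as reconnaissance.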

To assess the number of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan.

Of the 30,063 IPv4 hosts found, our scans revealed:

  • 19,490 leaking their WiFi credentials (SSID/password) in plaintext
  • 2,018 not leaking any information, but still exposed to the internet
  • 8,391 not responding to our scans

Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default “admin/admin” credentials are still applied.

Example Livebox modem status page
Poorly secured Livebox modems enable remote users to view the customer’s phone number, the name/MAC address of all connected clients, and more.

This allows any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this GitHub repository.

Unsurprisingly, the vast majority of affected devices were found to be on the network of Orange Espana (AS12479).

Total affected Livebox modems

Initial scan source

The initial scan for Livebox ADSL modems was detected from 81.38.86.204

The initial scan detected by our honeypots came from 81.38.86.204, which is an IP address associated with a Telefonica Spain customer. While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems than, say, a threat actor in another country. This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.

Closing remarks

Due to the sensitive nature of this flaw, the IP addresses of affected Orange Livebox ADSL modems will not be published publicly; however, the list is freely available for law enforcement and CERT teams to review. We’ve shared our findings directly with Orange Espana, Orange-CERT, and CCN-CERT for further investigation and remediation.