19,000 Orange Livebox ADSL modems found leaking WiFi passwords

Researchers have discovered a flaw in a number of modems sold by Orange that allow remote unauthenticated users to obtain the device’s SSID and WiFi password.

on Friday, December 21, Bad Packets’ honeypots observed “interesting” traffic coming from Orange Livebox ADSL modems, according to a post by one of the company’s co-founders, Troy Mursch.

Of the 30,063 IPv4 hosts found, the firm’s scans revealed 19,490 devices were leaking their WiFi credentials (SSID/password) in plaintext. An additional 2,018 were not leaking any information, but still exposed to the internet, and 8,391 did not respond to the scans.

A good chunk of the hardware found to be leaking passwords use the same credentials to administer the device in what researchers call “password reuse,” or have not configured any custom password, meaning the factory defaults still apply.

“This allows allow any remote user to easily access the device and maliciously modify the device settings or firmware,” Mursch said.

Furthermore, bad actors exploiting this flaw can obtain the phone number tied to the modem and conduct other nefarious business, as detailed in a Github repo.

Most of the affected devices were found to be on the network of Orange Espana (AS12479). The researchers refrained to make the technical details public, due to the sensitive nature of the flaw. However, they did share the technical side of their findings, including the IP addresses of the affected modems, with Orange and law enforcement for investigation and remediation.