The firm’s honeypots first picked up the attack traffic targeting Orange Livebox ADSL modems. After conducting a simple Shodan search, chief research officer, Troy Mursch found 19,490 such devices leaking their Wi-Fi credentials in plain text.
In addition, over 2000 were not leaking information but still classed as exposed to the internet.
“Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default ‘admin/admin’ credentials are still applied,” he explained.
“This allows any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.”
Most of the affected devices were located in Spain, and the attack traffic was also linked back to an IP address associated to a Telefonica Spain customer.
“While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems, than say a threat actor in another country,” Mursch continued. “This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.”
The flaw in question has been assigned as CVE-2018-20377. At the time of writing Orange had acknowledged the flaw and claimed it was investigating.
Home routers and modems continue to be a major security risk for consumers and remote workers, and a threat to organizations. Just last month researchers uncovered a new botnet of 100,000 compromised machines, comprised mainly of UPnP-enabled home routers.