
Orange Livebox ADSL modems are leaking their WiFi credentials - bad_packets
https://badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/
======
JorgeGT
Archive:
[https://web.archive.org/web/20181223120225/https://badpacket...](https://web.archive.org/web/20181223120225/https://badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/)

I have one of these routers, excuse me while I panic/check the vulnerability.

Edit: Checked. It sure leaks the password in plaintext to a simple curl call.
I have no words.

~~~
cissou
Any patch available beyond making your box unavailable to the internet?

~~~
tyingq
OpenWRT seems to be an option if it's Livebox 2.1 or earlier.

~~~
tropin
Well, an option if you don't mind losing ADSL(1) and wifi from your ADSL
router.

(1) It's not clear: the docs mention an Annex working but it's not the same as
the one the hardware provides?

------
tyingq
Apparently, not really news. Here's a blog post from 2015:
[http://tecnicaquilmes.fullblog.com.ar/analizando-el-livebox-...](http://tecnicaquilmes.fullblog.com.ar/analizando-el-livebox-21-de-orange.html)

_"get_getnetworkconf.cgi -> Another very funny one that gives us the WIFI
password without the need for authentication."_

It lists several other issues, as well as the default admin login.

~~~
WrtCdEvrydy
Yeah, but that was in Mexican... no one cared about reading that.

/sarcasm.

------
userbinator
Remember when completely open WiFi everywhere (no password, just connect and
get Internet) was the norm? One of the famous professionals in the security
industry even bragged about it:

[https://www.schneier.com/blog/archives/2008/01/my_open_wirel...](https://www.schneier.com/blog/archives/2008/01/my_open_wireles.html)

Too bad everything seems to be locked down in the name of security these days,
and even the slightest gaps seem to cause a lot of panic. I miss those days of
essentially free Internet everywhere...

~~~
tyingq
I suspect copyright craziness has hindered this as well. Even if you have a
separate VLAN for your open WiFi, I can torrent a movie and get the RIAA/MPAA
chasing you.

~~~
segfaultbuserr
In fact, the primary motivation of locking down an AP with a WPA password,
from an infosec perspective, was NOT ABOUT stopping people from using a free
Internet connection, BUT to harden against the technical limitation of
WPA/WPA2 - the protocol, by design, CANNOT offer encryption on an open
network. Widespread usage of SSL/TLS was only a recent development; it used
to be that you could not run an open AP without COMPLETELY COMPROMISING
EVERYONE's security and privacy on your network, INCLUDING YOUR OWN. The
better way of doing it is creating a separate AP, setting up a password and
showing it publicly; then the attacker at least needs to intercept an
individual handshake before being able to decrypt a portion of traffic. The
even better way is WPA-Enterprise, but... In short, the Wi-Fi standard itself
unnecessarily forces everyone to make a hard choice between security and
openness.

Fortunately, and hopefully, the awkward situation is going to be solved: WPA3
supports encryption on an open AP. Also, WPA3 offers forward secrecy; the
traffic cannot be decrypted by passive monitoring unless the attacker is also
a Man-in-the-Middle.

BTW, as tyingq said, copyright is a factor, but I think laws in general are
a bigger problem. Under the laws of many jurisdictions, the Wi-Fi user may be
responsible for all the legal consequences of other people who are using
his/her Wi-Fi. Routing the guest AP over an anonymous VPN connected via Tor
may be a solution to the legal challenge, but a legal issue needs a real legal
solution.

If you are interested in sharing your Wi-Fi, read
[https://openwireless.org/](https://openwireless.org/)

------
nathanlied
It's quite interesting to me to see something like this here. A few years back
(turn of the decade) I discovered a similar problem in the equipment of a
fairly large ISP, albeit a little bit more serious (think root access). Their
fix was to put that port behind a whitelist, with the only IP address able to
access it remotely belonging to the ISP.

The problem is, this is one of those ISPs that have an extra SSID on their
CPEs for "free" internet, think Xfinity, but this wasn't Comcast, and this
vulnerability stems from an HTTPd misconfiguration, so if you can access the
equipment's HTTPd (all you need to do is a single, unauthenticated request,
so, really any access will do), you've got full access.

I went through some trouble to contact, via third parties, an insider at this
ISP with the power to get things fixed - they did fix the remote part (via the
aforementioned firewall whitelisting), but I was told, in no uncertain terms,
that they didn't care enough to fix the root of the issue, as long as it
wasn't massively exploitable, and it wasn't public.

I like my freedom/money too much to publicize details, and so it's still
there, all these years later. I wonder how many vulnerabilities like this are
out there, fully known by the vendors/providers, but nothing gets done about
them because people are too scared to disclose, until eventually someone comes
along and blows the whistle, or the equipment is obsoleted?

~~~
j1elo
Doing some anonymous disclosure wouldn't be an option? All their users should
know about how their provider treats security issues. We cannot choose with
our wallets if we don't have the information to make an informed decision...

------
a012
ISP-provided modems/routers are a joke; they just order from cheap vendors in
China and make brand names for themselves. Usually the firmware and software
are so bad, with no security practices in mind.

~~~
segfaultbuserr
A pure DSL/cable/fiber-optics modem is relatively okay, assuming it's a sane
unit; it only does modulation-demodulation on Layer-1/2 with little attack
surface. The bad thing is nowadays they usually come from the ISP as a
modem/router combined unit, and neither the performance nor the security is
ideal.

I always see an ISP-provided router as a hazardous & untrusted device. If it
offers bridged PPPoE, I would configure it so it works as a pure modem, even
if it means breaking into the telnet console. Otherwise, I would rather put my
own router behind it, double-NAT and firewall it out of my own network.

In Germany, the _Choice and Connection of Telecommunication Terminal Devices
Act_ has been passed with the support of the free and open source community,
which ensures a user can use their own router to connect to a broadband network.

[https://fsfe.org/activities/routers/timeline.en.html](https://fsfe.org/activities/routers/timeline.en.html)

~~~
marmottus
If you live in/know about Germany, could you suggest a good alternative to the
Kabel Deutschland basic CBN router? I have no clue how the registration to the
network would work if I buy a third party router connected directly to my
cable input.

~~~
SuMu2600
You can register the modem via a web portal during the first connection. After
a few days you get the activation code via snail mail. But third party cable
modems are expensive in Germany. You can also use the provided modem in bridge
mode and use a better router behind it.

~~~
iforgotpassword
That works with KD? F__king unitymedia removed bridge mode from their
firmware. :(

------
jasonjayr
Though not technically a leak, Verizon's FiOS routers report your current WIFI
password to Verizon (not just the default the router ships with), presumably
for customer support reasons.

I didn't expect it to do that, so that was a bit of a surprise.

~~~
iagovar
That is pretty standard for any ISP that uses ACS. It allows a tech op to
manage the router remotely, which is something most customers both demand and
hate.

~~~
matthewmacleod
Why would the tech need the local WiFi password in order to remotely manage
the router?

~~~
jeroenhd
One of the most common problems in ISP customer support is customers changing
their default WiFi password (good) but forgetting it (bad). Then their laptop
crashes and they need their replacement laptop to connect to the WiFi.

This is also the moment a customer will straight up deny the existence of
ethernet cables or claim to have never heard of any Internet-related device
that does not use WiFi.

To satisfy these customers, you need to be able to either read out the WiFi
password or have some way to push a new one. As it's just plain easier to just
allow full-on access to the modem GUI for their customer service agents, it's
often possible to read any passwords or settings from the help desk.

~~~
y04nn
I would not expect my ISP to have access to my plaintext WIFI password. The
ISP agent should either be able to push a new WIFI password via the internet
link (in a secure authenticated manner) or ask the customer to hold a button
on the device to reset it to its default password.

~~~
firethief
You have high expectations. I would never run a WiFi hotspot configured by my
ISP.

------
erwan
I found a pretty bad exploit of the Livebox 1.1 back in 2012. I was trying to
find a way to replace the shipped firmware with OpenWRT. Never heard back from
Sagem/Orange but the vuln was quietly fixed in a later release. I never knew
if they never acknowledged it on purpose or fixed it by accident! Funny to see
this on HN. Brings back good memories.

~~~
JorgeGT
Searching for the vulnerability address one can find this from 2012 in fact:
[https://www.heyrick.co.uk/blog/index.php?diary=20120905&keit...](https://www.heyrick.co.uk/blog/index.php?diary=20120905&keitai=0)

~~~
erwan
Cool find! But this is for the Livebox 2 (newer version); my "work" was on the
Livebox 1.1 (:

I shall write something about it one day, just to immortalize it!

------
coin
This is why you should always put a reputable router+WAP in front of the ISP
supplied modem.

~~~
cronix
Additionally, buy your own modem and save (a lot of) money by not leasing it
forever from the ISP.

~~~
iforgotpassword
See the point is, going for pure modem means you have to deal with all the
VoIP crap too. I'm on VDSL currently and after checking the prices of VDSL
modems and reading up on what I'd need to get VoIP running with my DECT phone
I went like "screw this" and decided to rent their shitty device for two bucks
a month.

~~~
cronix
Ah, I only use their internet/tv services so I only needed to worry about the
cablemodem and dvr (a free cablecard from them decrypts tv so you can use your
own "tivo like device"). I purchased my equipment about 5 years ago for about
$100 and don't rent/lease any of their gear. It's saved quite a bit over the
years.

~~~
iforgotpassword
I change plans every two years. It's ridiculous how much of a discount you get
if you are a new customer and sign up for two years. Currently I'm paying 15€
for 25m/7m. After two years it would increase to 25 iirc. That's on VDSL.
Before that I was on cable (120m/6m) for 18€ and it would have been 39€ after
those two years. It's not that I'm that poor but it just feels like they shit
on their customers once they've been acquired.

------
aflam
Related issue: my ISP uses part of the router's MAC address as the default
wifi password... It could be the kind of problem described in the article -
but the site seems down.

------
StapleHorse
A little bit off topic. I found out about this because I set up some Google
alerts some time ago for the brands of my network hardware. I'm now at my
parents' for the holidays and I would have missed this news if I hadn't
received the email alert.

------
leokennis
I remember supporting these modems in The Netherlands in 2010, when some of
them were already 5 years old. So basically, it's an almost 14 year old
design... I'm really surprised people still have these things in active use.

------
mmaunder
Anyone able to access the site? DDoSed for me. Perhaps post a text snapshot
here until they get it back up? I tweeted Troy to let them know.

~~~
Ded7xSEoPKYNsDd
[https://twitter.com/bad_packets/status/1076797149524811777](https://twitter.com/bad_packets/status/1076797149524811777)

------
ytqaz
This would be completely mitigated by rolling out CG-NAT for all customers.
Orange Espana has been working on this for their fibre customers (I think
almost all of them are behind CG-NAT already), but ADSL customers are still
waiting for it.

~~~
philjohn
Well, except for attackers behind the CG-NAT.

Also, CG-NAT is a HORRIBLE technology that causes lots of problems for
subscribers, all for the sake of allowing an ISP to sell their IPv4 space off
at a premium and pump up their numbers if a quarter demands it.

I'm with Virgin cable in the UK and they are going to IPv6 soon ... but with
DS-Lite, so CG-NAT for IPv4 (yay, I can't connect back to my home VPN if I'm
on an IPv4 only network) but native IPv6 (sort of yay).

You then also have the issues with online services, IP bans etc. etc. etc.

CG-NAT is nothing to be cheered on, and is worse than useless for "security".

~~~
robk
Is that definite on Virgin? Seems uncertain still...

~~~
philjohn
It's the method LG have decided on for all their cable networks, and according
to this presentation from earlier this month, it's still the plan (and let's
face it, if they changed to dual stack now it would take them another 4+ years
to get it rolled out ... snails have NOTHING on the LG network operations
team): [https://www.ipv6.org.uk/wp-content/uploads/2018/11/LG-Virgin...](https://www.ipv6.org.uk/wp-content/uploads/2018/11/LG-Virgin-IPv6-Rollout-UK-IPv6-Council.pdf)

