Content, Content, EMEA, Europe

Telecom Data Security Flaw: Orange SA Modems Leak WiFi Info

A picture taken on December 5, 2012 shows the logo of French telecom group Orange-France Telecom displayed at LeWeb Paris 2012 in Saint-Denis, near Paris.  AFP PHOTO ERIC PIERMONT

A security flaw recently was discovered that exposed the WiFi credentials from more than 19,000 modems from French telecommunications operator Orange S.A., according to Bad Packets Report. Most of the affected devices were found on the Orange Espana network, which is based in Spain.

Remote unauthenticated users can leverage the security flaw to obtain an Orange Livebox ASDL modem's SSID and WiFi password, Bad Packets Report indicated. They also can use the security flaw to modify a modem's settings or firmware, obtain the phone number linked to the device and perform other exploits.

How Was the Security Flaw Discovered?

Bad Packets Report scanned 30,063 Orange Livebox ASDL modem IPv4 hosts and discovered the following:

  • 19,490 modems leaked WiFi credentials in plaintext.
  • 8,391 modems did not respond to the scans.
  • 2,018 modems did not leak any information, but the modems' WiFi credentials were publicly accessible on the Internet.

Nearly 15,000 Orange Livebox ASDL modems have been patched against the security flaw as of December 29, Bad Packets Report stated.

What Can Organizations Learn from the Orange Livebox ASDL Modem Data Leak?

The Orange Livebox ASDL modem data leak highlights the importance of setting up a unique password for modems and other devices.

Many Orange Livebox ASDL modems that leaked their WiFi password did not feature a custom device password, Bad Packets Report noted. In fact, these modems had the factory default "admin/admin" credentials in place.

Ultimately, MSSPs can provide password best practices to help organizations avoid data leaks and breaches. Common password best practices include:

  • Implement a password policy. Teach employees how to set up secure passwords across all of an organization's devices.
  • Use complex passwords. Implement passwords that contain at least eight characters and include a mix of special characters, uppercase and lowercase letters and numbers.
  • Set up a different password for each account. Use a distinct password for each account; otherwise, an organization exposes its sensitive data to unnecessary risk.
  • Update passwords regularly. Require employees to update their passwords approximately every 30 to 60 days.

MSSPs also can help organizations keep pace with evolving cyber threats. To do so, MSSPs can provide security services and resources to ensure that organizations are well-equipped to prevent cyberattacks both now and in the future.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.