A whole range of routers can be reconfigured remotely without authorization.
Security researcher Bogdan Calin said that just displaying an email within the router’s own network can have far-reaching consequences: when opened, a specially crafted test email reconfigures the wireless router so that it redirects the user’s Internet data traffic. The affected routers are from Arcor, Asus and TP-Link.
An attacker could exploit this to redirect unwitting users to a phishing site and harvest their details when they are trying to log into facebook.com.
The attack uses the Cross-Site Request Forgery (CSRF) technique.
In his HTML test email, Calin embedded images whose source URL (src=) points to the router’s default IP address (often 192.168.1.1). The URL contains parameters that instruct the router’s web interface to modify the DNS server configuration. As the URL also contains the admin password for the web interface, the attack will only be successful if the user has left the default password unchanged. A full CSRF URL could look something like this: http://admin:email@example.com/start_apply.htm?dnsserver=220.127.116.11
When displaying the email, the email client will attempt to retrieve the embedded picture from this URL. The router will interpret the parameters as an instruction from the user to configure a different DNS server. Once the changes occur, any DNS queries will go through the configured DNS server, which the attacker controls. From then on, the sender of the email can freely direct the user to arbitrary web servers.
The security researcher opened his test emails with the iOS and Mac OS X default email clients, which load images in HTML emails without prior confirmation. iOS users can disable this functionality with the “Load Remote Images” switch under “Mail, Contacts, Calendar” in the Settings menu. Calin said Gmail will also load images if a user has previously replied to emails from that sender. Other email clients may also load images without requesting prior confirmation.
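A mail gateway or client-side filter can catch this pattern before anything is rendered. The following is an added example, not code from Calin or from any mail product: it scans an HTML body for automatically fetched URLs that carry embedded credentials or point at an internal address. The names `ResourceCollector`, `is_internal` and `scan_html`, the LAN-name heuristic and the sample body are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ResourceCollector(HTMLParser):  # gathers URLs a client fetches while rendering
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (name in ("src", "background") or (tag, name) == ("link", "href")):
                self.urls.append(value.strip())

def is_internal(host):
    """Private/loopback/link-local IP literal, or a LAN-style name (heuristic)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host or host.lower().endswith((".local", ".lan", ".home"))
    return ip.is_private or ip.is_loopback or ip.is_link_local

def scan_html(html):
    """Return (url, reasons) for each auto-fetched URL that should be quarantined."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        try:
            parts = urlsplit(url)
        except ValueError:
            findings.append((url, ["unparseable-url"]))
            continue
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https", "") or not host:
            continue  # cid:, data: and relative references never reach the LAN
        reasons = []
        if parts.username is not None or parts.password is not None:
            reasons.append("embedded-credentials")
        if is_internal(host):
            reasons.append("internal-target")
            if parts.query:
                reasons.append("query-parameters")
        if reasons:
            findings.append((url, reasons))
    return findings

# Constructed sample body; the password and DNS address are placeholders.
SAMPLE_HTML = """<img src="https://cdn.example.org/logo.png">
<img src="cid:part1.logo">
<img src="http://admin:PLACEHOLDER@192.168.1.1/start_apply.htm?dnsserver=203.0.113.5">"""
```

Only the third image in the sample is reported; ordinary remote images and inline `cid:` attachments pass through.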
Calin said he successfully attacked Asus RT-N16 and RT-N56U routers, TP-Link routers such as the TL-WR841N, and the Arcor EasyBox A 600. Further models could be vulnerable as new CSRF holes in routers continue to surface. Users can protect their routers from compromise by changing their router password to something other than the default – advice which is applicable to this as well as various other attack scenarios.
Tools such as the OWASP CSRFTester can track down holes in the web applications and web interfaces of network-enabled devices.