Routers from at least three different manufacturers are vulnerable to being compromised by an email sent to any Apple devices using the network.
Security researcher Bogdan Calin identified the cross-site request forgery (CSRF) vulnerability after noticing that by default, all Apple devices are set to load remote images — meaning images that haven’t been sent with the email. “A malicious user can send you an email with an embedded 1×1 pixel image with the background color of your email client, so it is not visible,” he said in a blog post. “The email client will load this image from a remote server.”
Instead of setting the image to load from a remote server, however, an attacker could instead make the email perform an HTTP GET request that points to the URL for the router’s administrative interface. Because numerous routers ship with default usernames and passwords, and many users fail to change those settings, the email could also authenticate to the administrative interface and alter the router’s configuration, for example to change its DNS settings.
Thanks to the exploit, an attacker could change the router’s DNS settings to point to an attacker-controlled server, enabling them to run a clickjacking scam — redirecting users’ search requests to sites of the attackers’ own choosing — as well as to eavesdrop on all Internet traffic flowing to or from the router.
“To increase the chances of this attack succeeding, I can send multiple images in the email; one with the default username and password for the router and others with most common passwords,” said Calin, who’s a Web application security researcher at Acunetix. Using iFrames, the attack commands can also be executed in the correct order, for example first authenticating to the router, and then changing settings.
Calin said he’s demonstrated the attack against two types of Asus routers (RT-N16 and RT-N56U), as well as the Arcor EasyBox A600 and routers from TP-Link. But many more types of routers are likely vulnerable. “Any router that accepts configuration changes from GET parameters and doesn’t protect against CSRF should be vulnerable to this simple attack,” he said. “I can also confirm that this attack works on iPhone, iPad and Mac’s default mail client,” but the . . . read more
Source: Information Week