The H – (International) Email hacks router. A whole range of Arcor, Asus, and TP-Link routers are vulnerable to being reconfigured remotely without authorization. A security researcher demonstrates that just displaying an email within the router’s own network can have far-reaching consequences: when opened, his specially crafted test email reconfigures the wireless router so that it redirects the user’s internet data traffic.

The attack uses the Cross-Site Request Forgery (CSRF) technique. In his HTML test email, the researcher embedded images whose source URL (src=) points to the router’s default IP address (often 192.168.1.1). The URL contains parameters that instruct the router’s Web interface to modify the Domain Name System (DNS) server configuration. As the URL also contains the admin password for the Web interface, the attack will only be successful if the user has left the default password unchanged. The security researcher says that attacks are successful on devices such as Arcor’s EasyBox A 600.

When displaying the email, the email client will attempt to retrieve the embedded picture from this URL. The router, however, will interpret the parameters as an instruction from the user to configure a different DNS server. Once the changes have been made, all DNS queries will be handled by the newly configured DNS server, which is controlled by the attacker. From then on, the sender of the email can freely direct the user to arbitrary Web servers.
Ali Loney, on November 30, 2012
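
A defensive check for the pattern described above, as an added example that is not from the original article: a mail filter can flag HTML bodies whose automatically loaded elements point at private IP literals. The tag list, the sample email and its parameter names are constructed assumptions and do not reflect any real router's interface.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags/attributes that a mail client or browser fetches without user action.
AUTO_FETCH = {"img": "src", "iframe": "src", "script": "src",
              "embed": "src", "link": "href", "body": "background"}

class LocalFetchFinder(HTMLParser):
    """Collects auto-loaded URLs that target private, loopback or link-local IPs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self._check(tag, value.strip())

    def _check(self, tag, url):
        try:
            parts = urlsplit(url)
            addr = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            return  # malformed URL or a hostname; DNS-based checks are out of scope
        if parts.scheme not in ("http", "https"):
            return
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            # A query string or embedded credentials hint at a state-changing request.
            risky = bool(parts.query or parts.username or parts.password)
            self.findings.append({"tag": tag, "host": str(addr),
                                  "has_params_or_creds": risky, "url": url})

def scan_html(html_body):
    """Return one finding per auto-loaded URL aimed at a local address."""
    finder = LocalFetchFinder()
    finder.feed(html_body)
    return finder.findings

# Constructed sample mail body; paths and parameter names are placeholders.
SAMPLE = """<html><body><p>Hello</p>
<img src="http://192.168.1.1/config.cgi?placeholder_setting=value" width="1">
<img src="https://example.com/logo.png">
<img src="http://user:placeholder@10.0.0.1/apply?placeholder=1">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

A filter built on this would quarantine the message or strip the flagged elements; on the router side, changing the default password removes the precondition the article names.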