A whole range of Arcor, Asus and TP-Link routers are vulnerable to being reconfigured remotely without authorisation. On his blog, security researcher Bogdan Calin demonstrates that just displaying an email within the router's own network can have far-reaching consequences: when opened, his specially crafted test email reconfigures the wireless router so that it redirects the user's internet data traffic. An attacker could exploit this to, for example, redirect unwitting users to a phishing site and harvest their details when they are trying to log into facebook.com.

The attack uses the Cross-Site Request Forgery (CSRF) technique. Calin embedded images whose source URL ( src= ) points to the router's default IP address (often 192.168.1.1) in his HTML test email. The URL contains parameters that instruct the router's web interface to modify the DNS server configuration. As the URL also contains the admin password for the web interface, the attack will only be successful if the user has left the default password unchanged. A full CSRF URL could look something like this: http://admin:password@192.168.1.1/start_apply.htm?dnsserver=66.66.66.66



The security researcher says that attacks are successful on devices such as Arcor's EasyBox A 600. When displaying the email, the email client will attempt to retrieve the embedded picture from this URL. The router, however, will interpret the parameters as an instruction from the user to configure a different DNS server. Once the changes have been made, any DNS queries will be handled by the configured DNS server, which is controlled by the attacker. From then on, the sender of the email can freely direct the user to arbitrary web servers.

The security researcher opened his test emails with the iOS and Mac OS X default email clients, which load images in HTML emails without prior confirmation. iOS users can disable this functionality with the "Load Remote Images" switch under "Mail, Contacts, Calendar" in the Settings menu. Calin says that Gmail will also load images if a user has previously replied to emails from that user. Other email clients may also load images without requesting prior confirmation.

Calin says that he successfully attacked Asus RT-N16 and RT-N56U routers, TP-Link routers such as the TL-WR841N, and the Arcor EasyBox A 600. Further models are likely to be vulnerable as new CSRF holes in routers continue to surface. Users can protect their routers from being compromised by changing their router password to something other than the default – advice which is applicable to this as well as various other attack scenarios.

Tools such as the OWASP CSRFTester can track down holes in the web applications and web interfaces of network-enabled devices. A case in Brazil demonstrates that CSRF attacks can be launched not only via HTML emails, but also via specially crafted web pages: according to Kaspersky Lab, 4.5 million routers in Brazil were successfully compromised this way.

(djwm)