Update: Seems to be working on TP-Link Routers as well (tested on TL-WR841N).
Update2: Arcor EasyBox A600 also seems vulnerable.
Opening a legitimate looking email on an iPhone, iPad or Mac while using an Asus router with a default or guessable password could compromise the security of your internal network. I conducted tests on two Asus routers - Asus RT-N16 and Asus RT-N56U - and the attack was successful. It is possible that other routers could be affected, including those not manufactured by Asus.
I've prepared a short video that demonstrates the problem. In this demonstration, the victim receives an email - when the email is opened, the internal network is compromised (The DNS servers used by the router were changed to an IP address controlled by the attacker).
I got the idea for these tests after I noticed that Apple devices load remote images in emails by default. This can cause privacy issues and it is not a recommended practice. A malicious user can send you an email with an embedded 1x1 pixel image with the background colour of your email client, so it is not visible. The email client will load this image from a remote server and by doing so, it discloses your IP address and email client banner, and possible your identity. In some situations, such behaviour can have catastrophic consequences.
Since Apple devices are loading remote images by default, my first idea was to try to attack the home router. At home I am using the ASUS RT-N16 router.
The router, like many other routers, is using basic authentication to restrict access to the administrative interface. Once you've entered the administrative interface, you can send a POST request to apply changes to the configuration.
Unfortunately many people do not change the default router password because they do not even know about it, or simply do not care. It never crosses their mind that a malicious user can gain access to that interface. Even those who change the password often use a weak password.
In this test, if we manage to send a POST request using an email with an image, we can reconfigure the router. It turns out though that this router accepts configuration parameters from both POST and GET requests. Therefore, it is possible to take all the POST parameters, convert them to GET parameters and send an email to the victim containing an image with its source pointing to the router's configuration URL. To increase the chances of this attack succeeding, I can send multiple images in the email; one with the default username and password for the router and others with most common passwords. The complete attack looks like this:
As we can see from the source code above, in the email we included a div which loads a number of iframes - the GET requests are actually URL’s that are typically used to configure the router.
This attack worked perfectly on my ASUS RT-N16 router and it also works on another router: ASUS RT-N56U. I have only tested with these two routers but any router that accepts configuration changes from GET parameters and doesn't protect against CSRF should be vulnerable to this simple attack. I can also confirm that this attack works on iPhone, iPad and Mac's default mail client.
The recommended practice is not to load remote images by default, or ask the user to click a button to load them, like gmail. I have also found out that even gmail will load remote images without asking for permission if you have already responded once to the sender of that email. So using such attack against a gmail user is also very simple: send a plain text email that will intrigue the victim to reply and once he or she replies, send an email with a tracking image.
I have contacted Apple about this problem and their suggestion was to disable the "Load Remote Images" option. To do this you need to go Settings -> Mail, Contacts, Calendars and look for the "Load Remote Images" in the Mail section. You need to disable this option to protect yourself against this attack. However by disabling this option, if somebody sends you an email with an embedded image you will not be able to see it.
Another option to prevent such an attack is to simply set a strong password for your home router.