The Email that Hacks You

Update: Seems to be working on TP-Link Routers as well (tested on TL-WR841N).
Update 2: Arcor EasyBox A600 also seems vulnerable.

Opening a legitimate-looking email on an iPhone, iPad or Mac while using an Asus router with a default or guessable password could compromise the security of your internal network. I conducted tests on two Asus routers - the Asus RT-N16 and the Asus RT-N56U - and the attack was successful on both. It is possible that other routers are affected, including those not manufactured by Asus.

I've prepared a short video that demonstrates the problem. In this demonstration, the victim receives an email; when the email is opened, the internal network is compromised (the DNS servers used by the router are changed to an IP address controlled by the attacker).

Technical Details

I got the idea for these tests after I noticed that Apple devices load remote images in emails by default. This can cause privacy issues and it is not a recommended practice. A malicious user can send you an email with an embedded 1x1 pixel image in the background colour of your email client, so it is not visible. The email client will load this image from a remote server and by doing so it discloses your IP address, your email client banner and possibly your identity. In some situations, such behaviour can have catastrophic consequences.

Since Apple devices are loading remote images by default, my first idea was to try to attack the home router. At home I am using the ASUS RT-N16 router.

The router, like many other routers, is using basic authentication to restrict access to the administrative interface. Once you've entered the administrative interface, you can send a POST request to apply changes to the configuration.

Unfortunately many people do not change the default router password because they do not even know about it, or simply do not care. It never crosses their mind that a malicious user can gain access to that interface. Even those who change the password often use a weak password.

In this test, if we manage to send a POST request using an email with an image, we can reconfigure the router. It turns out though that this router accepts configuration parameters from both POST and GET requests. Therefore, it is possible to take all the POST parameters, convert them to GET parameters and send an email to the victim containing an image with its source pointing to the router's configuration URL. To increase the chances of this attack succeeding, I can send multiple images in the email; one with the default username and password for the router and others with most common passwords. The complete attack looks like this:

[Image: the email that hacks you (screenshot of the email source)]

As we can see from the email source in the screenshot above, the email includes a div which loads a number of iframes; the iframe sources are GET requests to the URLs that are normally used to configure the router.

This attack worked perfectly on my ASUS RT-N16 router and it also works on another router: ASUS RT-N56U. I have only tested with these two routers but any router that accepts configuration changes from GET parameters and doesn't protect against CSRF should be vulnerable to this simple attack. I can also confirm that this attack works on iPhone, iPad and Mac's default mail client.
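As an added illustration of the check a mail gateway or mail client could apply to the pattern described above (this is my example, not the blog's or Acunetix's own code), the following Python flags remote resources in an HTML message whose URL embeds credentials or points at a private LAN address. The sample message, its CONFIG_PATH and its DNS value are constructed placeholders.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src a mail client fetches automatically when remote content is enabled
REMOTE_TAGS = {"img", "iframe", "frame"}

class RemoteSrcCollector(HTMLParser):
    """Collects the src attribute of every tag that triggers a remote fetch."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in REMOTE_TAGS:
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)

def classify_src(src):
    """Return the reasons a src looks like a credentialed GET to a LAN device."""
    # Scheme-relative (//host/..) and bare (user:pw@host/..) forms both appear in the
    # comments on this page; give bare forms a netloc so urlsplit sees the host part.
    parts = urlsplit(src if "//" in src else "//" + src)
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials embedded in URL")
    try:
        # is_private covers RFC 1918, loopback and link-local ranges
        if parts.hostname and ipaddress.ip_address(parts.hostname).is_private:
            reasons.append("target is a private (LAN) address")
    except ValueError:
        pass  # a DNS name rather than an IP literal: no LAN-address hit
    if parts.query and reasons:
        reasons.append("carries query parameters (GET configuration change)")
    return reasons

def find_suspicious_sources(html):
    parser = RemoteSrcCollector()
    parser.feed(html)
    return [(s, classify_src(s)) for s in parser.sources if classify_src(s)]

# Constructed sample mail body: a normal logo plus a hidden iframe aimed at the
# router's LAN address (CONFIG_PATH and the DNS value are placeholders, not real)
SAMPLE_EMAIL = """
<img src="https://www.example.com/logo.png">
<div style="display:none">
<iframe src="http://admin:admin@192.168.1.1/CONFIG_PATH?dns1=203.0.113.5&amp;apply=1"></iframe>
</div>
"""
```

A message with one or more hits is a candidate for quarantine or for rewriting the offending src attributes before the body reaches a client that auto-loads remote content.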

Solution

The recommended practice is not to load remote images by default, or to ask the user to click a button to load them, like Gmail does. I have also found out that even Gmail will load remote images without asking for permission if you have already replied once to the sender of that email. So using such an attack against a Gmail user is also very simple: send a plain text email that will intrigue the victim into replying and, once he or she replies, send an email with a tracking image.

I have contacted Apple about this problem and their suggestion was to disable the "Load Remote Images" option. To do this you need to go to Settings -> Mail, Contacts, Calendars and look for "Load Remote Images" in the Mail section. You need to disable this option to protect yourself against this attack. However, by disabling this option, if somebody sends you an email with an embedded image you will not be able to see it.

[Image: the "Load Remote Images" setting]

Another option to prevent such an attack is to simply set a strong password for your home router.

    • Bogdan Calin

I didn’t test on Android phones. I cannot say.

      November 27, 2012 at 8:05 pm
    • dario90

Android blocks images at first with the Hotmail app. You need to click “show images” to see the images.

      December 3, 2012 at 3:48 am
  1. very interesting…

November 27, 2012 at 8:39 pm
  2. Alaa

    Hi Bogdan, I have a question on how this works. I’m not really an HTML expert, but what does “executing” the attack have to do with loading the image? From the code, there’s a normal img src tag, with the link of the image, and then comes the invisible iframes. I mean, how is the image connected with the iframes? What’s the use of disabling loading images? Wouldn’t that just skip loading the “img src” tag, but still go ahead and execute the rest of the code, which is the “iframe src” tag?

November 28, 2012 at 6:18 am
    • Bogdan Calin

Apple doesn’t have separate settings for image, iframe, frame tags and other tags. They have only one setting, “Disable remote images”, and when you disable that option no remote content will be loaded. So, when you disable remote images you also disable iframes, frames and so on.

      November 28, 2012 at 8:28 am
3. Nice CSRF attack!
    This attack can be conducted against any router having CSRF issues, not only Asus!

    good one anyway.

    November 28, 2012 at 8:56 am
    • Bogdan Calin

      Thanks, I suspect other routers are affected. I’ve only had access to these 2 Asus routers and only tested those.

November 28, 2012 at 9:02 am
4. If anyone tests any other router and the test is successful let us know :)

    November 28, 2012 at 10:39 am
  5. David

    Seems to work on TP-Link Routers, too. At least TL-WR841N should be vulnerable.
    You just have to use other GET Parameters:
    user:pw@RouterIP/userRpm/WanDynamicIpCfgRpm.htm?mtu=1500&manual=2&dnsserver=ServerIP&dnsserver2=ServerIP&Save=Save

    But you have to set mtu as well because otherwise the router throws an error…

November 28, 2012 at 1:13 pm
    • Bogdan Calin

      Very interesting. Thanks David, I will update the story.

November 28, 2012 at 1:58 pm

  8. David

lol Is there anybody who has a router without this CSRF vulnerability? I just tested my Arcor EasyBox A600 and it’s vulnerable, too, just with a little difference:
    you need 2-3 iframes, which are loaded in the right order: one to login (target: //routerIp/cgi-bin/login.exe?user=User&pws=Password),
    one for changing dns settings (target: //routerIp/cgi-bin/setup_dns_ddns.exe?page=dns_ddns_main&dns1_1=XXX&dns1_2=XXX&dns1_3=XXX&dns1_4=XXX&dns2_1=XXX&dns2_2=XXX&dns2_3=XXX&dns2_4=XXX)
    and one for logout, but you don’t have to logout (target: //routerIp/cgi-bin/logout.exe)

    November 28, 2012 at 4:23 pm
    • Bogdan Calin

      Thanks, updated the post.

November 28, 2012 at 7:11 pm
  9. bhadreshpurani

    very interesting

November 28, 2012 at 4:49 pm
  10. So what happens when a user opens the email?

November 28, 2012 at 5:01 pm
    • Bogdan Calin

      When a user opens the email, the iPad browser will load a hidden iframe that will reconfigure the router.

November 28, 2012 at 7:09 pm
  11. Bill

The vast majority of the computer-illiterate use webmail, which also tends to load remote images by default.

    November 29, 2012 at 1:11 am
  12. Interesting! Thanks for sharing.

November 29, 2012 at 8:08 am
  14. jj

    How about an even simpler remedy, changing the lan setup on your router to 192.168.1.2 or 192.168.2.1?

November 29, 2012 at 5:31 pm
    • Bogdan Calin

      Yes, that would work for this particular script but it’s easy to bypass.

November 29, 2012 at 5:48 pm
  16. RazonT

    What’s the point in that?

    Every website could include such an iframe or img tag to “hack” the router.
    And that’s not “new”.
    Why is this blogpost only talking about mail?
Most modern routers have randomly generated default passwords written on their back or are forcing the user to change the password after first login. If they don’t do that, it’s the fault of the router, not the e-mail client.

    November 30, 2012 at 9:11 am
    • Bogdan Calin

      There are still a lot of routers that don’t force the user to change the password. Actually, I’ve never encountered one until now and I’ve tried at least 10 routers in the past 3 years. This blog post talks about default passwords and guessable passwords. If you choose a bad password it’s still a problem.

      This attack shows that it’s possible to load external resources (imgs, iframes) using URLs with credentials.
      This should be fixed once and for all in iOS/Webkit (and the other browsers) by disabling resources loaded with credentials.

      At some point, as a protection for phishing, URLs with the format
      scheme://username:password@hostname/ were disabled. When you enter in the browser bar something like that it doesn’t work in most browsers.

      I was surprised to see that doing something like [img src='scheme://username:password@hostname/path'] works in Chrome and Firefox but if you enter the same URL in the browser bar it doesn’t work. This doesn’t work in Internet Explorer, which is the right behavior in my opinion. I don’t see any good reason why something like this should work. Closing this in browsers will solve this problem once and for all.

November 30, 2012 at 9:20 am
      • RazonT

        Thank you for your response.
I agree that URLs containing passwords for Basic-Auth/Browser-Auth are a security issue and should be disabled for resource loading. But that won’t “fix” the issue for websites, because redirects might do the same and the problem is still there as long as these URLs are not disabled completely. Actually URLs with password are part of the URI RFC 2396 Part 3.2.2 (even though it’s not recommended to use in there).

        For my tests in up-to-date Chrome this URL directly in the browser bar works fine:
        //test:test@www.example.com/page/
        You are right that Microsoft disabled this “feature” in their browser according to: //support.microsoft.com/kb/834489/en

        I don’t know in what case you may need it, but I can think of multiple read only accounts to an ftp-server via URL. This will break. I think I was looking for drivers once and the driver manufacturer forwarded me to an ftp server with that URL-Scheme.

        I personally think that basic-auth is outdated for websites and should be replaced with a session based way including a “logout” button and restricted to POST-Forms only. In my opinion THAT’s the problem and not the browser/E-Mail clients.

        November 30, 2012 at 9:57 am
        • Bogdan Calin

Yes, it seems to work on Chrome now. I remember I tested some time ago and it didn’t work.
          In Firefox, Safari and Opera it requests confirmation and in Internet Explorer it doesn’t work at all.
          FTP URLs can remain as long as HTTP(s) URLs are disabled.
          HTML Form authentication would be another solution, yes.

          November 30, 2012 at 10:11 am
          • Karl Cowden

I am trying HARD to understand this whole thing; I use and recommend the Asus RT-NT56 router!

            IF you use a secure router login password, does this cause the described Email Hack to NOT work?

            December 3, 2012 at 12:31 am
          • Bogdan Calin

            Yes, if you use a secure password you are safe.

            December 3, 2012 at 8:24 am
  19. jools

    Did I understand correctly that we do not need the WLAN password (WPA2/WEP) for that?
    Because with having the WLAN password we could just do DNS spoofing with ettercap or arpspoof…

December 1, 2012 at 12:56 pm
20. Very interesting. Tested it with gmail and it really loads the content without permission after one response. I would not have expected that.

    December 2, 2012 at 2:23 pm
  25. Jim Nielsen

    Good find – but has this been tested on anything else than i… equipment..?

December 3, 2012 at 10:48 pm
  30. Jan Miller

    We ran the Acunetix Free Scan back in May and it crashed our site, unleashing an email attack of thousands of emails all from Acunetix. After spending countless hours in trying to repair our site, we have been operational for seven months, but now the same email attacks from Acunetix have started again. Our mail server crashed and we had to take our ecommerce site off line.

    Why is this happening? How can we find the malicious script that Acunetix injected into our site causing these mass emails with the Acunetix name on them?

December 9, 2012 at 9:00 pm
    • Bogdan Calin

      If scanning your site is causing such problems it means you have big security problems. Any attacker can cause the same problems that our scanner is causing.

      You need to perform a complete security audit to figure out what is happening, it’s impossible for us to let you know.
These people will test your site, read the source code and figure out where the problem is.

      December 10, 2012 at 8:58 am
  34. that was interesting and informative also

March 5, 2013 at 6:59 pm