The Email that Hacks You

AlexNguyenAlexNguyen Member Posts: 358 ■■■■□□□□□□
Source: How an email Could Compromise your Wireless Router.

Opening a legitimate looking email on an iPhone, iPad or Mac while using an Asus router with a default or guessable password could compromise the security of your internal network.

There's a short video that demonstrates the problem.
In this demonstration, the victim receives an email - when the email is opened, the internal network is compromised (The DNS servers used by the router were changed to an IP address controlled by the attacker).
Knowledge has no value if it is not shared.
Knowledge can cure ignorance, but intelligence cannot cure stupidity.

Comments

  • paulgswansonpaulgswanson Member Posts: 311
    nice, that looks stupidly easy... My passwords are obviously secure but I think im gonna start checking the source code on my spams emails just for giggles to see whats hidden in there. I would never have though that the div section could contain dirty code like that.
    http://paulswansonblog.wordpress.com/
    WGU Progress: B.S. Network Management & Design <- I quit (got bored)
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    BTW, I see no reason why this would not work on an Android or any other device for that matter, if it autoloaded the images.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Someone uses Asus routers?
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    That's exactly what I thought when I read it!
  • nosoup4unosoup4u Member Posts: 365
    In soviet rus.......
  • jibbajabbajibbajabba Member Posts: 4,317 ■■■■■■■■□□
    Asuwhat?
    My own knowledge base made public: http://open902.com :p
  • RoguetadhgRoguetadhg Member Posts: 2,489 ■■■■■■■■□□
    I'm glad I'm not the only one that thought "Asus made routers?!"

    What's next, a Nike Switch?
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • ZartanasaurusZartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    nosoup4u wrote: »
    In soviet rus.......
    Beat me to it. :)
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
    I always knew that auto-ex email code was an issue, and yet every version of microsoft outlook, and some other email clients auto open emails when you click on them, and I believe runs in html mode by default, allowing images to be loaded. I propose a petition to remove the preview pane as a default setting.

    (its also interesting that I was reading an old security book that says instead of deleting malicious emails you should open them an view the (possibly falsified) headers... I guess the author wasn't aware of falsified headers, or autoloaded malware.)
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    the_Grinch wrote: »
    Someone uses Asus routers?

    I bought an Asus RT-N66U router when my original one died. I got it based on reviews that it was one of the best performing home routers available now.
  • LizanoLizano Member Posts: 230 ■■■□□□□□□□
    Asus makes routers?

    I love their tablets, but routers?
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    I'm surprised this is the first such vulnerability I've read about. I've been wondering for a long time now what would stop some kind of exploit or otherwise nefarious activity from taking place in HTML embedded in emails. It's so stupidly easy to implement that I'm really shocked we don't run into it all the time.

    As far as Asus routers, all the Taiwanese computer/networking/component companies eventually expand into each others' markets. Anyone who has watched Newegg much over the years will see it. It's to the point where you can almost pick a vendor and make a PC using entirely their components (with CPUs as the obvious exception).
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • jgilljgill Member Posts: 15 ■□□□□□□□□□
  • eansdadeansdad Member Posts: 775 ■■■■□□□□□□
    I don't see why it would be limited to just Asus routers, the article mentions that they only tested this on 2 Asus routers and that others are possible. I would guess with a little more scripting (maybe a call to a rainbow file) any password could be cracked. Would make the email larger but how many users actually check the email size?

    Thinking of testing it out on some older Belkin and DLinks I have laying around.
Sign In or Register to comment.