As we get ready to flip the calendar to December, I’ve been getting and seeing a lot of 2013 predictions. I haven’t begun to look at them yet — I prefer to wait until we’re a little closer to the end of the year — but I do wonder if (or how much) mention will be given to security threats to Apple devices. To me, 2012 seemed like the year of the Mac Attack, the year when Apple began appearing frequently in security stories, and not in a good way. So it is fitting that, as the year begins to wind down, I see another security story that involves an iOS vulnerability. This one involves email opened on Apple devices and the home routers behind them. According to InformationWeek:
Security researcher Bogdan Calin identified the cross-site request forgery (CSRF) vulnerability after noticing that by default, all Apple devices are set to load remote images — meaning images that haven’t been sent with the email. “A malicious user can send you an email with an embedded 1×1 pixel image with the background color of your email client, so it is not visible,” he said in a blog post. “The email client will load this image from a remote server.”
How does this involve the router? When the mail client fetches that hidden image, the request can be aimed at the router’s administration interface, and if it succeeds the attacker can change the router’s DNS settings so that they point to a server under the attacker’s control. That lets the attacker “listen in” on all of the Internet traffic passing through the router, or run click-jacking scams against the people behind it.
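The mechanism above is a remote image reference that points at the home network rather than at a public server, paired with an image too small to see. As an added example that is not part of the original post, here is a small mail-gateway check that a defender could run over the HTML part of an incoming message: it parses every `<img>` tag and flags ones whose remote source targets a private, loopback or link-local address, ones that embed credentials in the URL, and ones sized as an invisible 1×1 pixel. The sample message, the host address and the admin path in it are constructed for the demonstration and are not taken from the article.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collect the attribute sets of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # html.parser lower-cases tag and attribute names
            self.images.append({k: (v or "") for k, v in attrs})


def _is_private_host(host):
    """True for RFC 1918, loopback and link-local targets, i.e. the LAN side."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolution is out of scope for this check
    return ip.is_private or ip.is_loopback or ip.is_link_local


def _is_invisible_pixel(attrs):
    """A 1x1 (or 0x0) image is a tracking pixel or a hidden request trigger."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    return width in ("0", "1") and height in ("0", "1")


def scan_html_email(html):
    """Return a list of findings: {'src': ..., 'reasons': [...]} per suspicious image."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images are carried inside the mail, not remote
        reasons = []
        if _is_private_host(url.hostname or ""):
            reasons.append("private-network target")
        if url.username or url.password:
            reasons.append("credentials embedded in URL")
        if _is_invisible_pixel(attrs):
            reasons.append("invisible 1x1 image")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample message: a normal logo, a hidden pixel aimed at a LAN
# address with a placeholder admin path, a public tracking pixel, and an inline part.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<p>Hello, please review the attached invoice.</p>
<img src="http://192.168.0.1/CONSTRUCTED_ADMIN_PATH" width="1" height="1">
<img src="https://tracker.example.net/open.gif" width="1px" height="1px">
<img src="cid:part1@example.com" width="300" height="100">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html_email(SAMPLE_EMAIL_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

A gateway would treat a private-network target as the high-severity case, since that is the only one that can reach the router; a public 1×1 pixel on its own is the ordinary tracking case the article describes and is better logged than blocked.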
And, not surprisingly, it is all made possible because of what has become the weakest link in security: the password. In explaining why this attack works at all, PC Magazine stated:
Many people don’t change the default password because it doesn’t occur to them that a malicious user can gain access to that interface, Calin said, noting that even those who do change it frequently select a weak password.
I thought it was strange that this problem appears to affect only Apple devices, but Calin also explained that it could just as easily affect Google and Gmail. A typical phishing scheme would work there too, he said, and as InformationWeek pointed out:
Although Gmail doesn’t load remote images by default — users must click a button to do so — if remote images from a sender are downloaded once, Gmail will automatically download them from the same sender in the future.
Luckily, the fix this time is fairly easy: change the defaults. Don’t use the default password for your router. Turn off automatic loading of remote images in your mail client. Or, basically, don’t depend on the passive security of any of your hardware.