Hackers can lure users to phishing sites, block updates and replace downloaded files

Oct 30, 2013 11:00 GMT

Security researcher Jakob Lell has come across malicious websites that exploit a cross-site request forgery (CSRF) vulnerability in some TP-Link routers in an effort to change the device’s upstream DNS server IP addresses.

The CSRF vulnerability was first reported to TP-Link in April 2013 by Jacob Holcomb and the vendor has addressed the security hole for some devices. However, the attack still works against a number of routers, especially if they’re not running updated versions of firmware.

By changing a router’s upstream DNS server, cybercriminals can launch man-in-the-middle attacks and perform various tasks.

They can redirect victims to phishing sites or browser exploits, block software updates, replace legitimate ads with rogue ones, replace executable files downloaded from trustworthy websites, and even hijack email accounts if the email client doesn’t use a secure connection.
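To show why a CSRF bug in a router's admin page is enough to rewrite its upstream DNS, here is an added example (not code from the article, from Jakob Lell, or from TP-Link firmware) that models the DNS-change handler twice: once relying only on the browser's logged-in session, as the vulnerable class of handler does, and once with the standard defences of an Origin/Referer check and a per-session anti-CSRF token. The router address, handler names and request shape are assumptions for the demonstration.

```python
# Added example: a minimal model of a router admin handler that sets the
# upstream DNS server, without and with cross-site request forgery protection.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.0.1"  # assumed LAN address of the admin UI


@dataclass
class Session:
    logged_in: bool = True
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    headers: dict   # e.g. {"Referer": "http://evil.example/page.html"}
    params: dict    # query or form fields, e.g. {"dns1": "203.0.113.5"}


@dataclass
class Router:
    primary_dns: str = "8.8.8.8"  # constructed starting value


def change_dns_vulnerable(router, session, req):
    """Checks only that the browser carries a logged-in session. A hidden
    image or auto-submitting form on any page the admin visits can trigger
    this, because the browser attaches the session cookie/auth itself."""
    if not session.logged_in:
        return False
    router.primary_dns = req.params["dns1"]
    return True


def _same_origin(headers):
    # Cross-site GETs (e.g. an <img> tag) carry no Origin header but usually
    # a Referer; if neither is present we fail closed.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == ROUTER_ORIGIN


def change_dns_hardened(router, session, req):
    """Same action, but the request must come from the router's own origin
    and carry the session's anti-CSRF token (compared in constant time)."""
    if not session.logged_in or not _same_origin(req.headers):
        return False
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False
    router.primary_dns = req.params["dns1"]
    return True
```

A forged request from another site succeeds against the first handler and is rejected by the second, while a same-origin request carrying the token still works.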

The expert has identified five unrelated websites that host the exploit. The exploit is designed to change the router’s primary nameserver to one of three IP addresses – although the researcher says there are likely more of them that he hasn’t spotted.

However, so far, Lell hasn’t been able to determine what the cybercriminals plan on doing with the malicious DNS servers.

The list of affected devices includes TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405, TP-Link TL-MR3020 firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n, and TL-WDR3600 firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n.

For some TP-Link devices, the vulnerability has been fixed with the latest firmware updates. In the case of TL-WDR3600, the security hole cannot be exploited in the default configuration.

On Jakob Lell’s blog, you can find additional technical details, recommendations on how to protect yourself, and ways of finding out if your device is affected.