Another security hole has been discovered in the mobile remote maintenance function that is used to configure FritzBox routers and to access telephone lists and media files via the FritzBox. The vulnerability lies in the MyFritz apps for Android and iOS and, under certain conditions, allows an attack on the router's web interface.
Attackers can take over the legitimate user's session ID and set themselves up as a user, which gives them access to, for example, the telephone functions of the FritzBox. Criminals could exploit this gap for telephone fraud or even to intercept traffic.
The problem arises when the mobile apps are registered with the home router. The security hole was discovered by Heise Security, which explains it as follows: communication with the router is "encrypted via HTTPS", but the app "did not yet check the SSL certificate [..] sufficiently". When the app is used via a public hotspot, for example, the router could therefore easily be taken over by a man-in-the-middle attack.
According to the Heise security specialists, AVM has closed the gap in the mobile apps. Users of the MyFritz app for iOS and Android should therefore install the latest version from the App Store or Google Play. The updated app stores the router's certificate at the first connection; any later manipulation or change of the certificate then only produces an error message. After the app update, the connections in the home network must be set up again.
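The fix described above amounts to trust-on-first-use certificate pinning: remember the router's certificate when the app first connects and refuse any connection that later presents a different one. The following is an added illustration, not AVM's or the MyFritz app's code; the host name, the certificate bytes and the pin store are constructed for the example, and the TLS contexts show the verifying configuration next to the weak one the article criticises.

```python
"""Trust-on-first-use (TOFU) certificate pinning, modelled on the fix the
article describes. Example code added here, not the MyFritz app's own."""
import hashlib
import ssl


class PinMismatch(Exception):
    """A pinned host presented a different certificate (possible MITM)."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(store: dict, host: str, cert_der: bytes) -> str:
    """'pinned' on first contact, 'ok' on a matching certificate,
    PinMismatch if the certificate changed since it was pinned."""
    fp = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp          # first connection: remember the certificate
        return "pinned"
    if pinned != fp:
        raise PinMismatch(f"{host}: expected {pinned[:16]}..., got {fp[:16]}...")
    return "ok"


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks both the chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def weak_context() -> ssl.SSLContext:
    """The insecure shape: HTTPS, but the certificate is not checked at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def demo() -> list:
    """First contact, a repeat connection, then a swapped certificate."""
    store = {}                                        # constructed pin store
    router_cert = b"constructed DER bytes of the home router certificate"
    mitm_cert = b"constructed DER bytes of a certificate seen at a hotspot"
    results = [check_pin(store, "router.example", router_cert),
               check_pin(store, "router.example", router_cert)]
    try:
        check_pin(store, "router.example", mitm_cert)
    except PinMismatch:
        results.append("rejected")
    return results
```

`ssl.create_default_context()` gives the verifying configuration; `demo()` returns `['pinned', 'ok', 'rejected']`, the error on the third step being the one the updated app shows when a certificate changes.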