Are your IoT gizmos, music boxes, smart home kit vulnerable to DNS rebinding attacks? Here's how to check

Fancy website, code emitted – Roku, Google, etc stuff at risk


A technique for attacking computer networks, first disclosed more than a decade ago, has resurfaced as a way to manipulate Internet-of-Things gadgets, smart home equipment, and streaming entertainment gizmos.

Researcher Brannon Dorsey this week posted an essay explaining how smart home hardware can be vulnerable to a trick known as DNS rebinding.

He also crafted this website that, with your permission, will run JavaScript in your browser to detect whether or not you have any devices vulnerable to DNS rebinding on your network. Try it out if you're worried about being at risk. It only works, mind you, if your network uses 192.168.1.x IP addresses.

First disclosed at RSA 2008 by researcher Dan Kaminsky, a DNS rebinding attack allows a malicious webpage open in a browser to access and potentially commandeer a device on a local network, sidestepping the same-origin policy checks that usually guard against such attacks.

While rebinding attacks have been made more difficult to pull off on modern browsers and networks, some systems remain vulnerable to reliable attacks. Earlier this year, Blizzard had to address the issue in its update tool, and exploits targeting cryptocurrency wallets also used the technique.

Now, Dorsey claims, home networks and internet-connected appliances will have to be added to that list. The infosec bod explained that, by connecting users to a compromised DNS server, a web browser can remotely receive and relay commands to devices on their local network.

Among the hardware that could be manipulated by such an attack are WiFi routers, streaming video and music boxes (such as Roku or Google Home gear), and smart thermostats, or other connected appliances.

"Many of these devices offer limited or non-existent authentication to access and control their services," Dorsey explained. "They inherently trust other machines on the network in the same way that you would inherently trust someone you’ve allowed into your home."

In effect, the attack would use the browser as an entry point to infiltrate the local network.

As with previous attack techniques, Dorsey's method involves tricking a user into visiting a booby-trapped webpage – via something like a phishing email or XSS exploit – that runs scripting code to contact a malicious DNS server to look up a domain name.

Rather than resolve the domain name to an outside server's IP address, however, Dorsey's technique would have the DNS server return a local network address of a connected appliance, allowing the page to then access the device as if it were the user. All the while, the browser that has been fooled into carrying out the attack would present the user with no alert to indicate anything has gone awry.
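
The resolver-side view of that trick, as an added example that is not from the article or from Dorsey's code: it scans DNS answers for public names that resolve to internal addresses, which is what a rebind looks like in resolver logs. The log format, sample entries and internal zone suffixes are constructed assumptions.

```python
import ipaddress

# Constructed sample resolver log: (epoch seconds, query name, answer IP, TTL).
SAMPLE_LOG = [
    (1000, "cdn.example.net", "198.51.100.10", 300),
    (1001, "a1b2.rebind.example", "203.0.113.7", 1),    # first answer: outside host
    (1004, "a1b2.rebind.example", "192.168.1.20", 1),   # second answer: LAN device
    (1005, "printer.home.arpa", "192.168.1.50", 3600),  # legitimate internal name
    (1010, "pinned.example.org", "10.0.0.5", 60),
]

# Assumed internal zones and the address ranges treated as "inside the network".
LOCAL_SUFFIXES = (".home.arpa", ".local", ".lan")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip_text):
    """True for RFC 1918, loopback, link-local and IPv6 unique-local addresses."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_rebinding(log, local_suffixes=LOCAL_SUFFIXES):
    """Return {name: reason} for public names whose answers point inside the network."""
    seen_public = set()
    findings = {}
    for _ts, name, answer, ttl in sorted(log):
        name = name.rstrip(".").lower()
        if name.endswith(local_suffixes):
            continue  # internal zones are expected to hold internal addresses
        if not is_internal(answer):
            seen_public.add(name)
        elif name in seen_public:
            findings[name] = f"flipped from public to internal {answer} (ttl={ttl})"
        else:
            findings.setdefault(name, f"public name resolves to internal {answer}")
    return findings


if __name__ == "__main__":
    for name, reason in find_rebinding(SAMPLE_LOG).items():
        print(f"{name}: {reason}")
```

A resolver that drops or refuses such answers for names outside its own internal zones removes the step the attack depends on.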

To demonstrate, Dorsey has produced proof-of-concept code showing how the technique can force a home thermostat to raise its own temperature.

Dorsey said he has notified vendors including Roku and Google of the vulnerability, so expect patches to land soon for your equipment. The issue is likely to span thousands of devices, and vendors will require some time to fully address the security shortcomings.

"The implications and impact of an attack like this can have far reaching and devastating effects on devices or services running on a private network," Dorsey wrote. "By using a victim’s web browser as a sort of HTTP proxy, DNS rebinding attacks can bypass network firewalls and make every device on your protected intranet available to a remote attacker on the internet." ®
