A technique for attacking computer networks, first disclosed more than a decade ago, has resurfaced as a way to manipulate Internet-of-Things gadgets, smart home equipment, and streaming entertainment gizmos.
Researcher Brannon Dorsey this week posted an essay explaining how smart home hardware can be vulnerable to a trick known as DNS rebinding.
Brought to wide attention by researcher Dan Kaminsky at RSA 2008 (the underlying technique had been described years earlier), a DNS rebinding attack allows a malicious webpage open in a browser to access and potentially commandeer a device on the local network. It sidesteps the same-origin policy that usually guards against such cross-site requests because that policy is keyed on hostname, not IP address: if the attacker's hostname can be made to resolve to a local address, requests the page sends to its own origin land on the local device instead.
While rebinding attacks have become harder to pull off against modern browsers and networks, some systems remain reliably exploitable. Earlier this year, Blizzard had to fix the flaw in its game update tool, and exploits against cryptocurrency wallets have also used the technique.
Now, Dorsey argues, home networks and internet-connected appliances must be added to that list. The infosec bod explained that an attacker who controls the DNS server for a domain the victim's browser visits can turn that browser into a relay, receiving commands from the internet and forwarding them to devices on the local network.
Hardware that could be manipulated this way includes Wi-Fi routers, streaming video and music boxes (such as Roku players or Google Home gear), smart thermostats, and other connected appliances.
"Many of these devices offer limited or non-existent authentication to access and control their services," Dorsey explained. "They inherently trust other machines on the network in the same way that you would inherently trust someone you’ve allowed into your home."
In effect, the attack would use the browser as an entry point to infiltrate the local network.
As with earlier variants, Dorsey's method involves tricking a user into visiting a booby-trapped webpage, via something like a phishing email or an XSS exploit, whose JavaScript repeatedly makes requests to a hostname under the attacker's control, forcing the browser to look that name up at the attacker's DNS server.
The first answer points at the attacker's own web server, so the page loads normally, and it carries a very short time-to-live so that it is not cached. When the page's script asks again, the DNS server instead returns the private address of an appliance on the victim's LAN. The hostname has not changed, so the browser treats the new requests as same-origin and delivers them to the device, which sees ordinary HTTP traffic from a trusted machine on its own network, as if it were the user. All the while, the browser that has been fooled into carrying out the attack presents the user with no alert to indicate anything has gone awry.
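To make the sequence concrete, here is an added Python model of the exchange described above; it is not Dorsey's code or proof of concept. It pairs an attacker-run authoritative DNS server that answers once with its public address and thereafter with a LAN address against a victim-side caching resolver and the browser's same-origin test, and it also shows the two generic defences that break the sequence: a resolver that refuses private-range answers from the internet (what dnsmasq's stop-dns-rebind option does) and a minimum-TTL DNS pin. The domain attacker.example and the addresses 203.0.113.10 and 192.168.1.50 are invented for the illustration.

```python
"""Model of a DNS rebinding attack and two common defences against it.

Added illustration, not code from Dorsey's essay or proof of concept. The
attacker zone (attacker.example), the attacker's public address (203.0.113.10)
and the thermostat's LAN address (192.168.1.50) are made-up values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ATTACKER_HOST = "attacker.example"    # hypothetical attacker-controlled domain
ATTACKER_PUBLIC_IP = "203.0.113.10"   # hypothetical: serves the booby-trapped page
THERMOSTAT_LAN_IP = "192.168.1.50"    # hypothetical: device inside the victim's LAN

# Ranges a rebind-protecting resolver refuses to accept from the internet
# (RFC 1918 plus loopback and link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_local_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


@dataclass
class RebindingNameServer:
    """Authoritative DNS for ATTACKER_HOST, as the attacker runs it.

    The first answer points at the attacker's web server so the page loads;
    every later answer points at the device inside the victim's LAN. TTL 0
    asks resolvers not to cache the first answer.
    """
    queries: int = 0

    def resolve(self, name: str) -> tuple[str, int]:
        assert name == ATTACKER_HOST, "only authoritative for the attacker zone"
        self.queries += 1
        return (ATTACKER_PUBLIC_IP if self.queries == 1 else THERMOSTAT_LAN_IP), 0


@dataclass
class VictimResolver:
    """Caching resolver in front of the victim's browser.

    block_local mirrors dnsmasq's stop-dns-rebind option: an answer from the
    internet that names a local address is discarded. min_ttl models the
    short DNS pin browsers apply, which defeats rebinds faster than the pin.
    """
    upstream: RebindingNameServer
    block_local: bool = False
    min_ttl: int = 0
    cache: dict[str, tuple[str, float]] = field(default_factory=dict)

    def lookup(self, name: str, now: float) -> str | None:
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]
        ip, ttl = self.upstream.resolve(name)
        if self.block_local and is_local_address(ip):
            return None                       # rebind refused; the request fails
        self.cache[name] = (ip, now + max(ttl, self.min_ttl))
        return ip


def same_origin(url_a: str, url_b: str) -> bool:
    """The same-origin policy compares scheme, host and port; the IP never enters."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port or 80) == (b.scheme, b.hostname, b.port or 80)


def simulate(block_local: bool = False, min_ttl: int = 0,
             request_times: tuple[float, ...] = (0, 1, 2)) -> list[str | None]:
    """Where each request the page sends to its own origin actually ends up.

    Every request passes the same-origin check, because the hostname never
    changes; only the answer behind the hostname does.
    """
    resolver = VictimResolver(RebindingNameServer(), block_local, min_ttl)
    page_origin = f"http://{ATTACKER_HOST}/"
    reached = []
    for t in request_times:
        target = f"http://{ATTACKER_HOST}/setpoint"
        assert same_origin(page_origin, target)
        reached.append(resolver.lookup(ATTACKER_HOST, now=t))
    return reached


if __name__ == "__main__":
    print("no defence:    ", simulate())
    print("rebind blocked:", simulate(block_local=True))
    print("60 s DNS pin:  ", simulate(min_ttl=60))
```

Without any defence the second request already reaches 192.168.1.50. The private-range filter turns that lookup into a failure, and a 60 second pin keeps the page talking to the attacker's server for the life of the pin; a patient attacker simply waits it out, which is why the resolver filter and, ultimately, fixes on the device side matter more than the pin.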
To demonstrate, Dorsey has produced proof-of-concept code showing how the technique can force a home thermostat to raise its own temperature.
Dorsey said he has notified vendors including Roku and Google of the vulnerability, so expect patches to land for your equipment. The issue is likely to span thousands of devices, and vendors will need some time to fully address the security shortcomings.
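The fix most often recommended to device makers is a check on the HTTP Host header: a rebound request still carries the attacker's hostname in that header, because that is the origin the page was loaded from, so a device that only serves requests naming its own address or hostname refuses it even though it arrives from a trusted LAN peer. The Python below is an added example of that check, not any vendor's firmware; the device identity 192.168.1.50 / thermostat.local, the /setpoint path and the two sample requests are constructed for the illustration.

```python
"""Device-side defence against DNS rebinding: validate the Host header.

Added illustration, not a vendor's firmware code. The device identity and the
sample requests are made up.
"""
from __future__ import annotations

from typing import Iterable

# Hypothetical identity of the thermostat; real firmware would take this
# from its configured interfaces and its mDNS name.
ALLOWED_HOSTS = frozenset({"192.168.1.50", "thermostat.local"})


def host_is_allowed(host_header: str | None,
                    allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only if the Host header, minus any :port, is one of the device's own names."""
    if not host_header:
        return False                    # HTTP/1.1 requires Host; fail closed without it
    host = host_header.strip().lower()
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]   # strip a trailing :port from an IPv4 or a name
    return host in {h.lower() for h in allowed}


def request_host(raw: bytes) -> str | None:
    """Pull the Host header out of a raw HTTP/1.x request, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def handle(raw: bytes) -> int:
    """HTTP status a hardened device returns: 403 for any foreign Host value."""
    return 200 if host_is_allowed(request_host(raw)) else 403


# Constructed sample traffic: the same API call from a LAN client and from a
# browser whose page origin attacker.example has just been rebound to the LAN IP.
LEGIT_REQUEST = (
    b"POST /setpoint HTTP/1.1\r\n"
    b"Host: 192.168.1.50\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"target_f": 85}'
)
REBOUND_REQUEST = (
    b"POST /setpoint HTTP/1.1\r\n"
    b"Host: attacker.example\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"target_f": 85}'
)

if __name__ == "__main__":
    print("legitimate LAN client:", handle(LEGIT_REQUEST))
    print("rebound browser:      ", handle(REBOUND_REQUEST))
```

The check costs one string comparison per request and works even for APIs that have no authentication at all, which is exactly the population Dorsey describes. It is a stopgap rather than a substitute for authentication: a device that also requires a credential the page cannot know is protected whatever its resolver does.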
"The implications and impact of an attack like this can have far reaching and devastating effects on devices or services running on a private network," Dorsey wrote. "By using a victim’s web browser as a sort of HTTP proxy, DNS rebinding attacks can bypass network firewalls and make every device on your protected intranet available to a remote attacker on the internet." ®