Are your IoT gizmos, music boxes, smart home kit vulnerable to DNS rebinding attacks? Here's how to check

Fancy website, code emitted – Roku, Google, etc stuff at risk


A technique for attacking computer networks, first disclosed more than a decade ago, has resurfaced as a way to manipulate Internet-of-Things gadgets, smart home equipment, and streaming entertainment gizmos.

Researcher Brannon Dorsey this week posted an essay explaining how smart home hardware can be vulnerable to a trick known as DNS rebinding.

He also crafted this website that, with your permission, will run JavaScript in your browser to detect whether or not you have any devices vulnerable to DNS rebinding on your network. Try it out if you're worried about being at risk. It only works, mind you, if your network uses 192.168.1.x IP addresses.

First disclosed at RSA 2008 by researcher Dan Kaminsky, a DNS rebinding attack allows a malicious webpage open in a browser to access and potentially commandeer a device on a local network, sidestepping the same-origin policy checks that usually guards against such attacks.

While rebinding attacks have been made more difficult to pull off on modern browsers and networks, some systems remain vulnerable to reliable attacks. Earlier this year, Blizzard had to address the issue in its update tool, and exploits targeting cryptocurrency wallets also used the technique.

Now, Dorsey claims, home networks and internet-connected appliances will have to be added to that list. The infosec bod explained that, by connecting users to a compromised DNS server, a web browser can remotely receive and relay commands to devices on their local network.

Young guy facepalms while holding a laptop

Pwn goal: Hackers used the username root, password root for botnet control database login

READ MORE

Among the hardware that could be manipulated by such an attack are WiFi routers, streaming video and music boxes (such as Roku or Google Home gear), and smart thermostats, or other connected appliances.

"Many of these devices offer limited or non-existent authentication to access and control their services," Dorsey explained. "They inherently trust other machines on the network in the same way that you would inherently trust someone you’ve allowed into your home."

In effect, the attack would use the browser as an entry point to infiltrate the local network.

As with previous attack techniques, Dorsey's method involves tricking a user into visiting a booby-trapped webpage – via something like a phishing email or XSS exploit – that runs scripting code to contact a malicious DNS server to look up a domain name.

Rather than resolve the domain name to an outside server's IP address, however, Dorsey's technique would have the DNS server return a local network address of a connected appliance, allowing the page to then access the device as if were the user. All the while, the browser that has been fooled into carrying out the attack would present the user with no alert to indicate anything has gone awry.

To demonstrate, Dorsey has produced proof-of-concept code showing how the technique can force a home thermostat to raise its own temperature.

Dorsey said he has notified vendors including Roku and Google of the vulnerability, so expect patches to land soon for your equipment. The issue is likely to span thousands of devices, and vendors and will require some time to fully address the security shortcomings.

"The implications and impact of an attack like this can have far reaching and devastating effects on devices or services running on a private network," Dorsey wrote. "By using a victim’s web browser as a sort of HTTP proxy, DNS rebinding attacks can bypass network firewalls and make every device on your protected intranet available to a remote attacker on the internet." ®

Similar topics

Broader topics


Other stories you might like

  • Google sours on legacy G Suite freeloaders, demands fee or flee

    Free incarnation of online app package, which became Workplace, is going away

    Google has served eviction notices to its legacy G Suite squatters: the free service will no longer be available in four months and existing users can either pay for a Google Workspace subscription or export their data and take their not particularly valuable businesses elsewhere.

    "If you have the G Suite legacy free edition, you need to upgrade to a paid Google Workspace subscription to keep your services," the company said in a recently revised support document. "The G Suite legacy free edition will no longer be available starting May 1, 2022."

    Continue reading
  • SpaceX Starlink sat streaks now present in nearly a fifth of all astronomical images snapped by Caltech telescope

    Annoying, maybe – but totally ruining this science, maybe not

    SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

    A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

    The team of astronomers found 5,301 streaks leftover from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

    Continue reading
  • AI tool finds hundreds of genes related to human motor neuron disease

    Breakthrough could lead to development of drugs to target illness

    A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

    Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, like amyotrophic lateral sclerosis (ALS) more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. They lose control over their bodies, and as the disease progresses patients become completely paralyzed. There is currently no verified cure for ALS.

    Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

    Continue reading

Biting the hand that feeds IT © 1998–2022