Yesterday, we warned you about this location privacy security flaw that affects Google’s Chromecast and Home gadgets. This scary vulnerability in these Google devices can potentially reveal your location with pinpoint precision.
The flaw is reportedly a result of poor authentication systems on the Chromecast and the Google Home. Basically, these devices don’t require authentication when a request is coming over the local network.
However, the attack uses a technique called DNS rebinding to make it look like its commands are coming locally.
Now, it turns out, it’s not just Google products that are vulnerable to a DNS rebinding attack. Virtually every streaming gadget out there can be susceptible to DNS rebinding attacks too.
Read on and learn why this particular attack is causing everyone to scramble for a fix.
What is DNS rebinding?
New research published by independent security researcher Brannon Dorsey highlighted the dangers of DNS rebinding attacks on a number of popular smart gadgets.
His list included Google’s Chromecast and Home smart speaker, Roku streaming gadgets, Sonos Wi-Fi speakers and smart home thermostats.
Basically, DNS rebinding allows an attacker to infiltrate your private home Wi-Fi network by fooling your web browser into communicating with your local gadgets directly.
DNS rebinding is not exactly a new attack technique. It’s been known since 2007 but since it was tricky to execute, requiring a variety of steps and tools, computer and manufacturers didn’t consider it a serious threat.
However, with the rise of universal plug-and-play protocols (UPnP), smart appliances that automatically communicate, and the recently discovered DNS rebinding vulnerabilities in popular software including Blizzard Entertainment’s game update agent and the cryptocurrency Ethereum’s mining client, DNS rebinding flaws are now being carefully reconsidered.
How does DNS rebinding work?
Are you sometimes glad that your streaming gadgets seem to communicate effortlessly with your smartphone, computer and other streaming gadgets?
Say, when you want to “cast” a video from your phone to a Chromecast, a list of available streaming devices seems to magically appear on your phone, right? Well, that convenience is what this flaw is taking advantage of.
In simple terms, DNS rebinding tricks your web browser into issuing commands to vulnerable devices in your network. Since vulnerable streaming gadgets currently lack checks for requests coming from the local network, they will execute the commands willingly.
You can skip this part, but here’s a more technical breakdown of the attack:
- First, an attacker puts up a malicious server that handles all DNS queries for a specific malicious website and domain.
- The attacker will then try and trick a user into loading the malicious website or domain via phishing attacks or banner ads.
- When the victim opens the poisoned link, their web browser will make a DNS request looking for the IP address of the malicious website. Initially, the attacker’s DNS server will respond with the website’s real IP address.
- The attacker’s DNS server will also set the Time To Live (TTL) value on its answer to one second. This forces the browser’s cached copy of the address to be quickly discarded and looked up again.
- Because of the short TTL value, the browser will quickly issue another DNS lookup request.
- This time, the malicious DNS server will respond with a local IP address instead (for example, the address of your local connected gadget). Your web browser won’t notice this switcheroo.
- Since your local streaming gadget automatically accepts requests coming from your local network without authentication, the commands will be executed.
Refresher: What is DNS? DNS or domain name system is often called the phone book for the internet. It translates the numerical IP addresses of websites to domain names that are easier to read and remember.
According to Dorsey, aside from the Chromecast and Google Home vulnerabilities, here are the other gadgets that were found to be susceptible to DNS rebinding attacks:
Roku streaming gadgets
Roku gadgets like the Roku streaming boxes and Roku streaming sticks appear to have a locally accessible API server on port 8060.
By using DNS rebinding techniques, an attacker can send requests to this server and have a Roku perform basic tasks like launching apps, typing with the Roku’s virtual keyboard and even searching for and playing content.
Apparently, Roku didn’t initially consider DNS rebinding a serious threat, but based on Dorsey’s findings, the company reconsidered and is now rolling out a patch to fix the flaw.
Sonos connected speakers
Sonos Wi-Fi speakers have a UPnP endpoint on port 1400 that can be used to run commands that will map your entire network.
Although not a remote access flaw, an attacker can use a Sonos to gather vital information about your local network and the gadgets that are connected.
Sonos acknowledged the issue and is planning on pushing a fix by mid-July.
Radio smart home thermostats
Dorsey also found a DNS rebinding vulnerability on Radio Thermostat models CT50 and CT80. This flaw exposes these gadgets’ user interface to the local network with no authentication whatsoever.
Through DNS rebinding, an attacker can then access the thermostat’s controls, modify settings and even change a room’s temperature.
Routers were originally the main targets of DNS rebinding attacks. Attackers usually use these techniques to gain access to routers whose default admin passwords haven’t been changed by exploiting a router’s UPnP server.
How to protect yourself from DNS rebinding attacks
Since vendors are now scrambling to roll out fixes to patch DNS rebinding flaws on their respective gadgets, please apply them as soon as possible. It may take a few weeks, but hopefully, all the updates will be out by mid-July.
With this renewed interest in DNS rebinding flaws, we’re also counting on smart appliance and Internet-of-Things gadget makers to take extra steps in ensuring that their products have proper local authentication.
We suspect that this is just the initial list of gadgets vulnerable to DNS rebinding attacks and we’re expecting more to surface in the next few weeks so stay tuned.
Until then, there’s really not much you can do against this attack except being extra careful with websites you visit and ads you click on. There’s no real evidence that this is being actively exploited but for now, just employ good security practices by not clicking on unknown links, websites and attachments.
Use DNS filtering
For extra protection against DNS rebinding, you can set up your router to use a DNS service that can be configured to filter out your local private IP ranges from DNS lookups (such as OpenDNS Home).
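Here is what that kind of filter does with the answers your browser would receive, including the address switch from the technical breakdown earlier. This is an added Python sketch, not code from Dorsey’s research or from any DNS service; the hostnames, addresses, `LOCAL_SUFFIXES` and the `SHORT_TTL` threshold are all constructed assumptions.

```python
import ipaddress

# Ranges that a public hostname should never resolve to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this network"
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, unique-local, link-local
)]
# Assumption: names ending in these suffixes belong to your own LAN.
LOCAL_SUFFIXES = (".home.arpa", ".lan")
SHORT_TTL = 5  # seconds; assumed threshold for a suspiciously short TTL

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap forms like ::ffff:192.168.1.23
    return any(addr in net for net in LOCAL_NETS)

def filter_answers(answers):
    """Split (hostname, ip, ttl) answers into kept and blocked-with-reason."""
    kept, blocked, public_seen = [], [], set()
    for host, ip, ttl in answers:
        name = host.lower().rstrip(".")
        if name.endswith(LOCAL_SUFFIXES):
            kept.append((host, ip, ttl))      # your own gadgets may resolve locally
        elif is_local(ip):
            flipped = name in public_seen     # same name answered publicly before
            reason = "public-to-local flip" if flipped else "local address for public name"
            if ttl <= SHORT_TTL:
                reason += ", short TTL"
            blocked.append((host, ip, ttl, reason))
        else:
            public_seen.add(name)
            kept.append((host, ip, ttl))
    return kept, blocked

# Constructed sample: the second and third rows are the rebinding switch.
SAMPLE = [
    ("news.example.org", "198.51.100.10", 300),
    ("rebind.example.net", "203.0.113.7", 1),
    ("rebind.example.net", "192.168.1.23", 1),
    ("cdn.example.com", "::ffff:10.0.0.5", 60),
    ("printer.home.arpa", "192.168.1.50", 60),
]

if __name__ == "__main__":
    for row in filter_answers(SAMPLE)[1]:
        print("BLOCKED", row)
```

The filter only stops the switch to a local address. A gadget that accepts local requests without authentication still needs the vendor’s patch.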
Turn off UPnP
UPnP or Universal Plug and Play is a feature that is enabled by default in most consumer routers. This allows your network’s home appliances that support UPnP to discover and connect with each other without password authentication.
While it is a convenient feature, UPnP is commonly exploited by hackers to connect to your network remotely. For your safety, consider turning your router’s UPnP features off.
Set up a separate network
Another effective way to protect yourself from Internet-of-Things attacks such as this one is to put your smart appliances on a separate network that’s different from your main one.
You can do this by setting up a completely different Wi-Fi router or by simply enabling your router’s “Guest Network” option, a popular feature for most routers. Note: Make sure you enable encryption and password-protect your guest network too.
This way, your more critical personal devices, like your personal computers, smartphones, and tablets, are segregated from specific Internet-Of-Things attacks.