DNS Rebinding Is Back and Exposing Half a Billion IoT Devices to Attack

DNS rebinding is posing a serious threat to IoT and unmanaged devices. Click here to learn more about DNS rebinding and what you can do to protect your devices.

It's been a relatively quiet year when it comes to cybersecurity attacks. There have been plenty of small attacks, including ones in which security vulnerabilities were exposed, but we've not seen a resurgence of the international, wide-scale ransomware attacks of last year like WannaCry and NotPetya. There have — of course — still been plenty of attacks, from the attack on the City of Atlanta to the attack on the Pyeongchang Winter Olympics. Unsurprisingly, IoT remains a persistent pain point for all things cybersecurity, but with a twist: DNS rebinding is back.

According to cybersecurity company Armis (which discovered the BlueBorne vulnerability in 2017), there are over half a million vulnerable devices around the world. IoT security does itself no favors, with no real industry standards or laws, which is why it has been determined that nearly half a billion devices are vulnerable worldwide. It's not only that many connected devices have appallingly bad security, but also that DNS rebinding bypasses traditional security technology. Most companies can't see or monitor connected devices and are unable to determine whether they're compromised. Furthermore, patching connected devices is difficult at scale.

Armis has found that the issue impacts hundreds of millions of IoT and other unmanaged devices used inside almost every enterprise. From smart TVs to printers, digital assistants to IP phones and more, the exposure leaves organizations vulnerable to compromise, to data exfiltration, and to devices being hijacked for another Mirai-like attack.

What Is DNS Rebinding?

DNS rebinding takes advantage of a nearly decade-old flaw in web browsers that allows a remote attacker to bypass a victim's network firewall and use the victim's web browser as a proxy to communicate directly with vulnerable devices on the local network.

An example of a vulnerable device is one running an unauthenticated protocol like Universal Plug and Play (UPnP) or plain HTTP (unencrypted web servers). These protocols are commonly used to host administrative consoles (for routers, printers, and IP cameras) and to allow easy access to a device's services (for example, streaming video players), and they are pervasive in businesses.

Vulnerabilities Are Everywhere

The Armis research team found that large enterprises are particularly exposed to DNS rebinding attacks. Just this week, Cisco Systems is issuing software updates to tackle a high-risk vulnerability in several VoIP phone models that could allow a remote attacker to perform command injection and execute commands with the privileges of the web server. This is exactly the type of scenario that can be leveraged via a DNS rebinding attack.

Last month, IP security cameras (an ironic name in this particular instance) were identified as among the most at-risk devices, with 10 vulnerabilities published in Axis and Foscam cameras.

Printers — one of the least managed, most poorly configured classes of device — were also identified in the research. Aside from adjusting basic network configuration, enterprises typically deploy printers with default settings, making them an ideal target for a DNS rebinding attack. Once compromised, a printer can be a vector through which an attacker:

  • Exfiltrates information by downloading documents scanned, stored, or cached on the printer
  • Launches a larger attack within the enterprise, similar to how an attacker used a fish tank thermostat to exfiltrate 10 GB of data from a casino in North America to a remote server in Finland.

How It Works

For anybody who thinks IoT devices are safe because they sit behind a firewall: this is not the case. DNS rebinding manipulates the trust model between browsers and the outside world, effectively allowing a remote attacker to compromise IoT devices just as if the attacker were already on the internal network. Here's how a DNS rebinding attack works:

Step 1: Leverage the User’s Browser

  1. The user clicks on a link (phishing or otherwise) that takes them to a malicious site, or to a legitimate site hosting malicious JavaScript.
  2. The malicious JavaScript runs in the user's browser. For example, the user visits a sports site called (fictitiously) worldsportscores.com to get the latest World Cup scores. This site may host HTML ads running malicious JavaScript, and that JavaScript is not identified as malicious by a firewall, a network security solution, or even endpoint protection.

Step 2: Scan the Local Network to Detect the Presence of a Particular Type of Device

  1. Using DNS rebinding and JavaScript, the malicious website commands the end-user browser to scan local IP addresses.
  2. Then, the browser sends the results back to the malicious website.

Again, since all of this activity appears to be normal end-user communication from the perspective of the firewall, none of the traffic is blocked.

It is important to note that steps 1 and 2 take place the minute the user enters a site that hosts the malicious JavaScript, and from that moment the attacker is effectively inside the company network.

Step 3: Access the IoT Device

  1. The malicious website sends an appropriate set of commands to the end user's browser, for example, commands to log into the HTTP web server of a security camera on the internal network.
  2. Using DNS rebinding, the browser sends those commands directly to the IP address of the IoT device inside the private network.

The command that the browser sends can control the IoT device, compromise the device, or extract information such as unique identifiers and Wi-Fi access point SSIDs. Since all of this traffic is between the browser on the end user's laptop or desktop and the IoT device, the firewall never sees this traffic, and, thus, it can’t block any of it.

Manufacturers of IoT devices typically assume that other devices on the same network are trusted. Thus, the devices ship with open, unencrypted services like HTTP and, in this phase of the attack, trust the malicious commands issued from the local end user's browser.

Step 4: Establish an Outbound Connection to a Command-and-Control (C&C) Server Directly From the Compromised IoT/Unmanaged Device

The firewall typically considers outbound connections to be safe, so this connection is not scrutinized or blocked by the firewall in the same way that an inbound connection would be. The firewall is working exactly as it was designed and exactly how it's configured. Still, the attacker is now inside the network with a persistent presence.
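The device-side check that defeats the rebound request of Step 3, as an added Python example that is not code from the article, from Armis, or from any device vendor. The camera's addresses, the request log and the port numbers are constructed for illustration.

```python
"""Device-side defense against DNS rebinding: validate the HTTP Host header.

In the attack described above the browser still believes it is talking to
worldsportscores.com, so the request it delivers to the camera on the LAN
carries that hostname in its Host header. A device that accepts only
requests addressed to its own IP address or hostname rejects the rebound
request while normal local administration keeps working. All names and
addresses below are constructed for illustration.
"""
from typing import Iterable, List, Optional, Tuple

# Identities under which the (hypothetical) camera serves its admin console.
DEVICE_IDENTITIES = {"192.168.1.20", "camera-01.lan"}


def parse_host(host_header: str) -> Optional[str]:
    """Return the lowercased host from a Host header, without any port."""
    value = host_header.strip().lower()
    if not value:
        return None
    if value.startswith("["):                 # IPv6 literal such as [fe80::1]:80
        end = value.find("]")
        return value[1:end] if end > 0 else None
    # A single colon separates host from port; more than one means a bare IPv6.
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def request_allowed(host_header: str, identities=DEVICE_IDENTITIES) -> bool:
    """Accept a request only if its Host header names this device."""
    host = parse_host(host_header)
    return host is not None and host in identities


def audit_requests(requests: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (source_ip, host_header) pairs as 'served' or 'rejected'."""
    return [(src, host, "served" if request_allowed(host) else "rejected")
            for src, host in requests]


# Constructed request log: an admin's normal visits, then the rebound requests
# the victim's browser sends on behalf of the malicious page.
SAMPLE_REQUESTS = [
    ("192.168.1.50", "192.168.1.20"),
    ("192.168.1.50", "camera-01.lan:8080"),
    ("192.168.1.77", "worldsportscores.com"),
    ("192.168.1.77", "worldsportscores.com:80"),
]

if __name__ == "__main__":
    for src, host, verdict in audit_requests(SAMPLE_REQUESTS):
        print(f"{src:<14} Host={host:<28} {verdict}")
```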

Not All Is Lost: Here's How to Protect Yourself

Short of redesigning how browsers and DNS servers work, there are some steps that you can take to protect your organization from a DNS rebinding attack taking over IoT and unmanaged devices:

  1. The fastest and easiest solution is to begin monitoring all devices immediately — especially unmanaged devices — for signs of a breach.
  2. Take an inventory of all your IoT devices and identify which ones can be moved to separate network segments, so they can't be discovered or compromised using a DNS rebinding attack. Not all devices can be moved to a different segment, but the more you can move, the better.
  3. Perform a risk analysis of each of your IoT devices. Some devices are riskier than others. Some devices have easily attackable interfaces, such as HTTP servers, and some don’t. Rather than do this risk assessment manually, look for an automated way to assess all devices at once.
  4. Make your IoT devices less vulnerable, for example by disabling services that you don't need, such as UPnP, changing the password on each device's HTTPS server, and updating device software whenever possible. Where updates are not applied automatically, download and apply them manually to each device.
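A resolver-side complement to the steps above, as an added Python example that is not from the article or from Armis: a recursive resolver that refuses to return internal addresses for names outside the organisation's own zones, which is the behaviour dnsmasq offers as `--stop-dns-rebind` with `--rebind-domain-ok`. The trusted zone names and the DNS answers are constructed for illustration.

```python
"""Resolver-side defense against DNS rebinding, modelled in Python.

A rebinding attack needs the company resolver to hand the browser an answer
in which an outside name (worldsportscores.com) resolves to an address inside
the LAN. Dropping such records, except for the organisation's own zones,
removes that step. The zones and answers below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Address space that a public Internet name should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]
TRUSTED_ZONES = ("corp.example", "lan")   # may legitimately use internal space

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def in_trusted_zone(name: str) -> bool:
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in TRUSTED_ZONES)

def filter_answer(name: str, addrs: List[str]) -> Tuple[List[str], List[str]]:
    """Split one answer section's A/AAAA records into (kept, dropped)."""
    if in_trusted_zone(name):
        return list(addrs), []
    dropped = [a for a in addrs if is_internal(a)]
    return [a for a in addrs if a not in dropped], dropped

def audit(answers: Iterable[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each name that had records dropped to the internal addresses seen."""
    flagged: Dict[str, List[str]] = {}
    for name, addrs in answers:
        dropped = filter_answer(name, addrs)[1]
        if dropped:
            flagged.setdefault(name, []).extend(dropped)
    return flagged

# Constructed answers: the attacker's name first resolves to a public address
# (short TTL), then to the camera's LAN address when the browser re-resolves.
ANSWERS = [
    ("worldsportscores.com", ["203.0.113.10"]),
    ("worldsportscores.com", ["192.168.1.20"]),
    ("printer-02.corp.example", ["10.0.4.7"]),
    ("camera-01.lan", ["192.168.1.20"]),
    ("worldsportscores.com", ["203.0.113.10", "fe80::1"]),
]
```

Names flagged by `audit` are worth alerting on even when the records are dropped, since they indicate a user on the network has already loaded the rebinding page.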

Of course, it is always advisable to make judicious decisions when purchasing (and connecting) IoT devices — lest you regret the decision in the near future after an opportune hack. Don't hold your breath waiting for patches from the device manufacturer. Patching all these devices against DNS rebinding attacks is a colossal task, requiring patches from many vendors that can't even be relied on to respond to lesser threats. You're pretty much on your own here.
