DNS Rebinding Is Back and Exposing Half a Billion IoT Devices to Attack
DNS rebinding poses a serious threat to IoT and unmanaged devices. This article explains what DNS rebinding is and what you can do to protect your devices.
It's been a relatively quiet year when it comes to cyber security attacks. There have been plenty of small attacks, including ones that exposed security vulnerabilities, but we have not seen a resurgence of last year's international, wide-scale ransomware attacks like WannaCry and NotPetya. There have — of course — been plenty of attacks, from the attack on the City of Atlanta to the attack on the Pyeongchang Winter Olympics. Unsurprisingly, IoT remains a persistent pain point for all things cybersecurity, but with a twist: DNS rebinding is back.
According to cybersecurity company Armis (who discovered the BlueBorne vulnerability in 2017), there are over half a million devices that are vulnerable around the world. IoT security gets no help from the lack of real industry standards or laws, which goes a long way toward explaining why nearly half a billion devices have been determined to be vulnerable worldwide. It's not only that many connected devices have appallingly bad security; DNS rebinding also bypasses traditional security technology. Most companies can't see or monitor their connected devices and are unable to determine whether they have been compromised. Furthermore, patching connected devices is difficult at scale.
Armis has found that the issue impacts hundreds of millions of IoT and other unmanaged devices used inside almost every enterprise. From smart TVs to printers, digital assistants to IP phones and more, the exposure leaves organizations vulnerable to compromise, data exfiltration, and to devices getting hijacked for another Mirai-like attack.
What Is DNS Rebinding?
DNS rebinding takes advantage of a nearly decade-old flaw in web browsers that allows a remote attacker to bypass a victim's network firewall and use their web browser as a proxy to communicate directly with vulnerable devices on the local network.
An example of a vulnerable device is one that is running an unauthenticated protocol like Universal Plug and Play (UPnP) or HTTP (used on unencrypted web servers). These protocols are commonly used to host administrative consoles (for routers, printers, IP cameras), allow easy access to the device’s services (for example, streaming video players), and are pervasive in businesses.
Vulnerabilities Are Everywhere
The Armis research team found that large enterprises are particularly exposed to DNS rebinding attacks. Just this week, Cisco Systems is issuing software updates to tackle a high-risk vulnerability in several VoIP phone models. This vulnerability could allow a remote attacker to perform a command injection and execute commands with the privileges of the web server. This is the type of scenario that can be leveraged via a DNS Rebinding attack.
Printers — one of the least managed, most poorly configured devices — were also identified in their research. Aside from adjusting basic network configurations, enterprises typically deploy printers with default settings, making them an ideal target for a DNS rebinding attack. Once compromised, printers can be a vector through which an attacker:
- Exfiltrates information by downloading documents scanned, stored, or cached on the printer
- Launches a larger attack within the enterprise, similar to how an attacker used a fish tank thermostat to exfiltrate 10 GB of data from a casino in North America to a remote server in Finland.
How It Works
For anybody who thinks IoT devices are safe because they sit behind a firewall, this is not the case. DNS rebinding manipulates the trust model between browsers and the outside world, effectively allowing a remote attacker to compromise IoT devices, just as if the attacker were already on the internal network. Here’s how a DNS rebinding attack works:
Step 1: Leverage the User’s Browser
Step 2: Scan the Local Network to Detect the Presence of a Particular Type of Device
- Then, the browser sends the results back to the malicious website.
Again, since all of this activity appears to be normal end-user communication from the perspective of the firewall, it does not block any of the traffic.
Step 3: Access the IoT Device
- The malicious website sends an appropriate set of commands to the end user's browser, for example, commands to log into the HTTP web server of a security camera on the internal network.
- Using DNS rebinding, the browser sends those commands directly to the IP address of the IoT device inside the private network.
The command that the browser sends can control the IoT device, compromise the device, or extract information such as unique identifiers and Wi-Fi access point SSIDs. Since all of this traffic is between the browser on the end user's laptop or desktop and the IoT device, the firewall never sees this traffic, and, thus, it can’t block any of it.
Manufacturers of IoT devices typically assume that other devices on the same network are trusted. Thus, the devices ship with open, unencrypted services, like HTTP, and trust the malicious commands executed by the local end user's browser in this phase of the attack.
Step 4: Establish an Outbound Connection to a Command-and-Control (C&C) Server Directly From the Compromised IoT/Unmanaged Device
The firewall typically considers outbound connections to be safe, so this connection is not scrutinized or blocked by the firewall in the same way that an inbound connection would be. The firewall is working exactly as it was designed and exactly how it's configured. Still, the attacker is now inside the network with a persistent presence.
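The attack above works only because the device answers any request the local browser sends it. A rebound request, however, still carries the attacker's hostname in its HTTP Host header, because the browser believes it is talking to the attacker's site. The following Python example, added here and not part of the Armis research or this article, shows the device-side mitigation: an embedded HTTP server that refuses every request whose Host header does not name the device itself. The device names and addresses in DEVICE_IDENTITIES are constructed for the example.

```python
"""Host-header validation for a device's embedded HTTP server (added example).

In a rebinding attack the browser believes it is still talking to the
attacker's site, so the request that reaches the device carries the
attacker's hostname in the Host header. A device that only serves requests
whose Host names the device itself (its own hostname or IP literal) refuses
those rebound requests before any command is processed.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed example: the names and addresses this device answers to.
DEVICE_IDENTITIES = {"camera-01.lan", "192.168.1.50", "localhost", "127.0.0.1"}


def host_without_port(host_header):
    """Return the host part of a Host header, lower-cased and without the
    optional :port; bracketed IPv6 literals such as [::1]:8080 are handled."""
    # A Host value never legitimately contains these; refuse rather than guess.
    if any(c in host_header for c in "@/?#"):
        return ""
    # urlsplit parses the authority component when given a leading "//".
    try:
        return (urlsplit("//" + host_header.strip()).hostname or "").lower()
    except ValueError:            # malformed bracketed IPv6 literal
        return ""


def is_host_allowed(host_header, identities=DEVICE_IDENTITIES):
    """True only if the Host header names this device."""
    if not host_header:
        return False              # HTTP/1.1 requires Host; refuse if absent
    host = host_without_port(host_header)
    if not host:
        return False
    # Canonicalise IP literals so spelling variants ("::0001") match ("::1").
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass                      # not an IP literal; compare as a name
    return host in {i.lower() for i in identities}


class RebindingAwareHandler(BaseHTTPRequestHandler):
    """Minimal device endpoint that enforces the Host check on every request."""

    def do_GET(self):
        if not is_host_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: we are not the server the Host names.
            self.send_error(421, "Misdirected Request")
            return
        body = b"device status: ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback for a local demonstration.
    HTTPServer(("127.0.0.1", 8080), RebindingAwareHandler).serve_forever()
```

The check is cheap and needs no change to browsers or DNS: a request that arrives via a rebound name fails the comparison and is answered with 421 before any administrative command is parsed. Devices that are reached by more than one name (mDNS name, DHCP hostname, static IP) simply list all of them in the allowed set.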
Not All Is Lost: Here's How to Protect Yourself
Short of redesigning how browsers and DNS servers work, there are some steps that you can take to protect your organization from a DNS rebinding attack taking over IoT and unmanaged devices:
- The fastest and easiest solution is to begin monitoring all devices immediately — especially unmanaged devices — for signs of a breach.
- Take an inventory of all your IoT devices and identify which ones belong to different network segments, so they can’t be discovered or compromised using a DNS rebinding attack. Not all devices can be moved to a different segment, but the more you can move, the better.
- Perform a risk analysis of each of your IoT devices. Some devices are riskier than others. Some devices have easily attackable interfaces, such as HTTP servers, and some don’t. Rather than do this risk assessment manually, look for an automated way to assess all devices at once.
- Make your IoT devices less vulnerable, for example by disabling services that you don't need, such as UPnP, changing the password on each device's HTTPS server, and updating device software whenever possible. Where no automatic update mechanism exists, download each vendor's update and apply it to each device manually.
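Two of the steps above, monitoring for signs of a breach and making devices harder to reach, can also be applied at the network's own DNS resolver, which is the one place every rebinding attack must pass through. The Python example below is added here and is not code from the article or from Armis. It implements the same idea as dnsmasq's stop-dns-rebind option (strip answers that point a public name into private address space, with an allowlist of internal zones like rebind-domain-ok) and adds a log-based detector that flags a name flipping from a public address to an internal one. The internal zone suffixes, the address ranges and the resolver log are constructed for the example; the RFC 5737/3849 documentation addresses 203.0.113.10 and 2001:db8::1 stand in for public hosts.

```python
"""Resolver-side defenses against DNS rebinding (added example).

Two checks a local resolver or a DNS log pipeline can apply:
  * rebinding_answers(): drop A/AAAA answers that point a public name into
    private, loopback, link-local or similar non-routable space (the same
    idea as dnsmasq's stop-dns-rebind option);
  * RebindDetector: flag a name that first resolved to a public address and
    afterwards to an internal one, which is what a rebinding attack looks
    like in resolver logs.
"""
import ipaddress

# Address blocks a public hostname has no business resolving to. Extend with
# your own ranges (e.g. 100.64.0.0/10 if you use shared address space).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed example: internal zones whose names may legitimately resolve
# to private addresses (the equivalent of dnsmasq's rebind-domain-ok).
INTERNAL_SUFFIXES = (".lan", ".corp.example")


def is_internal_name(qname):
    q = qname.rstrip(".").lower()
    return any(q.endswith(s) for s in INTERNAL_SUFFIXES)


def is_non_routable(ip):
    """True if ip falls in NON_ROUTABLE; IPv4-mapped IPv6 is unwrapped first
    so ::ffff:192.168.1.50 cannot slip past an IPv4-only check."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in NON_ROUTABLE)


def rebinding_answers(qname, answers):
    """Return the answers that should be stripped from the response."""
    if is_internal_name(qname):
        return []                  # our own zones may point inside the network
    return [ip for ip in answers if is_non_routable(ip)]


class RebindDetector:
    """Remember which names resolved to public space; alert on a flip inward."""

    def __init__(self):
        self.seen_public = set()

    def observe(self, qname, ip, ttl):
        """Return an alert string for one resolved answer, or None."""
        q = qname.rstrip(".").lower()
        if not is_non_routable(ip):
            self.seen_public.add(q)
            return None
        if is_internal_name(q):
            return None
        if q in self.seen_public:
            return f"rebind: {q} moved from public space to {ip} (ttl={ttl})"
        return f"public name {q} resolves to internal address {ip} (ttl={ttl})"


# Constructed resolver log; 203.0.113.10 stands in for the attacker's public
# server and 2001:db8::1 for an ordinary public IPv6 host.
SAMPLE_LOG = """\
2018-07-20T10:00:01 query A www.attacker.example -> 203.0.113.10 ttl=1
2018-07-20T10:00:03 query A www.attacker.example -> 192.168.1.50 ttl=1
2018-07-20T10:00:04 query A printer.lan -> 192.168.1.20 ttl=3600
2018-07-20T10:00:05 query AAAA cdn.example -> 2001:db8::1 ttl=300
2018-07-20T10:00:06 query AAAA www.attacker.example -> ::ffff:192.168.1.50 ttl=1
"""


def scan_log(text):
    """Run the detector over log lines in the constructed format above."""
    det = RebindDetector()
    alerts = []
    for line in text.splitlines():
        _ts, _q, _rrtype, qname, _arrow, ip, ttl_field = line.split()
        alert = det.observe(qname, ip, int(ttl_field.split("=", 1)[1]))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a)
```

Filtering at the resolver protects every device on the segment at once, including the printers and cameras that will never receive a firmware fix, and the detector gives the monitoring step something concrete to alert on: the very low TTL and the public-to-private flip are the signature of the rebind itself. The internal-zone allowlist matters in practice; without it, split-horizon names that legitimately resolve to RFC 1918 space would be blocked.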
Of course, it is always advisable to make judicious decisions when purchasing (and connecting) IoT devices, lest you regret the decision after the device is hacked. Don't hold your breath waiting for patches from the device manufacturer. Patching all these devices against DNS rebinding attacks is a colossal task, requiring patches from many vendors that can't even be relied on to respond to lesser threats. You're pretty much on your own here.
Opinions expressed by DZone contributors are their own.