Security company: many IoT devices are vulnerable to DNS rebinding
Security company Armis, known for the BlueBorne vulnerability, states that a large number of IoT devices are vulnerable to a so-called DNS rebinding attack. Based on its own research, it estimates that 496 million devices are vulnerable in corporate networks worldwide.
According to the company, these include routers, printers, cameras, TVs and phones, mainly in business networks. A DNS rebinding attack occurs when a target, for example, visits a site set up by an attacker that contains malicious JavaScript. Another requirement is that the attacker has a malicious DNS server under control.
When the target visits the site, the DNS server first responds with the actual address of the site, but with a very short TTL so that the address is only cached for a short time. During a second lookup, which follows quickly because of the short TTL, the DNS server returns a different address, for example an IP address on the local network. The attacker can then also send a malicious command. Such an attack is not new and was already described in 2008.
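The lookup sequence described above, seen from the defender's side, as an added example that is not part of the original article: a Python check over resolver logs that flags a name whose answer switches from an external to an internal address for the same client. The log format, the host names, the 300-second window and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample resolver log: (epoch seconds, client, queried name, answer, TTL).
SAMPLE_LOG = [
    (1000, "10.0.0.23", "cdn.example.net", "198.51.100.99", 3600),
    (1001, "10.0.0.23", "a1.rebind.example", "203.0.113.10", 1),
    (1003, "10.0.0.23", "a1.rebind.example", "192.168.1.1", 1),
    (1005, "10.0.0.40", "intranet.corp.example", "10.0.5.20", 300),  # internal only
    (1010, "10.0.0.41", "b2.rebind.example", "198.51.100.7", 2),
    (5000, "10.0.0.41", "b2.rebind.example", "127.0.0.1", 2),  # outside default window
]

# Explicit list of ranges treated as "inside the firewall" (private, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_rebinding(log, window=300):
    """Return findings where a client saw one name switch from an external
    to an internal address within `window` seconds."""
    last_external = {}  # (client, name) -> (time, answer, ttl)
    findings = []
    for ts, client, name, answer, ttl in sorted(log):
        key = (client, name.lower().rstrip("."))
        if not is_internal(answer):
            last_external[key] = (ts, answer, ttl)
            continue
        seen = last_external.get(key)
        # A name that only ever resolves internally (an intranet host) is not flagged.
        if seen and ts - seen[0] <= window:
            findings.append({"client": client, "name": key[1],
                             "external": seen[1], "internal": answer,
                             "gap_s": ts - seen[0], "external_ttl": seen[2]})
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

A wider `window` also catches slow switches such as the constructed `b2.rebind.example` entries, at the cost of more noise from names that legitimately move between address ranges.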
Armis claims that in this way an attacker can, for example, collect information about devices on a local network, which is normally shielded by a firewall. For example, administrative interfaces could be accessed via UPnP or HTTP. An attacker could then cause an IoT device to connect to a remote command-and-control server, Armis said.
The company’s warning resembles that of another researcher, Brannon Dorsey, who recently published a blog post about his findings. For example, he showed that it was possible to attack devices such as a Google Home or a Sonos speaker via DNS rebinding. The various manufacturers then indicated that they wanted to develop patches. The technique has also been used before for vulnerabilities in the FritzBox firmware, the uTorrent client and the Blizzard Update Agent. These examples are fairly recent, but in 2010, a researcher warned that certain routers were vulnerable.