DNS rebinding attacks are a real threat that could hit the billions of internet of things (IoT) devices in people’s homes, according to Craig Young, principal security researcher at Tripwire.
Young was speaking in the Geek Street Theatre on day three of the Infosecurity Conference at London’s Kensington Olympia.
During the session, Young explained the impact of the threat – which turns a victim’s browser into a proxy for attacking private networks – within IoT. “Over the years, I have found countless vulnerabilities in IoT products,” he said.
This is partly because IoT often uses HTTP, which is vulnerable to DNS rebinding. In the future, the consequences could be significant: Rebinding also opens new doors for botnets, according to Young.
“The problem is, defenders seem to discount this as a real threat, but in the future, someone might want to create a botnet and there will be more hosts to target,” he said.
During his research, Young found devices including the Google Home smart speaker were vulnerable to DNS rebinding attacks. “I was able to ask the Google Home to give me IP addresses of nearby access points so I could tell where devices were,” he explained.
Another class of devices vulnerable to DNS rebinding are IoT units using standards-based web services access protocol SOAP. “You can use this to steal data, disable devices and brick them,” he said.
Young said vulnerable IoT devices included the Belkin Wemo smart outlet and the Sonos connected speaker – the latter of which allowed him to play false content and rename or reset the device.
In order to prevent DNS rebinding attacks, Young advises mitigation at the DNS layer, segmenting networks, using the NoScript extension for Firefox or “various adblockers.”
At the same time, Young said: “Devices and everything else should be using HTTPS – which is not affected by DNS rebinding. All apps need authentication: Even if it’s a home network, it should have some kind of credential mechanism.”