Half a Billion IoT Devices Vulnerable to DNS Rebinding Attacks


Armis, the cyber-security firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol, warns that nearly half a billion of today’s “smart” devices are vulnerable to a decade-old attack known as DNS rebinding.

Spurred by recent reports regarding DNS rebinding flaws in Blizzard apps, uTorrent, and Google Home, Roku TV, and Sonos devices, the company has recently analyzed the impact this type of attack has on Internet-of-Things-type of devices.

What is a DNS rebinding attack

DNS rebinding attacks are when an attacker tricks a user’s browser or device into binding to a malicious DNS server and then make the device access unintended domains.

DNS rebinding attacks are normally used to compromise devices and use them as relay points inside an internal network. A typical DNS rebinding attack usually goes through the following stages:

1)  Attacker sets up a custom DNS server for a malicious domain.
2)  Attacker fools victim into accessing a link for this malicious domain (this can be done via phishing, IM spam, XSS, or by hiding a link to the malicious domain on a malicious site or inside ads delivered on legitimate sites).
3)  The user’s browser makes a query for that domain’s DNS settings. 4)  The malicious DNS server responds, and the browser caches an address like XX.XX.XX.XX.
5)  Because the attacker has configured the DNS TTL setting inside the initial response to be one second, after one second, the user’s browser makes another DNS request for the same domain, as the previous entry has expired and it needs a new IP address for the malicious domain.
6)  The attacker’s malicious DNS setting responds with a malicious IP address, such as YY.YY.YY.YY, usually for a domain inside the device’s private network.
7)  Attacker repeatedly uses the malicious DNS server to access more and more of these IPs on the private network for various purposes (data collection, initiating malicious actions, etc.).

Almost all types of IoT devices are vulnerable

Armis says that IoT and other smart devices are perfect for attackers to target via DNS rebinding, mainly due to their proliferation inside enterprise networks, where they can play a key role into facilitating reconnaissance and data theft operations.

Experts say that following their investigation, they found out that nearly all types of smart devices are vulnerable to DNS rebinding, ranging from smart TVs to routers, from printers to surveillance cameras, and from IP phones to smart assistants.

All in all, experts put the number of vulnerable devices in the hundreds of millions, estimating it at roughly half a billion.

Don’t expect a massive patching effort

Patching all these devices against DNS rebinding attacks is a colossal task that may never be done, requiring patches from vendors that can’t be bothered with security for trivial flaws like XSS and CSRF vulnerabilities, let alone complex attacks such as DNS rebinding.

But Armis experts say that integrating IoT devices into current cyber-security monitoring products may be the easiest and cost-effective solution, rather than looking and auditing new devices to replace the old ones.

Because IoT security has been a proverbial shitshow for the past year, the cyber-security market has reacted and adapted, and there are now many firms that provide specialized platforms for monitoring IoT devices for enterprises which want to avoid nasty surprises.

For example, just recently PIR Bank of Russia got a nasty surprise when discovered that hackers stole $1 million after they breached its network thanks to an outdated router.

It’s not the 2000s anymore, and any respectable company nowadays must update its threat model to account for IoT devices, regardless if their vulnerable to DNS rebinding or any other flaw.