What’s a new day without a new attack vector being published? Yesterday, Google, Roku, and Sonos all announced that they will be updating their home devices in order to address DNS rebinding attacks.

So what is a DNS rebinding attack? According to BleepingComputer.com,

The purpose of a DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains. DNS rebinding attacks are usually used to compromise devices and use them as relay points inside an internal network. A typical DNS rebinding attack usually goes through the following stages:

1) Attacker sets up a custom DNS server for a malicious domain.

2) Attacker fools victim into accessing a link for this malicious domain (this can be done via phishing, IM spam, XSS, or by hiding a link to the malicious domain on a malicious site or inside ads delivered on legitimate sites).

3) The user’s browser makes a query for that domain’s DNS settings.

4) The malicious DNS server responds, and the browser caches an address like XX.XX.XX.XX.

5) Because the attacker has configured the DNS TTL setting inside the initial response to be one second, after one second, the user’s browser makes another DNS request for the same domain, as the previous entry has expired and it needs a new IP address for the malicious domain.

6) The attacker’s malicious DNS setting responds with a malicious IP address, such as YY.YY.YY.YY, usually for a domain inside the device’s private network.

7) Attacker repeatedly uses the malicious DNS server to access more and more of these IPs on the private network for various purposes (data collection, initiating malicious actions, etc.).

In short, an attacker can hijack your DNS queries and provide invalid (and malicious) responses.

So what should you do in response?

Actually, that is a tough question. This truly affects home users. It is not nearly as big a threat for enterprise administrators. Yes, every enterprise should mitigate this vulnerability through appropriate maintenance. And yes, if you place products/services within your customers’ home, then this is a current issue for you. But even if you are not involved today, it is important to note that as more devices in the home are becoming Internet-aware, this problem will become larger.

  • As a customer, update your client software as soon as updates are made available by the vendors. This is a default answer for most things. But in this case, it applies as well. Fundamentally, the issue is with the client software. So the client software is where the fix must be applied. Google, Roku, and Sonos have already committed to bringing forward appropriate fixes.
  • Press other product vendors to provide updates to their software. This includes: Amazon, Netgear, TP-Link, Philips, Ikea (Tradfri), Blink, GE, and many others. As a professional, this is probably not your call to resolve. After all, do you really want to get involved in the dealings between a customer and another premise-device provider? Usually, I’d recommend keeping your nose out of other people’s business. But in this case, this is a matter of domestic hygiene. Your products and services will never work optimally if the entire home ecosystem is “polluted”. Of course, the biggest reason to be involved is to provide more mass in order to affect the “gravitational” effect upon these vendors. As an advocate for your customers, encourage your peers to “do the right thing”.
  • As a homeowner, I would recommend running your own DNS, if you can. Keep it up to date to ensure that its software does not become the next attack vector. Unfortunately, this step won’t resolve the current problem. But it will resolve many other problems – especially problems imposed by lax ISP maintenance procedures. If you can’t run your own DNS, then use a logical (or physical) “proxy” for your DNS queries. This will resolve many of these issues. For example, your SmartThings hub can deal with the internet-based DNS services for your devices. But whatever technical steps you may take, please be a counselor and advocate for your customers. At the same time, maybe it’s time for your company to provide a DNS appliance solution. Maybe this isn’t just “table stakes” for the OEM router providers and the ISPs. Maybe your company can economically provide a cool product that bundles DNS, ad blocking, and proxy services.
  • If you use your own DNS, then use DNSSEC. This won’t be the short-term solution. Indeed, most IoT clients won’t have the processing power to provide authentication and encryption to a secure DNS infrastructure. But if you can bake this into your products, then do so – soon. Please, and thank you.
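The quoted attack stages and the recommendation to run (or proxy) your own DNS point at the same place to intervene: the resolver that hands answers to devices on the home network. The script below is an added example, not code from this post or from any of the vendors named; it models the rebind protection found in home resolver software (refuse to hand a LAN client an internal address for an outside name, and notice a name flipping from a public to a private address) and runs it over a constructed sequence of answers that mirrors stages 4 to 6. The domain names, the placeholder addresses standing in for XX.XX.XX.XX and YY.YY.YY.YY, the allow-listed local zones and the 30-second TTL threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Address ranges treated as "inside the home network". Listed explicitly rather than
# via ipaddress.is_private so the policy is visible and not tied to a Python version.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

# Zones allowed to resolve to internal addresses (assumed values; a real resolver
# would take these from its configuration).
ALLOWED_INTERNAL_ZONES = ("local", "home.arpa")

MIN_TTL = 30  # seconds; below this, re-resolution is fast enough to swap addresses

# Constructed answers standing in for what the resolver would receive. The public
# and private placeholders replace the article's XX.XX.XX.XX and YY.YY.YY.YY; the
# names are fictitious.
SAMPLE_ANSWERS = [
    ("attacker.example", "203.0.113.10", 1),         # stage 4: public address, TTL one second
    ("attacker.example", "192.168.1.20", 1),         # stage 6: same name now points into the LAN
    ("lights.vendor.example", "198.51.100.7", 300),  # ordinary vendor answer
    ("hub.local", "192.168.1.5", 60),                # internal answer for an allowed local zone
]


def is_internal(address: str) -> bool:
    """True if the address falls in any of the internal ranges above."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETWORKS)


def in_allowed_zone(name: str) -> bool:
    """True if the name lies inside a zone permitted to hold internal addresses."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in ALLOWED_INTERNAL_ZONES)


class RebindGuard:
    """Decides whether a DNS answer may be passed on to LAN clients.

    Rules:
      1. A name outside the allowed zones must never resolve to an internal address.
      2. A name that was earlier served a public address and now resolves to an
         internal one is an active rebind and is blocked regardless of TTL.
      3. A very short TTL on its own is only a warning: some legitimate services use
         them, but it is the mechanism that makes the swap in rule 2 work.
    """

    def __init__(self):
        self.seen = defaultdict(set)  # name -> addresses already served for it

    def check(self, name, address, ttl):
        """Return (verdict, reasons); verdict is one of ALLOW, WARN, BLOCK."""
        reasons = []
        internal = is_internal(address)
        if internal and not in_allowed_zone(name):
            reasons.append("internal-address-for-external-name")
        if internal and any(not is_internal(a) for a in self.seen[name]):
            reasons.append("public-to-private-flip")
        if ttl < MIN_TTL:
            reasons.append("short-ttl")
        self.seen[name].add(address)
        if any(r != "short-ttl" for r in reasons):
            return "BLOCK", reasons
        if reasons:
            return "WARN", reasons
        return "ALLOW", reasons


def run_sample(answers=SAMPLE_ANSWERS):
    """Run a fresh guard over a sequence of answers; return (name, verdict, reasons)."""
    guard = RebindGuard()
    return [(name, *guard.check(name, addr, ttl)) for name, addr, ttl in answers]


if __name__ == "__main__":
    for name, verdict, reasons in run_sample():
        print(f"{verdict:5} {name:25} {', '.join(reasons) or '-'}")
```

Run as written, the first answer for attacker.example is only warned about (a public address with a one-second TTL), the second is blocked on both rules 1 and 2, and the local hub is allowed because its zone is on the allow-list. The guard protects only devices that actually resolve through it, which is why the post's advice to proxy every device's DNS matters; it does nothing for a device that resolves on its own or that accepts whatever Host header it is sent.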

In the final analysis, this problem is an “edge” problem. So all solutions must occur at the edge. But if you are a service provider, then you have an obligation to your customers to act as a trusted advisor. Help them to be successful and they will help you to be successful.

https://www.bleepingcomputer.com/news/security/google-roku-sonos-to-fix-dns-rebinding-attack-vector/