Are your IoT gizmos, music boxes, smart home kit vulnerable to DNS rebinding attacks? Here's how to check

A technique for attacking computer networks, first disclosed more than a decade ago, has resurfaced as a way to manipulate Internet-of-Things gadgets, smart home equipment, and streaming entertainment gizmos. Researcher Brannon Dorsey this week posted an essay explaining how smart home hardware can be vulnerable to a trick …

  1. Gene Cash Silver badge

    Test website

    So it said:

    {{Object.keys(roku.devices).length}} Roku found

    {{Object.keys(googleHome.devices).length}} Google Home found

    {{Object.keys(radioThermostat.devices).length}} Radio Thermostat found

    {{Object.keys(phillips.devices).length}} Phillips Hue Bridge found

    {{Object.keys(sonos.devices).length}} Sonos speaker found

    And I don't have any of those devices. I have a couple Rasp-Pis, and my Android phone, and that's it.

    I don't think I'd trust it...

    1. wobbly1

      Re: Test website

      I get the same message as you with all my defences in place. When I dropped them, the page still failed to detect the devices in question on my network and then produced the "Aw Snap" page in Chrome. It is probable/possible you are running protection software that objected to the JavaScript on the page. That is a different matter to being vulnerable to the DNS rebind problem. If a dose is left on a page you allow to run scripts, you and I still don't know if we are vulnerable.

      1. GnuTzu Bronze badge
        Stop

        Re: Test website -- Confirm with Other Tests

        Might want to run network scans with nmap or such just to be sure that you don't have devices that might look like those other things. Scanners are often not precise in their ability to identify specific products, so it might be wise to scan your subnets to identify any unexpected IP address use.

    2. Pete 2 Silver badge

      Re: Test website - same here

      > I don't think I'd trust it...

      I got the same.

      Since I can't tell about the technical accuracy of the author's claims, all I can do is form an opinion on the stuff I can verify. Since his code failed that verification I will form the conclusion that his other claims are of a similar quality.

      That may well be incorrect, but I am not prepared to believe someone who has been shown to be wrong on what I can discover for myself.

  2. eldakka Silver badge

    > "They inherently trust other machines on the network in the same way that you would inherently trust someone you’ve allowed into your home."

    He obviously moves in trustworthy circles or something. Some people I've let into my home I don't allow out of my sight while they are in it - I'll even show them where the toilet is rather than giving them directions...

    1. I3N
      Coat

      Do we have ...

      ... the same family?

  3. John Geek

    It's scanning a subnet I don't even use, 192.168.1.0/24, WTF? My home stuff is all on 192.168.0.0/24

    1. Claptrap314 Bronze badge

      My ISP-provided subnet is on 192.168.0. Mine is .57. Not immune, but not gonna butt heads with the ISP .0 or .1 either.

      1. GnuTzu Bronze badge
        Alert

        "It's scanning a subnet I don't even use" -- ISP Routable?!?!?!

        Seems it's guessing what subnets are available, as it likely is unable to query that information. But, those subnets are technically not routable on the Internet. I would be very disappointed--though not surprised--if ISP routers let those scans out into other networks served by the ISP!!!!!!!!!!!!!!

    2. Packet

      Apologies in advance, but I have to ask - is your service provider modem also a 'gateway' providing gateway services?

      Or is it in bridge mode?

      Hint: If it's got an IP you can connect to, it's most likely not in bridge mode and you're possibly doing double NAT

  4. Zog_but_not_the_first Silver badge
    Facepalm

    Er,

    Google Home IPs finished/started: {{googleHome.finishedIps.length}}/{{googleHome.startedIps.length}}

    Roku IPs finished/started: {{roku.finishedIps.length}}/{{roku.startedIps.length}}

    Radio Thermostat IPs finished/started: {{radioThermostat.finishedIps.length}}/{{radioThermostat.startedIps.length}}

    Phillips Hue bridge IPs finished/started: {{phillips.finishedIps.length}}/{{phillips.startedIps.length}}

    Sonos speaker IPs finished/started: {{sonos.finishedIps.length}}/{{sonos.startedIps.length}}

    Nope.

    Continue the research.

    1. wayne 8

      Re: Er,

      Looks like a poorly constructed web app.

      The app's author might have never tested the app on a network without any such devices.

      What information did the web site import or export from my system?

      El Reg, did you verify that the site was benign?

  5. Anonymous Coward
    Anonymous Coward

    I wonder if this could work on a smartphone running a DLNA server or SSDP?

    https://android.stackexchange.com/questions/68169/ever-since-connecting-to-a-chromecast-my-device-floods-the-network-with-ssdp-pa

    I've seen something similar when running tcpdump on an Android device:

    HOST: 239.255.255.250:1900\r\n

    MAN: "ssdp:discover"\r\n

    MX: 2\r\n

    ST: roku:ecp\r\n

    1. Mage Silver badge

      Re: I wonder if this could work on a smartphone running a DLNA server or SSDP?

      I don't allow DLNA, SSDP, UPnP etc here.

  6. Mage Silver badge

    Seemed to scan correctly here

    Also illustrates why you want uMatrix + Firefox on phone, tablet, PC. DNS drive-by poisoning can use browser too.

    Obviously Javascript needed.

    Do always change default passwords on Admin pages and WiFi SSIDs.

    §

    Google Home IPs finished/started: 0/0

    Roku IPs finished/started: 0/0

    Radio Thermostat IPs finished/started: 0/0

    Phillips Hue bridge IPs finished/started: 0/0

    Sonos speaker IPs finished/started: 0/0

    §

    I don't intend to have any of that. Nor Amazon Echo or Dot. Also no UPnP. Nothing with Android TV on it connected. No intention of IP based/BT cameras or security or locks.

  7. This post has been deleted by its author

  8. AMBxx Silver badge
    Joke

    Would be a great way to infect lots of people

    Publish an article on el-reg that links to a webpage that then infects vulnerable devices on your network.

    Genius.

    1. GIRZiM Bronze badge

      Re: Would be a great way to infect lots of people

      's why I've never availed myself of the opportunity to go to a random website and see if my account/password has been pwned in the latest HUGE USER CREDENTIALS GIVEAWAY! ONLY SIX MONTHS LEFT!

      It's easier just to look at the reports on what's been hit this time and think "Yep, I was right all along - thank goodness I had the good sense to stick to my guns and never created an account with them, no matter how many people kept telling me how amazing life would be with yet another one."

    2. wayne 8

      Re: Would be a great way to infect lots of people

      May not be a joke.

  9. stungebag
    Unhappy

    Where's my Synology?

    The scan never completed when I tried it in Firefox, but my NAS went offline. A restart later and it still isn't back. Now to try a network reset. I'm not happy.

  10. Astara

    No sign of intelligent life....

    claimed to contact several devices -- none of which I have (similar to poster at top)

    Scanning {{ips.length}} IP addresses from {{startIp}} to {{endIp}}

    Google Home IPs finished/started: {{googleHome.finishedIps.length}}/{{googleHome.startedIps.length}}

    Roku IPs finished/started: {{roku.finishedIps.length}}/{{roku.startedIps.length}}

    Radio Thermostat IPs finished/started: {{radioThermostat.finishedIps.length}}/{{radioThermostat.startedIps.length}}

    Phillips Hue bridge IPs finished/started: {{phillips.finishedIps.length}}/{{phillips.startedIps.length}}

    Sonos speaker IPs finished/started: {{sonos.finishedIps.length}}/{{sonos.startedIps.length}}

    ---

    Don't have any of those.

    Then it said:

    The DNS Rebind attack was successful and a device has been found on your network. Your browser has been tricked into violating the Same-Origin Policy and HTTP requests have been made to interact with a device on your local network. The information below has been exfiltrated from your device and sent to a remote server that you do not control.

    {{d}}

    -----

    OMG!!! It sent {{d}}....NOT THAT... I've been pwnd!

    Maybe he needs a bit more testing on his proof of concept...

    1. Packet

      Re: No sign of intelligent life....

      I got the exact same message on mine...

  11. Colonel Mad
  12. david 12 Bronze badge

    192.168.1.xxx

    "I’ve authored a proof-of-concept exploit that you can use to target these devices on your home network today. That demo is live at http://rebind.network."

    The proof of concept exploit is hardcoded to 192.168.1.1/24. He should have mentioned that, and if he had, perhaps The Register might have mentioned it -- no point expecting journalists to be subject experts in this day and age :(

    I'm not on a 192.168.1.1 network, and I don't have any of the devices mentioned, so no further comment. His article looks interesting though, perhaps somebody who knows what they are talking about will comment on that.

    1. wayne 8

      Re: 192.168.1.xxx

      Ah, the beauty of Virtual Machines. My VMs run on 10.42.0.xxx

      That could be why it spazzed out.

    2. Michael Wojcik Silver badge

      Re: 192.168.1.xxx

      The proof of concept exploit is hardcoded to 192.168.1.1/24. He should have mentioned that, and if he had, perhaps The Register might have mentioned it

      The article does now mention it. I'm assuming that's an edit, since a number of people complained.

      Personally, I'm far more worried that nearly all the responses here are about the proof-of-concept rather than the actual problem. Those who do not understand DNS Rebinding are doomed to remain vulnerable to it.

      Of course, that's what happens when you make typical consumers de facto network administrators. It's not reasonable to expect even most people in the IT industry to be aware of and understand all these vulnerabilities; most people simply don't have that luxury, even if they had the inclination. The onus has to be on the manufacturers of these IDIOT[1] devices and the infrastructure[2] they rely on.

      [1] Internet of Dumb and Inappropriately Online Things.

      [2] Including poorly-designed protocols like SSDP and crap devices like consumer-grade routers.
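The device-side fix that the thread keeps circling back to (the attack in the quoted demo text relies on the browser sending LAN requests whose Host header still names the attacker's domain), written out as an added example that is not code from the article, rebind.network or any vendor: an embedded web server that serves only requests whose Host header names one of its own IPs or hostnames. The device addresses, the name thermostat.local and the domain "attacker.example" are constructed placeholders.

```python
"""Host-header check against DNS rebinding.  Added example, not code from the
article, rebind.network or any vendor: a rebound request reaches the device's
LAN address, but its Host header still names the attacker's domain."""
from ipaddress import ip_address

def parse_host(host_header):
    """Return (host, port) from a Host header, or None if malformed."""
    h = host_header.strip().lower()
    if not h:
        return None
    if h.startswith("["):                      # bracketed IPv6, e.g. [::1]:80
        end = h.find("]")
        if end < 0:
            return None
        host, rest = h[1:end], h[end + 1:]
    elif h.count(":") == 1:                    # name:port or v4:port
        host, _, port_str = h.partition(":")
        rest = ":" + port_str
    else:                                      # bare name or bare address
        host, rest = h, ""
    if rest == "":
        return host, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        return None
    return host, int(rest[1:])

def host_header_allowed(host_header, own_addresses, own_names=(), expected_port=80):
    """Serve a request only if Host names this device by its own IP or hostname."""
    parsed = parse_host(host_header)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port != expected_port:
        return False
    try:                                       # IP literal: compare as addresses
        return ip_address(host) in {ip_address(a) for a in own_addresses}
    except ValueError:                         # otherwise compare as a hostname
        return host.rstrip(".") in {n.lower().rstrip(".") for n in own_names}

# Constructed sample: a thermostat at 192.168.1.20 / fe80::1, also reachable as
# thermostat.local; "attacker.example" is a placeholder for a rebinding domain.
DEVICE_IPS, DEVICE_NAMES = ["192.168.1.20", "fe80::1"], ["thermostat.local"]
SAMPLE_HOSTS = {                               # Host header -> should we serve it?
    "192.168.1.20": True, "192.168.1.20:80": True, "Thermostat.local": True,
    "[fe80::1]:80": True, "attacker.example": False, "attacker.example:80": False,
    "192.168.1.20:8080": False, "": False,     # rebound domain, wrong port, empty
}

def check_samples():
    return {h: host_header_allowed(h, DEVICE_IPS, DEVICE_NAMES) for h in SAMPLE_HOSTS}
```

Calling check_samples() returns each sample Host header with the serve/reject verdict; the two "attacker.example" entries are the rebound requests a vulnerable device would otherwise answer.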


Biting the hand that feeds IT © 1998–2019