Internet of Things (IoT) devices aim to make home and office life easier, but also open those networks to a variety of attacks. On Tuesday, developer and researcher Brannon Dorsey uncovered an old network attack that could put many connected devices at risk of being controlled by a hacker, according to a Medium post.
The 10-year-old attack—called DNS rebinding—allows a remote attacker to bypass a victim’s network firewall, and use their web browser to communicate directly with devices on the private home or office network. If a user clicks a malicious link or banner advertisement, they could provide an attacker with access to their smart device, Dorsey wrote in the post.
Dorsey first attempted the attack on a smart thermostat, and soon after found that Google Home, Chromecast, Roku, Sonos speakers, and certain Wi-Fi routers and smart thermostats were all vulnerable to DNS rebinding.
Dorsey has alerted each of these companies of his findings, and all are working on or have already released security patches, he noted in the post. However, it’s likely that many other devices are also at risk, as those were only the ones that he happened to test, Dorsey wrote.
“If companies with such high profiles are failing to prevent against DNS rebinding attacks there must be countless other vendors that are as well,” Dorsey wrote.
Consumers and business users can take certain steps to protect themselves against DNS rebinding attacks. In the post, Dorsey recommended OpenDNS Home, a free DNS service for your router that can be configured to filter suspicious IP addresses out of DNS responses. You can also use Dnsmasq or install libre router firmware like DD-WRT on the router itself, though you may still be a target for these attacks if you are on a network that hasn’t been specifically configured to protect against them, Dorsey noted.
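What filtering DNS responses can look like in practice, as an added example that is not from Dorsey's post or any of the products named above: a resolver-side check that drops private, loopback and link-local addresses from answers for public names. The blocked ranges, the `LOCAL_SUFFIXES` allow-list and the sample answers are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: ranges a public name should never resolve to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumption: hypothetical allow-list of local zones that may
# legitimately resolve to private addresses.
LOCAL_SUFFIXES = (".lan", ".home.arpa")


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the blocked ranges."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot dodge the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def filter_answer(name: str, addresses: list[str]) -> tuple[list[str], list[str]]:
    """Split a resolver answer into (kept, dropped) addresses."""
    name = name.rstrip(".").lower()
    if name.endswith(LOCAL_SUFFIXES):
        return list(addresses), []
    kept = [a for a in addresses if not is_internal(a)]
    dropped = [a for a in addresses if is_internal(a)]
    return kept, dropped


# Constructed sample answers: (queried name, A/AAAA records returned).
SAMPLE_ANSWERS = [
    ("www.example.com", ["93.184.216.34"]),
    ("rebind.example.net", ["93.184.216.34", "192.168.1.20"]),
    ("rebind6.example.net", ["::ffff:10.0.0.5"]),
    ("thermostat.lan", ["192.168.1.20"]),
]

if __name__ == "__main__":
    for qname, records in SAMPLE_ANSWERS:
        kept, dropped = filter_answer(qname, records)
        print(f"{qname}: kept={kept} dropped={dropped}")
```

A dropped address on a public name is also worth logging, since a normal site has no reason to answer with an address inside your own network.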
Developers should also take steps to build security into IoT devices, Dorsey said. “We need developers to write software that treats local private networks as if they were hostile public networks,” he wrote in the post. “The idea that the local network is a safe haven is a fallacy. If we continue to believe it people are going to get hurt.”
To see if your devices are vulnerable, you can test a proof-of-concept exploit that Dorsey created here.
The big takeaways for tech leaders:
- An attack called DNS rebinding allows a remote attacker to bypass a victim’s network firewall and use their web browser to control IoT devices on a private home or office network.
- Developers should build security into IoT devices from the start to prevent attacks.