DNS rebinding is a little-known technique that has become an increasingly popular exploit. It can turn a victim’s browser into a proxy for attackers, who change the IP address associated with a domain name after the browser has already used it. It gives attackers a way to operate behind a network firewall or DHCP server without any restrictions, and users could inadvertently load malware because they think they are browsing a safe website when they aren’t.
Back when the web was relatively new, engineers decided to create what is called the same origin policy. This means that when your browser requests a page on a particular website, only resources that are located on that domain can be served back. That sounds good, until you bring DNS into the picture. DNS is the mapping between IP address numbers and the familiar domain names that we usually type into our browsers. The same origin policy was set up for these names, not for IP addresses. What if you could fool the browser into thinking that a malicious website was still the same domain when the name now pointed at a different IP address, because a faulty (or attacker-controlled) DNS server changed its answer? That is at the heart of DNS rebinding.
So who should worry? Virtually every model of Google Home, Chromecast, Sonos Wi-Fi speakers, Roku streaming devices, and some smart thermostats are vulnerable to this attack, and you could imagine numerous other IoT devices as well. This is a big deal. The attack isn’t so simple to implement, but it can be done and will become more popular.
This article from Craig Young at Tripwire explains how the attack works in theory. He says, “As of now, IoT attack campaigns have been quite successful attacking only publicly exposed devices, but it is only a matter of time before there is too much competition for this low-hanging fruit. Botnet operators will then seek out better techniques for reaching valuable targets on private corporate and home networks.” Young was the source of Brian Krebs’ story that I cited on Tuesday.
The technique has been around for a decade, but you probably haven’t heard of it (see one completely unscientific sample in the screenshot below). And more recently, a series of attacks have used it against targets such as Blizzard’s video games, the Transmission torrent client, and several Ethereum cryptocurrency wallets.
Both Dorsey and Young have been in touch with the major IoT device vendors, who say they are working on fixes. But what can you do to protect yourself in the meantime? First, reconfigure your home router with a better DNS source, such as OpenDNS or the Cloudflare 1.1.1.1 server. And make sure your browsers are at their most recent patch levels. If you are a developer, add host header validation to your web server. Finally, both Dorsey’s and Young’s posts have links to various testing tools that can be used to test your code for the vulnerability, along with Tavis Ormandy’s Simple DNS Rebinding Service.
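As an added example (not code from this post, from the vendors, or from the tools it links), here is what the two defenses above look like in Python: the host header validation recommended for developers, and the resolver-side check that a rebinding-aware DNS service performs. The hostnames, addresses and zone suffixes are constructed values for the example.

```python
"""Two DNS rebinding defenses on constructed input (added example):
Host header validation for a device web server, and a resolver-side
filter that refuses to map a public name to a private address."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names under which this hypothetical device expects to be reached.
ALLOWED_HOSTS = {"thermostat.local", "192.168.1.20"}
# Zone suffixes that may legitimately resolve to private addresses.
INTERNAL_ZONES = (".local", ".home.arpa")

def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names this server. After a rebind the
    browser reaches the device's IP but still sends the attacker's domain
    in Host, so a strict allow-list stops the request. Port is ignored."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal
        host = host[1:host.find("]")]
    elif host.count(":") == 1:                # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host in allowed

def rebinding_safe_answer(qname, answer_ip, zones=INTERNAL_ZONES):
    """True if a resolver may hand answer_ip to a client for qname. A public
    name resolving to a private, loopback or link-local address is the
    signature of a rebind, so only internal-zone names get such answers."""
    ip = ipaddress.ip_address(answer_ip)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return qname.lower().rstrip(".").endswith(zones)
    return True

class DeviceHandler(BaseHTTPRequestHandler):
    """Minimal device endpoint that applies the Host check to every GET."""
    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            self.send_error(400, "Bad Host header")  # request likely came via rebinding
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"device status: ok\n")

if __name__ == "__main__":  # bind to loopback so the handler can be tried locally
    HTTPServer(("127.0.0.1", 8080), DeviceHandler).serve_forever()
```

The Host check is the one a device vendor can ship today; the resolver check is what the "better DNS source" advice buys you at the network edge.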