Hackers could use Web-based attacks to take over IoT devices

Security researchers have warned that hackers could create webpages that rapidly scan for home IoT devices and then take control of them.

According to a paper to be presented at the ACM SIGCOMM 2018 Workshop on IoT Security and Privacy in August, security researchers Frank Li of UC Berkeley, and Gunes Acar, Danny Yuxing Huang, Arvind Narayanan, and Nick Feamster of Princeton University, have discovered a faster way of mounting an old attack method, known as DNS rebinding.

A DNS rebinding attack happens when a user visits a webpage that contains a malicious script and remains on the page long enough for the script to be run in its entirety. Such attacks typically fail if a user navigates away before the attack has finished, as it takes a minute to run and most users visit webpages for less than 15 seconds.

However, the security researchers have developed a much faster version of this attack that only takes around ten seconds to discover and attack local IoT devices.

“Furthermore, our version assumes that the attacker has no prior knowledge of the targeted IoT device’s IP address,” added the researchers.

Malicious scripts

For this attack to work, a victim needs to visit a website that contains a malicious script while using their home network. The malicious JavaScript may be embedded by the website owner or served by an ad. The attack runs in two stages.

The first has a malicious script scanning local IP addresses. At the end of this stage, the attacker detects whether the victim has a particular device (e.g. Google Home or Chromecast), along with the IP address of the device. This takes about seven seconds.

The second stage sees the malicious script attempt to perform DNS rebinding using Jaqen for each identified device. Once the DNS rebinding is complete, the attacker can send commands to control the IoT device or extract personal information, such as unique identifiers and WiFi access point BSSIDs (which can be used to gather the precise geolocation of the user).

Researchers said that the attack is not limited to Google devices, as other devices could also be attacked in this way, including a smart switch, a smart TV, and two network cameras. The researchers disclosed the vulnerabilities to the respective vendors in April.

“We plan to publicly disclose the details of these vulnerabilities at the end of the standard 90-day vulnerability disclosure period,” said the researchers.

Internet of Business says

The researchers said that the problem can be mitigated in a number of ways. IoT manufacturers can validate the Host headers of incoming HTTP requests. DNS providers or ISPs can use dnswall or similar software to filter out private IP addresses from DNS replies.

Home users can use ad-blockers or tracking protection extensions to block malicious ads. “Also certain OpenWRT-based routers can filter private IP addresses in DNS replies,” said the security team.
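
The device-side and resolver-side mitigations described above, sketched as an added example (not code from the researchers' paper or from dnswall): a Host header allowlist and a filter that drops private addresses from DNS answers. The device name, addresses and port are constructed values for a hypothetical device.

```python
import ipaddress

# Constructed values for a hypothetical device; not taken from the paper.
DEVICE_NAMES = {"speaker.local"}
DEVICE_ADDRS = {ipaddress.ip_address("192.168.1.23")}


def split_host(header):
    """Return the host part of a Host header, without port or IPv6 brackets."""
    header = header.strip().lower()
    if header.startswith("["):  # bracketed IPv6 literal, e.g. [fe80::1]:8008
        return header[1:header.find("]")] if "]" in header else ""
    return header.rsplit(":", 1)[0] if ":" in header else header


def host_allowed(header):
    """Device side: accept only requests addressed to the device itself.

    After rebinding, the browser still sends the attacker's domain in Host,
    so a request that names anything else is rejected.
    """
    host = split_host(header or "").rstrip(".")
    if host in DEVICE_NAMES:
        return True
    try:
        return ipaddress.ip_address(host) in DEVICE_ADDRS
    except ValueError:
        return False


def filter_answers(answers):
    """Resolver side, in the spirit of dnswall: drop A/AAAA answers that
    point into private, loopback, link-local or unspecified space."""
    kept = []
    for text in answers:
        addr = ipaddress.ip_address(text)
        addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
        if (addr.is_private or addr.is_loopback
                or addr.is_link_local or addr.is_unspecified):
            continue
        kept.append(text)
    return kept


if __name__ == "__main__":
    for h in ("192.168.1.23:8008", "rebind.attacker.example:8008"):
        print(h, "->", "accept" if host_allowed(h) else "reject")
    print(filter_answers(["8.8.8.8", "192.168.1.23", "::ffff:10.0.0.5"]))
```
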

However, they warned that past attempts to mitigate DNS rebinding in the browser broke some Web services and led to new security vulnerabilities.

“We believe that a browser-based defence remains as an open research problem,” they said.