Thinking back to 2018, you may recall dozens of security headlines referring to this decade-old cyberattack known as DNS rebinding. Back in June, researcher and programmer Brannon Dorsey published his findings that described how common household IoT devices were found to all be vulnerable to DNS rebind attacks. Devices found to be vulnerable included the Google Home, Sonos WiFi Speakers, Roku, Radio Thermostats, and, you guessed it, wireless routers.
IoT devices in the enterprise and home found to be vulnerable to DNS rebind attacks
The news of these popular smart home devices being vulnerable to DNS rebinding shortly preceded findings by Armis, an enterprise IoT security company. Armis found that half a billion enterprise IoT devices were also exposed to this threat, further proving the severity of these attacks targeting both the enterprise and home networks.
Although many of these device manufacturers responded to the news by rolling out security patches, networks are still at risk of being exploited. These security patches most likely have to be manually applied, which is a difficult process for the end user, and one that they probably aren't even aware needs to happen. Other devices on the network could also still be vulnerable and the attacker may have already gained a foothold through a previous DNS rebind attack.
DNS rebind attacks have been prevalent for over a decade
DNS rebind attacks were first disclosed back in December 2007 by researchers at Stanford. In such an attack, the attacker is trying to attract users to their malicious website. The attack is carried out by malicious JavaScript code being executed in the user's browser once they reach the site. This allows the attacker to swap out its IP address with ones that are behind the user's firewall, thus gaining control of their devices and network.
Here's how the Minim platform protects against DNS rebind attacks
At Minim, we detect DNS rebind attacks against home networks and their connected devices. Back in October, Minim Engineer and security specialist Sam Stelfox shared a blog on how home networks are targeted by DNS rebinding. Here's Sam again, to talk about how Minim protects home networks from this threat:
DNS rebind attacks are usually intentionally transparent to the user as it is in an attacker's best interest to go undetected. From the network perspective though, these attacks are very visible and Minim-enabled routers are on the lookout for these types of attacks.
The most obvious signature that one of these attacks is occurring is when a public facing website returns a network address that isn't exposed to the public Internet. These private addresses are what devices on your home network use, and should only ever be used by other devices on your network— like when your Alexa or Google Home connects to your IoT light bulb to light up your living room.
The first step of our detection process is looking for these public responses containing private addresses. At this point, our cloud is notified of a potential DNS rebind attack. There are some legitimate, but rare, use cases for these responses however. So, at this stage, we can't be sure an attack is actually happening. We just start paying closer attention.
If the private address doesn't belong to a device on your network, then it won't be a security issue to you. However, it may provide us valuable details with how these types of attacks are being used on the Internet.
When the IP address does point at a device on your network, we watch for additional traffic between the device that received the response and the target. When a connection is made, depending on the target device, we can be fairly certain that an attack has taken place. At this point, we can now alert the user to the bad behavior.
At Minim, we are constantly improving our abilities to respond to both old and emerging threats that make home networks unsafe.
Interested in learning more about Minim?
