Half a billion smart devices vulnerable to decade-old DNS rebinding attacks

If you use “smart” connected devices at your home or office, then those Internet of Things (IoT) devices are at risk of an attack that is nearly ancient in tech-years, as it has been around since 2007.

Previously this year, it came to light that Google Home, Roku, Sonos, Chromecast, smart home Radio Thermostat CT50 & CT80 and all Blizzard games were vulnerable to DNS rebinding attacks. Now IoT security vendor Armis warns that nearly half a billion “smart” devices are vulnerable to the decade-old DNS rebinding attack vector.

The vulnerabilities are “everywhere.” Due to the wide variety of about 496 million vulnerable devices – printers, smart TVs, streaming media players and speakers, IP cameras, IP phones, switches, routers and access points – Armis warned that “nearly all enterprises are susceptible” to DNS rebinding attacks, which give remote attackers a way to get around firewalls and gain access to vulnerable devices on a local network – devices that were never meant to be accessed by the public.

Armis, which sounded the alarm about the BlueBorne attack vector last year, explained that DNS rebinding attacks allow remote attackers “to bypass a victim’s network firewall and use their web browser as a proxy to communicate directly with vulnerable devices on the local network.” After an attacker creates a DNS server for a malicious domain and a victim is tricked into surfing to the site, or is exposed to a malicious ad banner on a legitimate site, the attacker can use the victim’s browser as a proxy to connect to internal network devices.

Vulnerable IoT devices

According to Armis, most manufacturers of IoT devices commonly used in enterprise ship devices that are vulnerable to the DNS rebinding attacks, which were first discovered 11 years ago. The vulnerable devices put enterprises “at risk for attacks, data exfiltration, and take-over for a Mirai-like attack.”

Armis said 165 million printers, or 66 percent, are vulnerable to DNS rebinding attacks. The company named Hewlett Packard, Epson, Konica, Lexmark, and Xerox as examples of representative manufacturers shipping vulnerable printers.

In addition, 160 million, or 75 percent, of IP cameras by manufacturers such as Axis Communications, GoPro, Sony, and Vivotek are vulnerable.

The firm identified that 124 million, or 77 percent, of IP phones are vulnerable; manufacturers include Avaya, Cisco, Dell, NEC, and Polycom.

About 28 million, or 57 percent, of smart TVs – Roku-integrated, Samsung, and Vizio – are vulnerable.

Looking at networking equipment, 14 million, or 87 percent, of switches, routers and access points are vulnerable; manufacturers include Cisco, Netgear, Extreme, Aruba, and Avaya.

And 5.1 million, or 78 percent, of streaming media players and smart speakers by Apple, Google, Roku, and Sonos are vulnerable.

Armis explained, “An example of a vulnerable device is one that is running an unauthenticated protocol like Universal Plug and Play (UPnP) or HTTP (used on unencrypted web servers). These protocols are commonly used to host administrative consoles (for routers, printers, IP cameras) or to allow easy access to the device’s services (for example, streaming video players), and are pervasive in businesses.”

One mitigation approach is to disable services such as UPnP, which are not needed, change device passwords, and keep firmware updated. If you have hundreds of devices, that could be a time-consuming nightmare. The fastest suggested approach is to monitor the devices for signs of breach; Armis has such a monitoring platform.