The reports over the last few weeks of the DNS rebinding vulnerability impacting millions of IoT devices in the home were just the tip of the iceberg. Armis has found that the issue impacts hundreds of millions of IoT and other unmanaged devices used inside almost every enterprise. From smart TVs to printers, digital assistants to IP phones and more, the exposure leaves organizations vulnerable to compromise, data exfiltration, and to devices getting hijacked for another Mirai-like attack.
DNS rebinding takes advantage of a nearly decade-old flaw in web browsers that allows a remote attacker to bypass a victim’s network firewall and use their web browser as a proxy to communicate directly with vulnerable devices on the local network. An example of a vulnerable device is one that is running an unauthenticated protocol like Universal Plug and Play (UPnP) or HTTP (used on unencrypted web servers). These protocols are commonly used to host administrative consoles (for routers, printers, IP cameras) or to allow easy access to the device’s services (for example, streaming video players), and are pervasive in businesses.
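The attack only works if the victim's resolver is willing to hand a browser an answer that points a public hostname at an address inside the LAN. The standard counter-measure at the network layer is "rebind protection" in the DNS forwarder (dnsmasq's --stop-dns-rebind option is one real implementation): answers for external names that carry private, loopback or link-local addresses are dropped before they reach the client. The following is an added example of that filter, not code from Armis or from any DNS product; the local zone corp.example, the name rb.attacker.example and the answer set are constructed.

```python
import ipaddress

# Address ranges that a name served from the public Internet should never
# legitimately resolve to: "this network", RFC 1918 private space, CGNAT,
# loopback, link-local, and the IPv6 unique-local and link-local ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(rdata: str) -> bool:
    """True if the address lies in one of the ranges above.

    IPv4-mapped IPv6 answers (::ffff:192.168.1.20) are unwrapped first so
    they cannot be used to slip a private IPv4 address past the check.
    """
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address (e.g. a CNAME target); leave it alone
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)


def in_local_zone(qname: str, local_zones) -> bool:
    """Names under the organization's own zones may legitimately map to
    internal addresses (split-horizon DNS), so they are exempt."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in local_zones)


def filter_answers(qname, answers, local_zones=("corp.example",)):
    """Split a resolver's answer set into (kept, dropped).

    `answers` is a list of (rtype, rdata, ttl) tuples as a forwarder would
    see them coming back from an upstream server. A/AAAA records pointing
    into internal address space are dropped unless the queried name lives
    in one of the organization's own zones.
    """
    if in_local_zone(qname, local_zones):
        return list(answers), []
    kept, dropped = [], []
    for rtype, rdata, ttl in answers:
        if rtype in ("A", "AAAA") and is_internal(rdata):
            dropped.append((rtype, rdata, ttl))
        else:
            kept.append((rtype, rdata, ttl))
    return kept, dropped


if __name__ == "__main__":
    # Constructed example: an external name whose answer set mixes a public
    # address with addresses inside the LAN (one of them IPv4-mapped).
    kept, dropped = filter_answers("rb.attacker.example", [
        ("A", "203.0.113.10", 1),
        ("A", "192.168.1.20", 1),
        ("AAAA", "::ffff:192.168.1.20", 1),
    ])
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The local-zone exemption matters in practice: without it, the filter would also break every internal name that an enterprise's split-horizon DNS resolves to a private address, which is why real implementations take an allow-list of domains alongside the blocking rule.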
The Armis research team found that large enterprises are very exposed to DNS rebinding attacks. In fact, the majority of manufacturers who make commonly used IoT devices within enterprise environments ship devices that are vulnerable to a DNS rebinding attack. Using data from Armis’ Device Knowledgebase, which includes over 5 million device behavior profiles, our researchers identified the devices, manufacturers, and estimated number of vulnerable devices worldwide in the enterprise – nearly half a billion devices (496 million by our count).
[Table, not reproduced here: % of devices impacted by manufacturer and estimated global enterprise exposure]
[Table, not reproduced here: Breakdown of vulnerable device types within the Armis customer database]
Because of the widespread use of the types of devices listed above within enterprises, Armis can say that nearly all enterprises are susceptible to DNS rebinding attacks.
Just this week, Cisco Systems is issuing software updates to tackle a high-risk vulnerability in several VoIP phone models. This vulnerability could allow a remote attacker to perform a command injection and execute commands with the privileges of the web server. This is the type of scenario that can be leveraged via a DNS Rebinding attack.
Printers were also identified in our research. Unfortunately, printers are one of the least managed, most poorly configured devices in the enterprise. Aside from adjusting basic network configurations, enterprises typically deploy printers with default settings, making them an ideal target for a DNS rebinding attack. Once compromised, printers can be a vector through which an attacker:
For anybody who thinks IoT and unmanaged devices are safe because they sit behind a firewall, this is not the case. DNS rebinding manipulates the trust model between browsers and the outside world, effectively allowing a remote attacker to compromise IoT devices just as if the attacker were already on the internal network. Here’s how a DNS rebinding attack works:
Step 2: Scan the local network to detect the presence of a particular type of device (e.g., one of the devices listed in the table above along with its IP address).
Again, since all of this activity appears to be normal end-user communication from the perspective of the firewall, it does not block any of the traffic.
Step 3: Access the IoT device
Using DNS rebinding, the browser sends those commands directly to the IP address of the IoT device inside the private network.
The command that the browser sends can control the IoT device, compromise the device, or extract information such as unique identifiers and Wi-Fi access point SSIDs. Since all of this traffic is between the browser on the end-user’s laptop or desktop and the IoT device, the firewall never sees this traffic and thus can’t block any of it.
Manufacturers of IoT devices typically assume that other devices on the same network are trusted. Thus, the devices ship with open, unencrypted services like HTTP and trust the malicious commands executed by the local end-user’s browser in this phase of the attack.
Step 4: Establish an outbound connection to a C&C server, directly from the compromised IoT/unmanaged device.
The firewall typically considers outbound connections to be safe, so this connection is not scrutinized or blocked by the firewall in the same way that an inbound connection would be. The firewall is working exactly as it was designed, and exactly how it’s configured. Still, the attacker is now inside the network with a persistent presence.
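Step 3 succeeds because the device's web service answers any request that reaches it over the LAN, regardless of which hostname the browser believes it is talking to. A browser driven by DNS rebinding still sends the attacker's domain in the HTTP Host header, so a device (or any internal admin console) that only answers requests addressed to its own IP address or its configured name refuses the rebound request even though it arrived from a trusted internal client. The following is an added example of that check, not code from the original post or from any device vendor; the device addresses, the name printer.local and the 127.0.0.1 entry (included only so the stand-alone demo can be reached locally) are constructed.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed configuration for a hypothetical device: the addresses it is
# reachable on and the names an administrator has configured for it.
DEVICE_ADDRESSES = ("192.168.1.20", "fe80::1", "127.0.0.1")
DEVICE_NAMES = ("printer.local",)


def split_host_port(host_header: str):
    """Split a Host header value into (host, port) without resolving it.

    Handles "name", "name:port", "[v6addr]" and "[v6addr]:port" and
    returns (None, None) for anything malformed.
    """
    value = host_header.strip()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            return None, None
        port = rest[1:]
    else:
        host, sep, port = value.partition(":")
        if not sep:
            return host, None
    if not port.isdigit() or not 0 < int(port) <= 65535:
        return None, None
    return host, int(port)


def canonical(host: str) -> str:
    """Normalize for comparison: IP literals to their compressed form,
    names to lower case without a trailing dot."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.rstrip(".").lower()


def host_header_allowed(host_header, addresses=DEVICE_ADDRESSES, names=DEVICE_NAMES):
    """True only if the client addressed the device by one of its own
    addresses or configured names. Under DNS rebinding the Host header
    carries the attacker's domain, so such requests are refused here."""
    host, _port = split_host_port(host_header or "")
    if not host:
        return False
    allowed = {canonical(x) for x in (*addresses, *names)}
    return canonical(host) in allowed


class DeviceConsole(BaseHTTPRequestHandler):
    """Minimal admin console that validates Host before doing anything else."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: this server is not the one named.
            self.send_error(421, "Misdirected Request")
            return
        body = b"device status: ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # curl -H 'Host: rb.attacker.example' http://127.0.0.1:8080/ is refused;
    # curl http://127.0.0.1:8080/ (Host: 127.0.0.1:8080) is served.
    HTTPServer(("127.0.0.1", 8080), DeviceConsole).serve_forever()
```

The check is deliberately done before authentication or routing: a rebound request that fails it never reaches the administrative endpoints that step 3 abuses, and the refusal costs nothing for legitimate clients, which always address the device by its real name or IP.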
Short of redesigning how browsers and DNS servers work, there are some steps you can take to protect your organization from a DNS rebinding attack taking over IoT and unmanaged devices:
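One step that needs no change to browsers or devices is to watch the enterprise's own resolver logs. A rebinding attack leaves a recognizable trace there: a name outside the organization's zones first resolves to an external address and then, shortly afterwards and with a very short TTL (the attacker needs the browser to re-resolve quickly), to an address inside the private network. The following added example runs that heuristic over constructed log lines in a hypothetical space-separated "timestamp client qname type answer ttl" format; it is not Armis's code, and the 60-second TTL threshold and 10-minute correlation window are assumptions to be tuned. It is one signal, not proof: some rebinding variants avoid short TTLs, so the alert is best treated as a lead for the IoT-inventory and segmentation work the rest of this post describes.

```python
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "ts client qname rtype rdata ttl")
Seen = namedtuple("Seen", "ts rdata internal")

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if the answer points into private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)


# Constructed resolver log (not real data). Fields: epoch seconds, client IP,
# queried name, record type, answer, TTL. The rb.attacker.example entries
# show the public-then-internal flip; cdn.example only moves between public
# addresses and printer.corp.example is a legitimate internal name.
SAMPLE_LOG = """\
1530000000 10.0.0.5 cdn.example A 198.51.100.7 300
1530000010 10.0.0.5 rb.attacker.example A 203.0.113.10 1
1530000012 10.0.0.5 printer.corp.example A 192.168.1.20 3600
1530000040 10.0.0.5 cdn.example A 198.51.100.8 300
1530000041 10.0.0.5 rb.attacker.example A 192.168.1.20 1
1530000100 10.0.0.9 printer.corp.example A 192.168.1.20 3600
1530000200 10.0.0.9 www.example MX mail.example 300
"""


def parse_line(line: str) -> Record:
    ts, client, qname, rtype, rdata, ttl = line.split()
    return Record(int(ts), client, qname.rstrip(".").lower(), rtype, rdata, int(ttl))


def find_rebinds(lines, max_ttl=60, window=600):
    """Flag (client, name) pairs whose answer moved from a public to an
    internal address within `window` seconds, where the rebinding answer
    carried a TTL of at most `max_ttl` seconds."""
    last = {}      # (client, qname) -> Seen, the most recent address answer
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.rtype not in ("A", "AAAA"):
            continue
        key = (rec.client, rec.qname)
        internal = is_internal(rec.rdata)
        prev = last.get(key)
        if (prev is not None and not prev.internal and internal
                and rec.ttl <= max_ttl and rec.ts - prev.ts <= window):
            alerts.append({
                "client": rec.client, "qname": rec.qname,
                "from": prev.rdata, "to": rec.rdata,
                "seconds_apart": rec.ts - prev.ts,
            })
        last[key] = Seen(rec.ts, rec.rdata, internal)
    return alerts


if __name__ == "__main__":
    for alert in find_rebinds(SAMPLE_LOG.splitlines()):
        print("possible DNS rebinding:", alert)
```

Keying the state on (client, name) rather than on the name alone is deliberate: the flip is only meaningful for the same client that received the public answer a moment earlier, which also tells the responder which end-user machine's browser was used as the proxy.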