In 2008, a presentation at the RSA conference revealed the existence of "DNS rebinding attacks," which used relatively simple tactics to compromise browsers; a decade later, Berkeley and Princeton researchers announced a paper on DNS rebinding attacks against consumer devices (to be presented at August's ACM SIGCOMM 2018 Workshop on IoT Security and Privacy), while independent researcher Brannon Dorsey published similar work.
Both the ACM paper and Dorsey's paper are at pains to point out that they investigated only a small minority of IoT vendors, and that there were probably a lot more products vulnerable to this decade-old attack.
They were right.
A new paper from Armis security reveals another half-billion IoT devices in corporate environments that can be taken over with DNS rebinding attacks: "87 percent of switches, routers and access points; 78 percent of streaming media players and speakers; 77 percent of IP phones; 75 percent of IP cameras; 66 percent of printers; and 57 percent of smart TVs."
Just a reminder: this is all ten years after DNS rebinding came to light.
1. The fastest and easiest solution is to begin monitoring all devices immediately – especially unmanaged devices – for signs of a breach. You probably have agents installed that monitor your managed computers, so your visibility gap is with your unmanaged or IoT devices. Platforms like Armis can detect when one of your IoT devices behaves oddly, which could indicate that it has been compromised, like in Step 2 or 4 of a DNS rebinding attack. (See graphics above.)
2. Inventory all your IoT devices and identify which ones belong to different network segments so they can’t be discovered or compromised using a DNS rebinding attack. Not all devices can be moved to a different segment, but the more you can move, the better. Here again, Armis can help. It discovers and classifies every device in your enterprise environment, and tells you which network segment each device is on.
3. Perform a risk analysis of each of your IoT devices. Some devices are riskier than others. Some devices have easily attackable interfaces such as HTTP servers, and some don’t. Rather than do this risk assessment manually, look for an automated way to assess all devices at once. Armis has a device knowledgebase which includes five million device behavior profiles. As Armis builds an inventory of devices in your environment, it computes a risk score for each device based on thirteen different criteria. That lets you prioritize your efforts to segment the devices, patch them, etc.
4. Make your IoT devices less vulnerable, for example by disabling services you don’t need such as UPnP, changing the password to each device’s HTTP server, and updating device software whenever possible. However, doing so can be time-consuming, especially if you have 100 different types of IoT devices. That’s at least 100 different configurations to change and 100 different software updates to manually download and apply to each device.
DNS Rebinding Exposes Half a Billion Devices in the Enterprise [Ben Seri/Armis]
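
An added example (not from Armis or the papers above) of the monitoring in item 1, done from resolver logs: an external name that answers with an internal address, especially right after a public answer, is the DNS-level trace of rebinding. The log record layout, the `.corp.example` allowlist and the 60-second window are assumptions.

```python
import ipaddress

# Constructed sample resolver log: (epoch s, client, qname, answer IP, TTL).
SAMPLE_LOG = [
    (1000, "10.0.5.23", "cdn.example.net", "198.51.100.7", 300),
    (1001, "10.0.5.23", "a1b2.rebind.example", "203.0.113.10", 1),
    (1004, "10.0.5.23", "a1b2.rebind.example", "192.168.1.1", 1),
    (1010, "10.0.5.40", "printer.corp.example", "10.0.9.15", 3600),
    (1020, "10.0.5.41", "static.example.org", "127.0.0.1", 60),
]

# Assumption: zones that legitimately answer with internal addresses.
INTERNAL_SUFFIXES = (".corp.example",)

# RFC 1918, loopback and link-local ranges, plus IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(records, window=60, internal_suffixes=INTERNAL_SUFFIXES):
    """Return findings for external names answered with internal addresses."""
    last_public = {}  # (client, qname) -> time of the last public answer
    findings = []
    for ts, client, qname, ip, ttl in sorted(records):
        name = qname.lower().rstrip(".")
        if name.endswith(internal_suffixes):
            continue  # expected internal zone, not a rebinding candidate
        key = (client, name)
        if not is_internal(ip):
            last_public[key] = ts
            continue
        # Internal answer for an external name: was it public moments ago?
        seen = last_public.get(key)
        flipped = seen is not None and ts - seen <= window
        kind = "public-to-internal flip" if flipped else "internal answer"
        findings.append({"client": client, "qname": name, "answer": ip,
                         "ttl": ttl, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

The same rule can be enforced rather than only logged: a resolver that drops internal-address answers for external names removes the rebinding step altogether.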