DNS rebinding attack puts half a billion IoT devices at risk


Armis, an Internet of Things (IoT) security vendor and cyber-security firm, reports that about half a billion smart devices being used around the globe are vulnerable to a decade-old attack called DNS rebinding. It is the same firm that previously detected the presence of a BlueBorne vulnerability in the Bluetooth protocol.

The company published its research findings on 20 July, estimating that nearly 496 million IoT devices are vulnerable to DNS rebinding attacks. A majority of these devices are used by enterprises.

During the research, Armis assessed a wide range of enterprise devices to identify whether any of them carried a risk that could allow attackers to gain access to a local network by manipulating the operations of the Domain Name Service (DNS).

In a DNS rebinding attack, an attacker manages to expose a local private IP address and connect it to a public address. This way, the attacker can gain access to assets and resources that an organization does not allow public access to. The concerning aspect is that the attack can succeed even if not a single device on the organization's internal network is accessible from outside.

When an attacker manages to create a local, malicious DNS server and tricks a user into accessing that server, usually through a phishing attack, the attacker can use the victim’s web browser as a proxy. This also allows the attacker to connect to all the devices on the network. Simply by making protected devices accessible over the public internet, an attacker can gain access to other vulnerable assets and can easily compromise them.

To limit the risk of such an attack, device manufacturers need to enable high-security measures on every single server that is accessible, because it is not realistic to assume that these devices will be used on internal networks only. Moreover, organizations need to ensure that the devices are regularly updated and patched, even if they are being used on the company’s internal network only.

Another option is to use a DNS security proxy or third-party DNS service to prevent DNS rebinding attacks. But this is not very practical, because most enterprises prefer to use their own local DNS servers.
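The check that a rebinding-aware DNS proxy or resolver-log monitor applies can be sketched as follows. This is an added example, not code from Armis or the original article; the log format, the `INTERNAL_ZONES` allowlist and all names and addresses are constructed assumptions.

```python
import ipaddress

# Assumed, site-specific: zones that may legitimately resolve to internal IPs.
INTERNAL_ZONES = ("corp.example",)
# RFC 1918, loopback and link-local ranges (IPv4 only in this sketch).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed resolver log lines: "epoch client qname answer_ip ttl"
SAMPLE_LOG = """\
1532080000 10.0.4.17 www.example.org 93.184.216.34 3600
1532080010 10.0.4.17 printer.corp.example 10.0.9.20 300
1532080020 10.0.4.17 a1b2.rebind.example 203.0.113.50 1
1532080023 10.0.4.17 a1b2.rebind.example 192.168.1.1 1
1532080030 10.0.4.22 cdn.example.net 198.51.100.7 60
"""

def is_internal_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def in_internal_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in INTERNAL_ZONES)

def find_rebinding(log_text, window=60):
    """Return (qname, answer_ip, reason) for suspicious answers."""
    findings, last_external = [], {}  # qname -> time of last external answer
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, qname, ip = int(parts[0]), parts[2].rstrip(".").lower(), parts[3]
        if in_internal_zone(qname):
            continue  # internal names may point at internal hosts
        try:
            internal = is_internal_ip(ip)
        except ValueError:
            continue  # answer is not an IP address
        if not internal:
            last_external[qname] = ts
        elif qname in last_external and ts - last_external[qname] <= window:
            findings.append((qname, ip, "flipped external->internal"))
        else:
            findings.append((qname, ip, "external name, internal answer"))
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

A filtering proxy would drop the flagged answers instead of reporting them; the same test works in either position.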

“The fastest and easiest solution is to begin monitoring all devices immediately – especially unmanaged devices – for signs of a breach. You probably have agents installed that monitor your managed computers, so your visibility gap is with your unmanaged or IoT devices,” wrote Ben Seri of Armis.
