By Ben Seri, VP of Research
- Recent reporting showed how DNS rebinding leaves IoT and unmanaged devices vulnerable to attacks in the home.
- Armis has identified that enterprises are even more exposed, as almost half a billion of these devices are used in the workplace (including IP phones, printers, networking equipment, and cameras).
- These devices put enterprises at risk for attacks, data exfiltration, and take-over for a Mirai-like attack.
Tip of the Iceberg
The reports over the last few weeks of the DNS Rebinding vulnerability impacting millions of IoT devices in the home was just the tip of the iceberg. Armis has found that the issue impacts hundreds of millions of IoT and other unmanaged devices used inside almost every enterprise. From smart TVs to printers, digital assistants to IP phones and more, the exposure leaves organizations vulnerable to compromise, data exfiltration, and to devices getting hijacked for another Mirai-like attack.
DNS Rebinding Attacks Explained
DNS rebinding takes advantage of a nearly decade-old flaw in web browsers that allows a remote attacker to bypass a victim’s network firewall and use their web browser as a proxy to communicate directly with vulnerable devices on the local network. An example of a vulnerable device is one that is running an unauthenticated protocol like Universal Plug and Play (UPnP) or HTTP (used on unencrypted web servers). These protocols are commonly used to host administrative consoles (for routers, printers, IP cameras) or to allow easy access to the device’s services (for example, streaming video players), and are pervasive in businesses.
Vulnerabilities Are Everywhere
The Armis research team found that large enterprises are very exposed to DNS rebinding attacks. In fact, the majority of manufacturers who make commonly used IoT devices within enterprise environments ship devices that are vulnerable to a DNS rebinding attack. Using data from Armis’ Device Knowledgebase, which includes over 5 million device behavior profiles, our researchers identified the devices, manufacturers, and estimated number of vulnerable devices worldwide in the enterprise – nearly half a billion devices (496 million by our count).
% of devices impacted by manufacturer and estimated global enterprise exposure
Breakdown of vulnerable device types within the Armis customer database
Enterprises Are At Risk
Because of the widespread use of the types of devices listed above within enterprises, Armis can say that nearly all enterprises are susceptible to DNS rebinding attacks.
Just this week, Cisco Systems is issuing software updates to tackle a high-risk vulnerability in several VoIP phone models. This vulnerability could allow a remote attacker to perform a command injection and execute commands with the privileges of the web server. This is the type of scenario that can be leveraged via a DNS Rebinding attack.
Printers were also identified in our research. Unfortunately, printers are one of the least managed, most poorly configured devices in the enterprise. Aside from adjusting basic network configurations, enterprises typically deploy printers with default settings, making them an ideal target for a DNS rebinding attack. Once compromised, printers can be a vector through which an attacker:
- Exfiltrates information by downloading documents scanned, stored, or cached on the printer
- Launches a larger attack within the enterprise, similar to how an attacker used a fish tank thermostat to exfiltrate 10 GB of data from a casino in North America to a remote server in Finland.
How It Works
For anybody who thinks IoT and unmanaged devices are safe because they sit behind a firewall, this is not the case. DNS rebinding manipulates the trust model between browsers and the outside world, effectively allowing a remote attacker to compromise IoT devices just as if the attacker were already on the internal network. Here’s how a DNS rebinding attack works:
Step 1: Leverage the user’s browser.
Step 2: Scan the local network to detect the presence of a particular type of device (e.g., one of the devices listed in the table above along with its IP address).
- Then, the browser sends the results back to the malicious website.
Again, since all of this activity appears to be normal end-user communication from the perspective of the firewall, it does not block any of the traffic.
Step 3: Access the IoT device
- The malicious website sends an appropriate set of commands to the end-user’s browser — for example, commands to log into the HTTP web server of a security camera on the internal network.
- Using DNS rebinding, the browser sends those commands directly to the IP address of the IoT device inside the private network.
The command that the browser sends can control the IoT device, compromise the device, or extract information such as unique identifiers and Wi-Fi access point SSIDs. Since all of this traffic is between the browser on the end-user’s laptop or desktop and the IoT device, the firewall never sees this traffic and thus, it can’t block any of it.
Manufacturers of IoT devices typically assume that other devices on the same network are trusted. Thus, the devices ship with open, unencrypted services like HTTP and trust the malicious commands executed by the local end-user’s browser in this phase of the attack.
Step 4: Establish an outbound connection to a C&C server, directly from the compromised IoT/unmanaged device.
The firewall typically considers outbound connections to be safe, so this connection is not scrutinized or blocked by the firewall in the same way that an inbound connection would be. The firewall is working exactly as it was designed, and exactly how it’s configured. Still, the attacker is now inside the network with a persistent presence.
What to do next
Short of redesigning how browsers and DNS servers work, there are some steps you can take to protect your organization from a DNS rebinding attack taking over IoT and unmanaged devices:
- The fastest and easiest solution is to begin monitoring all devices immediately – especially unmanaged devices – for signs of a breach. You probably have agents installed that monitor your managed computers, so your visibility gap is with your unmanaged or IoT devices. Platforms like Armis can detect when one of your IoT devices behaves oddly, which could indicate that it has been compromised, like in Step 2 or 4 of a DNS rebinding attack. (See graphics above.)
- Inventory all your IoT devices and identify which ones belong to different network segments so they can’t be discovered or compromised using a DNS rebinding attack. Not all devices can be moved to a different segment, but the more you can move, the better. Here again, Armis can help. It discovers and classifies every device in your enterprise environment, and tells you which network segment each device is on.
- Perform a risk analysis of each of your IoT devices. Some devices are riskier than others. Some devices have easily attackable interfaces such as HTTP servers, and some don’t. Rather than do this risk assessment manually, look for an automated way to assess all devices at once. Armis has a device knowledgebase which includes five million device behavior profiles. As Armis builds an inventory of devices in your environment, it computes a risk score for each device based on thirteen different criteria. That lets you prioritize your efforts to segment the devices, patch them, etc.
- Make your IoT devices less vulnerable, for example by disabling services you don’t need such as UPnP, changing the password to each device’s HTTP server, and updating device software whenever possible. However, doing so can be time-consuming, especially if you have 100 different types of IoT devices. That’s at least 100 different configurations to change and 100 different software updates to manually download and apply to each device.
1 Device manufacturers seen and analyzed by the Armis platform that make vulnerable device(s) in this category.
2 Conservative Armis estimates for the number of these devices in the enterprise today, based on a variety of publicly available market data sources.
3 Devices listed are described as follows, none of which have an onboard security agent:
- IP Phone – IP-based desk phones
- Printer – Corporate printers
- Network equipment – access points, routers, or switches
- IP Camera – Typically security cameras
- Streaming Media Player – Chromecast, FireTV, Apple TV, etc.
- Video conferencing – IP-based conference room phones and speakers
- Smart TV – Connected monitors often running apps
- Conference phone – IP-based conference room phones and speakers
- HVAC control – Smart / connected thermostats
- Peripherals – UPS, lab equipment, KVM
- Point of Sales – Sales terminals, could be iPads
- Smart speaker – Amazon Echo, Google Home, Sonos, etc.