Headline
CVE-2018-11314: Millions of Google, Roku, and Sonos Devices Are Vulnerable to a Web Attack
The External Control API in Roku and Roku TV products allow unauthorized access via a DNS Rebind attack. This can result in remote device control and privileged device and network information to be exfiltrated by an attacker.
In March, artist and programmer Brannon Dorsey became interested in a retro web attack called DNS rebinding, teaching himself how to illicitly access controls and data by exploiting known browser weaknesses. It’s a vulnerability that researchers have poked at on and off for years—which is one reason Dorsey couldn’t believe what he found.
Sitting in his Chicago apartment, two blocks from Lake Michigan, Dorsey did what anyone with a newfound hacking skill would: He tried to attack devices he owned. Instead of being blocked at every turn, though, Dorsey quickly discovered that the media streaming and smart home gadgets he used every day were vulnerable to varying degrees to DNS rebinding attacks. He could gather all sorts of data from them that he never would have expected.
“I’m technical, but I’m not an information security professional,” Dorsey says. “I didn’t reverse any binaries or do any intense digging. I just followed my curiosities and suddenly I found some sketchy shit. I was just sitting there thinking 'I cannot be the only person in the world who is seeing this.’”
Between his own gadgets and borrowing others from friends, Dorsey found DNS rebinding vulnerabilities in virtually every model of Google Home, Chromecast, Sonos Wi-Fi speakers, Roku streaming devices, and some smart thermostats. Dorsey’s experimental attacks, which he outlined in research published Tuesday, didn’t give him full keys to the kingdom, but in each case he could gain more control and extract more data than he should have been able to.
For example, on Roku devices running Roku OS 8.0 or lower, Dorsey found that an attacker could use the streamer’s External Control API to control buttons and key presses on the device, access the inputs for device sensors like the accelerometer, gyroscope, and magnetometer, search content on the device, and even launch apps. On Sonos Wi-Fi speakers, an attacker could access extensive information about the Wi-Fi network a speaker is connected to, useful for mapping out network attributes and broader recon. And by attacking the public API in Google’s connected devices, an hacker could trigger Google Home and Chromecast restarts at will. That result in essentially a denial of service attack, keeping users from being able to interact with their device, or sending it offline at strategic times. Attackers could also get Google Home and Chromecast to cough up information about the Wi-Fi network they are connected to, and triangulate it with the list of nearby Wi-Fi networks to accurately geolocate the devices.
In a DNS rebinding attack, a hacker capitalizes on weaknesses in how browsers implement web protocols. They craft malicious websites that can game the trust protections meant to block unauthorized communication between web services. From there, an attacker uses methods like phishing or malvertising to trick victims into clicking a link to their site, and then moves to illicitly access whatever controls and data are exposed on their device or network. One wrong click or tap and and attacker could take over your smart device.
Though DNS rebinding stems from some fundamental issues with how browsers mediate trust relationships online, sites and services can also limit their exposures using relatively simple mechanisms like authentication protections or HTTPS encrypted connections. This may be why this class of attacks hasn’t generated sustained interest or concern among security professionals.
But over past seven months, there has been a growing understanding in the security community that DNS rebinding bugs may represent a much larger group of vulnerabilities than people have previously acknowledged. Google Project Zero researcher Tavis Ormandy recently found DNS rebinding vulnerabilities in the Transmission BitTorrent client and the update mechanism for Blizzard video games, and researchers have also discovered the bugs in various Ethereum wallets—potentially exposing people’s cryptocurrency.
DNS rebinding bugs have a “history of being dismissed by developers, and many times it is left as an unaddressed issue,” Ariel Zelivansky, a researcher at the security firm Twistlock, wrote in a prescient February warning about the rise of DNS rebinding vulnerabilities.
In the months that Dorsey was looking into the topic, another researcher from the security firm Tripwire, Craig Young, also discovered the bug in Google Home and Chromecast, and published his findings on Monday.
One root cause of these vulnerabilities is that devices on the same Wi-Fi network generally trust each other, since they’ve all been admitted to the same club. But this assumption can lead to accidental exposures. Communication channels meant for use by other devices on a network can potentially also be maliciously accessed by remote websites with just a small amount of manipulation. Many of the bugs Dorsey found could be solved by adding basic authentication mechanisms to device APIs.
“This reflects an issue in a fundamental feature of the internet as it’s been designed,” says Joseph Pantoga, a research scientist at the internet of things security firm Red Balloon. “DNS rebinding attacks have been brought up many times in the past, but new features in Internet of Things devices including geolocation and collection of personal data make it something people should really be aware of. The problem is exacerbated by IoT devices having APIs intended for communication with other, unauthenticated devices on the network.”
Google, Roku, and Sonos have all patched or are in the process of patching their device operating systems to plug the vulnerabilities Dorsey described. “After recently becoming aware of the DNS Rebinding issue, we created a software patch which is now rolling out to customers," a Roku spokesperson told WIRED. Sonos similarly added that, "Upon learning about the DNS Rebinding Attack, we immediately began work on a fix that will roll out in a July software update.” Google said in a statement that, “We’re aware of the report and will be rolling out a fix in the coming weeks.”
Despite the positive response, experts note that lack of awareness about avoiding these bugs in the first place has led to a situation in which millions and millions of devices are known to be vulnerable to some degree, with millions more likely vulnerable as well. Dorsey says that he hopes his research raises awareness about the ubiquity of the problem. “DNS rebinding has become the elephant in the room,” he says. “A ton of things are vulnerable to it and it’s become a systemic problem. So ultimately approaching vendors one at a time isn’t going to solve it. The whole industry needs to know to check for this and fix it.”
More Great WIRED Stories
- The hustlers fueling cryptocurrency’s marketing machine
- This elite Microsoft hacker team keeps Windows PCs safe
- The brilliant vigilance of Seattle’s gargantuan new tunnel
- A new era of Frankensoftware is upon us
- PHOTO ESSAY: Inside the Arctic Circle, golden hour has nothing on golden day
- Get even more of our inside scoops with our weekly Backchannel newsletter