It all started when programmer and artist Brannon Dorsey spent some of his free time on a retro web attack known as DNS rebinding. In his Chicago apartment, Dorsey taught himself how to exploit browser vulnerabilities and illegally access data and controls.
While online security experts have been poking at this type of security weakness for years, Dorsey was surprised at his findings and did what any amateur hacker would have done: attacked his own gadgets.
His experiment proved to be successful as Dorsey was able to gather data from his streaming devices and smart home gadgets with ease.
Dorsey admitted that while he was a technical person, he wasn’t exactly an information security professional.
He added that he just followed his curiosities and discovered the vulnerabilities, thinking, “I cannot be the only person in the world who is seeing this.”
He continued with his experiment on gadgets he borrowed from friends and discovered the DNS rebinding bug in almost all models of Google Home, Chromecast, Sonos speakers, Roku streaming devices, and several smart home thermostats.
While Dorsey’s trial attacks didn’t give him complete access to all of the data on the systems he infiltrated, he could still extract data from and gain control of the devices he tried to hack.
Millions of our everyday mobile devices are susceptible to a retro cyber attack
On Roku devices that had the 8.0 OS or older, Dorsey saw that an attacker could use the device’s external control API to manipulate buttons on the device, search content on the device, launch apps, and other functions.
On Sonos speakers, hackers could potentially access information on the Wi-Fi network the speaker is connected to, attaining network data and more.
On Google Chromecast and Google Home, hackers could apply system restarts on command, crippling them from functioning correctly. They could also steal Wi-Fi network information and hypothetically trace the devices’ locations.
During DNS rebinding attacks, hackers target vulnerabilities found on a browser’s web protocols. Through fraudulent websites they created, they can bypass trusts protections meant to block unauthorised actions from the network.
One wrong move from an unknowing user could lead to them unsuspectingly yielding control and access to their mobile device.
While this might seem like another full-blown tech nightmare, simple fixes like HTTPS connections or authentication protections could prevent possible hackings. This might also be why this type of cyber attack hasn’t gained much traction among hackers or security experts.
This does not mean that we shouldn’t pay attention as Google researchers have noticed similar vulnerabilities in Ethereum cryptocurrency accounts, Blizzard video games, and the Transmission BitTorrent client program.
Roku, Sonos, and Google have released or are currently working on patches that would make their devices safer to use.
Although this might be a bit of good news, experts still believe that they might not be enough as consumer awareness of the issue should be prioritised as well. Dorsey hopes that his research can aid in raising awareness about DNS Rebinding.
“DNS rebinding has become the elephant in the room… A ton of things are vulnerable to it and it’s become a systemic problem. So ultimately approaching vendors one at a time isn’t going to solve it. The whole industry needs to know to check for this and fix it,” Dorsey concluded.
While new online threats might seem to pop up every other week, Trend Micro Home Network Security can help you combat them. It provides protection for your connected home and smart devices, while also allowing you to manage and control your family’s devices from your mobile device.