Armis Security, the firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol in 2017, released a blog post analyzing IoT device susceptibility to DNS rebinding attacks. The bad news: nearly half a billion devices are vulnerable. Worse: patches are unlikely to be developed. Worse still: most of these IoT devices are treated like appliances and aren’t touched until they fail.
What is a DNS rebinding attack?
A DNS rebinding attack occurs when an attacker manipulates the DNS trust model to their advantage. When a user visits a website under the attacker’s control (usually through phishing emails or instant messages), the user’s browser is fed malicious code. This code issues HTTP requests that, manipulated through DNS rebinding, direct queries to addresses on the user’s local network. The attacker can use the victim’s browser as a proxy to communicate with the private network, enumerate devices and send commands.
IoT devices see commands coming from the victim’s computer on the local network and will allow access to management pages. The attacker gains access to these devices by using default passwords and exploiting vulnerabilities in software. Once the attacker has control of the device they can initiate connections outside the network, bypassing NAT and common firewall security measures. These compromised devices can be used to attack laterally on the network.
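The attack above only works if a public hostname is allowed to resolve to an address inside the victim's network, so one defensive control is a resolver or DNS forwarder that refuses such answers for names that do not belong to a known internal zone (the idea behind options like dnsmasq's `--stop-dns-rebind`). The following is an added example, not Armis' code or part of the original post; the zone names, the sample lookups and 8.8.8.8 as a stand-in public address are all constructed.

```python
from ipaddress import ip_address, IPv6Address

# Zones that legitimately resolve to internal addresses (assumption: the site runs
# its own DNS for them). Any other name is treated as public.
INTERNAL_ZONES = ("corp.example.", "lan.")


def is_internal_name(qname: str) -> bool:
    """True if qname is in, or below, one of the allowed internal zones."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def is_non_public(address: str) -> bool:
    """True for anything not globally routable: RFC 1918, loopback, link-local,
    0.0.0.0, CGNAT, multicast, reserved, IPv6 ULA and IPv4-mapped IPv6 forms."""
    try:
        addr = ip_address(address)
    except ValueError:
        return True                      # unparseable answer: drop it too
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return not addr.is_global or addr.is_multicast or addr.is_reserved


def filter_answers(qname: str, answers) -> tuple:
    """Split an answer set into (kept, dropped).

    Public names keep only public addresses; names under INTERNAL_ZONES pass
    through untouched. A rebinding attacker serves a public address first and an
    internal one once the TTL expires, so each record is judged on its own."""
    if is_internal_name(qname):
        return list(answers), []
    kept, dropped = [], []
    for a in answers:
        (dropped if is_non_public(a) else kept).append(a)
    return kept, dropped


if __name__ == "__main__":
    # Constructed lookups; 8.8.8.8 stands in for any public address, the second
    # lookup is the "rebind" of the attacker's name to a camera on the LAN.
    for name, rrset in [("attacker.example", ["8.8.8.8"]),
                        ("attacker.example", ["192.168.1.44"]),
                        ("attacker.example", ["::ffff:192.168.1.44", "0.0.0.0", "8.8.8.8"]),
                        ("nvr.corp.example", ["10.20.0.5"])]:
        kept, dropped = filter_answers(name, rrset)
        print(f"{name:18} kept={kept} dropped={dropped}")
```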
Armis has a great, short video on YouTube explaining the flow of the attack.
An attacker got into my IP camera… so what?
With a foothold on the network and persistence established in multiple locations, the attacker can do just about anything they want on the network. IoT devices are treated like appliances but are actually low-power Linux boxes attached to cameras, microphones, door locks, kitchen appliances… and your network. The same network that hosts your file server with your engineering files and financial data.
A short list of possibilities:
- Add members to a botnet. Your dozens of IoT devices may have low power but can still push packets out and amplification attacks help them punch above their weight as part of a DDoS attack.
- Hijack devices to perform reconnaissance. Security cameras and smart locks are designed to make you more secure but can only do so when under your control. An attacker could hijack security feeds to establish employee patterns and support more damaging attacks. For example, consider this: when does your company take deposits to the bank? When does the IT staff knock off for a long weekend? Can your PTZ camera zoom close enough to see access codes entered into a keypad?
- Pivot to other network devices. A compromised device on the network can be used to attack servers that are protected from internet traffic. Yes, access to that crusty Accounting Department box running Server 2003 is forbidden from the internet but what about the SMB shares for reports?
That’s bad but I would literally die without my IoT. What do I do?
There are a few relatively simple steps that can be taken to vastly improve the state of IoT security on your network. We know that these devices aren’t updated regularly (if ever) and we know they often aren’t actively managed or monitored.
- Monitor egress traffic and apply rules to prevent unintended outbound communication. If an IoT device is compromised through a DNS rebinding attack but outbound communication is blocked at the network edge, you’ve prevented your device from being a productive botnet member. By monitoring egress logs you would see connection attempts and be able to respond to the compromised device.
- Isolate IoT devices on their own network segment, virtually or physically. By implementing VLANs and restricting access between networks you can limit the damage a compromised IoT device can do. Blocking lateral movement will help protect assets that may be vulnerable to attacks from the local network. For anyone who played the “I’m not touching you” game in the back of the family minivan, the answer is clear: Captain’s Chairs for your network.
- Monitor IoT devices, keep them up to date and don’t buy the cheapest solution. In IoT, you get what you pay for. Those no-name cameras offer a low entry cost but don’t include the support you receive from established, market-leading companies. Your upfront savings will be obliterated in the face of lost IP, stolen PII, bandwidth consumed and IT staff hours spent remediating the problem. You must also keep tabs on your IoT devices: is anyone reviewing the camera footage? Is one camera angling for a better shot of the back office housing the safe? What about the server room?
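Putting the first two recommendations together, here is what reviewing egress logs from an isolated IoT VLAN can look like in code. This is an added example, not from the article: it assumes the IoT devices sit on their own segment (10.50.0.0/24), that the edge firewall logs every outbound attempt in the simple format shown, and that legitimate firmware only needs a short allow-list of destinations (vendor cloud, NTP); the subnets, ports and log lines are all constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.50.0.0/24")          # assumption: the isolated IoT VLAN
# (destination network, port) pairs legitimate firmware needs; constructed values
ALLOWED_EGRESS = [(ip_network("203.0.113.0/24"), 443),   # vendor cloud service
                  (ip_network("198.51.100.9/32"), 123)]  # NTP server
FAN_OUT_THRESHOLD = 3   # distinct unexpected destinations before we call it fan-out
# constructed firewall log format: "<ts> egress src=<ip> dst=<ip>:<port> proto=<tcp|udp>"
LINE_RE = re.compile(r"^\S+ egress src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) proto=\w+$")


def is_allowed(dst: str, port: int) -> bool:
    """True if an IoT device may legitimately reach this destination and port."""
    addr = ip_address(dst)
    return any(addr in net and port == p for net, p in ALLOWED_EGRESS)


def review_egress(lines) -> dict:
    """Per IoT device with unexpected outbound attempts: count, distinct hosts, verdict."""
    unexpected = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # unparseable line: skip, do not guess
        src, dst, port = m["src"], m["dst"], int(m["port"])
        if ip_address(src) not in IOT_SEGMENT or is_allowed(dst, port):
            continue                        # other segments and allowed traffic
        unexpected[src].append((dst, port))
    report = {}
    for src, attempts in unexpected.items():
        distinct = len(set(attempts))
        verdict = ("fan-out to many hosts: possible botnet/DDoS participation" if distinct >= FAN_OUT_THRESHOLD
                   else "repeated attempts to one host: possible C2 beacon" if len(attempts) > 1
                   else "single unexpected attempt: investigate")
        report[src] = {"unexpected": len(attempts), "distinct_dst": distinct, "verdict": verdict}
    return report


# Constructed sample: .21 behaves, .22 sprays three hosts, .30 beacons, 10.10.0.5 is not IoT
SAMPLE_LOG = """\
2018-07-24T10:00:01Z egress src=10.50.0.21 dst=203.0.113.7:443 proto=tcp
2018-07-24T10:00:05Z egress src=10.50.0.22 dst=192.0.2.15:80 proto=tcp
2018-07-24T10:00:06Z egress src=10.50.0.22 dst=192.0.2.16:80 proto=tcp
2018-07-24T10:00:07Z egress src=10.50.0.22 dst=192.0.2.17:80 proto=tcp
2018-07-24T10:00:09Z egress src=10.10.0.5 dst=192.0.2.99:443 proto=tcp
2018-07-24T10:00:10Z egress src=10.50.0.30 dst=192.0.2.50:6667 proto=tcp
2018-07-24T10:00:11Z egress src=10.50.0.30 dst=192.0.2.50:6667 proto=tcp
""".splitlines()

if __name__ == "__main__":
    print(review_egress(SAMPLE_LOG))
```

With a deny-by-default egress rule the same log lines would be blocked attempts rather than successful connections, but the review logic is identical.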
IoT promises so much – convenience, security, intelligent devices. Unfortunately, IoT devices can’t – and shouldn’t – be trusted on the same network as the servers that house your critical files or the workstations your users depend on to get work done. Think about the smartphone revolution… it’s 2018 and most mobile devices are supported for a few years at best. What’s the refresh cycle on your security cameras?
Taking a few simple architectural steps at the network level, monitoring network egress traffic, locking down outbound communication and checking in on IoT devices regularly can vastly improve the security posture of your network and limit damage caused by compromised devices. The IoT industry will mature over time and standards for patching and security will emerge. Until then, Trust No One.