Decade-old attack can pwn Google Home, Chromecast, Sonos and Roku

[Matrix]

These devices are vulnerable to DNS rebinding attacks that could allow attackers to get your geographic location, gather recon for future attacks, or remotely control the devices.

While DNS rebinding attacks have been around for over a decade, two different researchers started poking around in the attack vector and discovered that Roku streaming devices, Sonos wireless speakers, smart home thermostats, Google Home, and Chromecast were all vulnerable and can all be pwned via DNS rebinding attacks.

First up is research from programmer Brannon Dorsey.

Excited to finally share this research publicly!

TL;DR Following the wrong link could allow remote attackers to control your WiFi router, Google Home, Roku, Sonos speakers, home thermostats and more ?https://t.co/UgJbTalDeL

— ☠️ Brannon Dorsey ? (@brannondorsey) June 19, 2018

“By using a victim’s web browser as a sort of HTTP proxy, DNS rebinding attacks can bypass network firewalls and make every device on your protected intranet available to a remote attacker on the Internet,” Dorsey explained on Medium.

Every device that I got my hands on fell victim to DNS rebinding in one way or another, leading to information being leaked, or in some cases, full device control. Google Home, Chromecast, Roku, Sonos WiFi speakers, and certain smart thermostats could all be interfaced with in some way by an unauthorized remote attacker.

On top of releasing details about his research, Dorsey published the DNS Rebind toolkit on GitHub, as well as a proof-of-concept exploit to target devices on your own home network (http://rebind.network).

Roku vulnerability 

When it comes to Roku, Dorsey found a HTTP server running on port 8060 and that “Roku’s External Control API provides control over basic functionality of the device, like launching apps, searching, and playing content. Interestingly, it also allows direct control over button and key presses like a virtual remote, as well as input for several sensors including an accelerometer, orientation sensor, gyroscope and even a magnetometer.” The local API required no authentication and was vulnerable to DNS rebinding.

Roku, according to Dorsey, originally claimed DNS rebinding did not put customers or the Roku platform at risk. After later acknowledging it was a valid threat, Roku said it could take three to four months to develop a patch. After Dorsey said the research would quickly be released to the public, Roku developed a patch by the next morning. The firmware update with the patch has started rolling out to 20 million devices.

Sonos vulnerability

Not only could a remote attacker change the content of what you are listening to via Sonos Wi-Fi speakers, they could also use the Sonos device as a pivot point, gathering recon about your network that could be used for a follow-up attack.

[ Prepare to become a Certified Information Security Systems Professional with this comprehensive online course from PluralSight. Now offering a 10-day free trial! ]

Sonos released this statement: “Upon learning about the DNS Rebinding Attack, we immediately began work on a fix that will roll out in a July software update.”

 

Radio Thermostat CT50 & CT80 vulnerabilities

These relatively inexpensive “smart” thermostats are also vulnerable to DNS rebinding bugs, meaning remote attackers could control your thermostat. Dorsey’s PoC will extract basic info from the device before setting the temperature to 95 degrees. Sadly, the company opted not to respond to Dorsey’s disclosure. That is unsurprising considering the company never responded and never fixed the no authentication vulnerability that was reported in 2013.

Google Home and Chromecast vulnerabilities

They say great minds think alike; both Dorsey and Tripwire researcher Craig Young were independently looking into how Google Home and Chromecast were vulnerable to DNS rebinding attacks.

Dorsey put it like this:

Imagine a scenario where you’re browsing the web and all of a sudden your Google Home factory resets. What if your roommate left their web browser open on their laptop and an HTML advertisement sends your Chromecast into reboot loops while you are trying to watch a movie? One of my favorite attack scenarios targeting this API is an abuse of the WiFi scanning capability. Attackers could pair this information with publicly accessible wardriving data and get accurate geolocation using only your list of nearby WiFi networks. This attack would be successful even if you’ve disabled your web browser’s geolocation API and are using a VPN to tunnel your traffic through another country.

He reported the vulnerability in March and again in April after receiving no response from Google.

Meanwhile, Young had also determined that Google Home and Chromecast were vulnerable to DNS binding and could reveal your location.

Young told Brian Krebs the attack relies on asking the Google device what other wireless networks are nearby and then gets geolocation for those devices.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity. “The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

Young blame the leak of location data on poor authentication by the Google devices. He warned that the bug could be abused by scammers for phishing or extortion attacks, telling Krebs, “Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could abuse Google’s location data to lend credibility to the fake warnings.”

On Tripwire, Young added:

 

Browser extensions and mobile apps can use their unrestricted network access to directly query the devices without relying on or waiting for a DNS cache refresh. This gives advertisers a direct path to obtain location data without alerting the end-user. The location data can then be correlated with other tracked web activity and possibly tied to a specific real-world identity.

As mentioned previously, Google opted not to respond when Dorsey reported the vulnerabilities. When Young tried in May, Google replied to the bug report with “Status: Won’t Fix (Intended Behavior).” However, when Brian Krebs got involved and contacted Google, the company then said it intends to deploy an update in mid-July to fix the privacy leak in both devices.

source