Prevent DNS Rebinding Attacks by Configuring Your Router
Programmer (and artist) Brannon Dorsey recently wrote a fascinating and rather technical article on the dangers of DNS rebinding. It’s worth reading if you have the slightest interest in how web browsers work to prevent one site – say, a fraudulent site – from sending a request to another site – your bank – and emptying your accounts or manipulating your credentials (without the explicit permission of the site).
His research has mainly focused on how DNS rebinding could allow a malicious site (or the person behind it) to communicate with devices like your Google Home, Roku, smart thermostat or router, and many more. As far as the consequences go, you might be dealing with more than a website that makes your smart speaker play a trololo song:
“The Radio Thermostat CT50 and CT80 devices have by far the most severe IoT device vulnerabilities I have found so far. These devices are among the cheapest smart thermostats available on the market today. I bought one to play with after CVE-2013-4860 reported it was not secure, saying the device has no form of authentication and can be controlled by anyone on the network. […]
“This assumption turned out to be correct, and the thermostat control API left the door open to DNS re-bind shenanigans. It’s probably pretty obvious how much damage can be done if your building’s thermostat can be controlled by remote intruders. The PoC at http://rebind.network extracts some basic information from the thermostat before setting the target temperature to 95° F. This temperature can be dangerous or even fatal during the summer months for the elderly or people with disabilities. Not to mention, if your device becomes a target while you are on vacation, you could return home to a hefty utility bill.”
While Dorsey has asked a number of major device manufacturers to provide some kind of patch or update to prevent DNS rebinding attacks from working, you should also take a few steps right now to lock down your (probably) insecure wireless router. As Dorsey says, “However, I should mention that so far I’ve mostly refrained from applying my DNS rebinding research to routers … Mostly because I’m almost too scared to look.”
Change these settings on your router for more security.
If your router came with some kind of default login for its web interface – which is probably not the case if you have a prettier mesh router that you configured with an app on your smartphone or tablet – that is what you want to change right now. You should have changed it already, because there is nothing more insecure than having a device that shares a username and password with every other device the company makes.
If you are typing “admin” and “admin” for the username and password when entering your router settings (either through the web interface or through the app), or something similarly common, change both of these parameters right now. Make them unique, like “Routermaster81” and “password123jk” or something like that.
Now that you’re in your router’s settings menu, look for the UPnP section. It may be easy to find in your router’s main settings menu, or it could be an option that’s hidden somewhere in the advanced settings menu. Dig around (or consult your router manual) to find out where it is, if it exists. Once you find it, consider disabling UPnP. As Dorsey writes:
“These UPnP servers provide administrative control over router configuration to any unauthenticated machine on the network via HTTP. Any computer on the network or the public internet through DNS rebinding can use IGD/UPnP to configure the router’s DNS server, add and remove NAT and WAN port mappings, view the number of bytes sent/received on the network, and access the router’s public IP (optionally, see upnp-hacks.org for information).”
With UPnP disabled, certain software you are using, such as gaming services or BitTorrent clients, may require you to manually forward ports on your router in order to work properly. If you use one of them heavily, you might not want to trade that convenience for security. And if you’re just using your laptop to browse the web and chat with friends, you probably don’t need UPnP enabled. At worst, you can always turn it back on if you find that its absence is causing you (or your favorite apps) a lot of grief.
Dorsey also suggests switching your router’s DNS to a service like OpenDNS instead of using your ISP’s DNS, since you can then use OpenDNS to filter out suspicious IP addresses from DNS responses.
Assuming you’ve gone through the process of opening a (free) OpenDNS account, configured your router to use it, and installed OpenDNS software (for Windows or macOS), you’ll want to visit the OpenDNS settings page and click on your network’s IP address. From there, click on “Security” in the left sidebar and make sure the “Block internal IPs” checkbox is checked. Check “Apply to all my networks” and click the “Apply” button.
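What a “Block internal IPs” style filter does to DNS answers, sketched as an added example (it is not OpenDNS’s or Dorsey’s code). The address list, the `home.arpa` allow-list and the sample lookups are assumptions constructed here.

```python
import ipaddress

# Assumed policy for this example: ranges a public name should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Assumed allow-list: local names that may legitimately answer with LAN addresses.
ALLOWED_LOCAL_SUFFIXES = ("home.arpa",)


def is_internal(addr):
    """True if addr is a loopback, private or link-local address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # fail closed on anything that does not parse
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot slip past the list.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def filter_response(qname, records, allowed=ALLOWED_LOCAL_SUFFIXES):
    """Split (address, ttl) records into (kept, blocked)."""
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in allowed):
        return list(records), []
    kept = [r for r in records if not is_internal(r[0])]
    blocked = [r for r in records if is_internal(r[0])]
    return kept, blocked


# Constructed sample: one external name whose answer changes between lookups,
# plus a local name that is expected to be internal.
SAMPLE = [
    ("a1.rebind.example", [("203.0.113.10", 1)]),
    ("a1.rebind.example", [("192.168.1.1", 1)]),
    ("a1.rebind.example", [("::ffff:10.0.0.5", 1)]),
    ("printer.home.arpa", [("192.168.1.40", 300)]),
]


def run(sample=SAMPLE):
    return [(q, *filter_response(q, recs)) for q, recs in sample]


if __name__ == "__main__":
    for qname, kept, blocked in run():
        print(qname, "kept:", kept, "blocked:", blocked)
```

A resolver that strips the blocked records leaves the browser with no internal address to connect to, so the second and third lookups above fail instead of reaching a LAN device.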
After you’ve done all that, check out Dorsey’s website to help you figure out if your connected smart devices are vulnerable.