Slashdot Mirror


Google, Roku, Sonos To Fix DNS Rebinding Attack Vector (bleepingcomputer.com)

The developer teams from Google Home, Roku TV, and Sonos are preparing security patches to prevent DNS rebinding attacks on their devices. From a report: Roku has already started deploying updates, while Google and Sonos are expected to deploy patches next month. DNS rebinding is not a new attack vector by any stretch of the imagination. Researchers have known about it since 2007, when it was first detailed in a Stanford research paper. The purpose of a DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains.

5 of 56 comments

  1. Re:Browser solution by viperidaenz · Score: 2, Informative

    For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.
    That's already pretty bad news. With complete DNS control of your bank's domain they can obtain certificates and pose as a secure copy of your bank's website and steal your credentials that way. No DNS rebind attack required.

    Public websites that are hosted as virtual hosts aren't vulnerable to rebind attacks either, as they use the HTTP Host header to determine how to handle the request. A rebind attack means the Host header won't match the website and would generally return a 404.

    CDNs also stop rebind attacks from working on public websites for the same reason. The Host header is the domain of the attacker, not the destination.
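The Host-header check described in the comment above, carried over to the device side as an added example (not code from the article or from any of the vendors named): a small Python HTTP handler for a LAN device that refuses any request whose Host header does not name the device, so a rebound request carrying the attacker's domain gets the same 404 a virtual-hosting web server would return. The hostnames, IP address and port are constructed sample values.

```python
# Added example, not from the article or any vendor's patch: Host-header allowlist
# for an HTTP service on a LAN device, as a DNS rebinding mitigation.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Optional

# Names under which this device legitimately expects to be addressed.
# Constructed sample values; a real device would derive them from its config.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "192.168.1.50", "speaker.local"}

# host[:port] or [ipv6][:port]; anything else is malformed and rejected.
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9a-fA-F:.]+)\]|(?P<name>[^:]+))(?::(?P<port>\d{1,5}))?$"
)


def host_allowed(host_header: Optional[str], allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Return True only if the Host header names this device.

    A DNS-rebound request still carries the attacker's domain in Host (the
    browser fills it from the URL it navigated to), so it fails this check even
    though the TCP connection reached us.
    """
    if not host_header:
        return False  # HTTP/1.0 or missing header: refuse rather than guess
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False
    name = (m.group("v6") or m.group("name")).lower().rstrip(".")
    return name in {h.lower() for h in allowed}


class RebindGuardHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # Same outcome a virtual-hosting web server gives an unknown Host.
            self.send_error(404, "Unknown host")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"device status: ok\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), RebindGuardHandler).serve_forever()
```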

  2. Re:Browser solution by SirAstral · Score: 3, Insightful

    NO NO NO NO NO NO NO NO NO!!!!!

    Don't even DARE to come up with the idea that browsers should be performing these functions. The browser needs to do only one thing... trust the DNS server that gave it data because the USER or Admins configured it... OTHER more suitable tools (like inline network devices/services) should be doing this security. It is NOT just about what will or will not break with this, it is also about the thought of Google, Microsoft, Firefox, and Opera deciding what is good or bad DNS and then also dealing with the false positives and bugs that are definitely going to come with attempting this. Not only that, but this kind of functionality will now be tested on browsers and become included in their "security profiles".

    It's just a terrible, terrible idea, like putting a governor in every car connected to GPS to make sure it NEVER goes over the speed limit.

    Hackers would waste NO TIME in compromising this garbage in a browser, and systems would become even less secure just having it in them, NOT MORE secure.

    I cannot expound on how terrible the idea you just had is!

  3. Re:Browser solution by SirAstral · Score: 2

    "With complete DNS control of your bank's domain they can obtain certificates and pose as a secure copy of your bank's website and steal your credentials that way."

    yea, um no... you can't "just get a certificate" like that.

    You have to get a publicly trusted CA to issue you a certificate for a domain you don't own, and a CA is not going to do that unless they want to risk going out of business or becoming untrusted, defeating the entire purpose of being a CA. And if you go and create your own, well, how are you going to get the victim's own system to trust it without a root signer they already trust? Systems do not accept certificates blindly!

    You are going to have to trick someone into giving you a certificate, or find a way to compromise their certificate, or find a way to illegitimately obtain a proper certificate, like finding some dumbass admin that left a cert lying around on an easy-to-access network drive with its private key and an easy-to-guess password (likely also stored in a txt file right next to it) protecting it.

  4. Re:Browser solution by Junta · Score: 2

    Bad news:
    https://blog.nightly.mozilla.o...

    Firefox and Chrome are both advocating for ignoring the system DNS resolver and baking DNS resolving into their code (also shifting from DNS over UDP to DNS over HTTPS, with either JSON or the traditional binary format). Instead of trusting your DNS server, it trusts https://mozilla.cloudflare-dns... as the equivalent of the DNS server, ignoring the local network's suggested settings.

    Of course, I presume they must be doing something to support non-internet names to be resolved, but I haven't found yet an article going into that much detail.

    --
    XML is like violence. If it doesn't solve the problem, use more.

  5. The true reason they are wanting to stop it. by Cito · Score: 3, Interesting

    PiHole DNS servers

    Anyone can pick up a Raspberry Pi for 35 bucks or fire up a Debian virtual machine and install PiHole DNS.

    It blocks advertisements at the DNS level. I have a Roku, Chromecast, and of course Kodi attached to my TV, and both the Roku and Chromecast, not to mention my tablet, never get ads on YouTube or any streaming service.

    I bet this change is to try and stop pihole users from blocking ads on their devices so easily.