Security researchers have warned that hackers could create webpages that rapidly scan for home IoT devices and then take control of them.
According to a paper to be presented at the ACM SIGCOMM 2018 Workshop on IoT Security and Privacy in August, security researchers Frank Li of UC Berkeley, and Gunes Acar, Danny Yuxing Huang, Arvind Narayanan, and Nick Feamster of Princeton University, have discovered a faster way of mounting an old attack method, known as DNS rebinding.
A DNS rebinding attack happens when a user visits a webpage that contains a malicious script and remains on the page long enough for the script to be run in its entirety. Such attacks typically fail if a user navigates away before the attack has finished, as it takes a minute to run and most users visit webpages for less than 15 seconds.
However, the security researchers have developed a much faster version of this attack that only takes around ten seconds to discover and attack local IoT devices.
“Furthermore, our version assumes that the attacker has no prior knowledge of the targeted IoT device’s IP address,” added the researchers.
The first has a malicious script scanning local IP addresses. At the end of this stage, the attacker detects whether the victim has a particular device (e.g. Google Home or Chromecast), along with the IP address of the device. This takes about seven seconds.
The second stage sees the malicious script attempt to perform DNS rebinding using Jaqen for each identified device. Once the DNS rebinding is complete, the attacker can send commands to control the IoT device or extract personal information, such as unique identifiers and WiFi access point BSSIDs (which can be used to gather the precise geolocation of the user).
Researchers said that the attack is not limited to Google devices, as other devices could also be attacked in this way, including a smart switch, a smart TV, and two network cameras. The researchers disclosed the vulnerabilities to the respective vendors in April.
“We plan to publicly disclose the details of these vulnerabilities at the end of the standard 90-day vulnerability disclosure period,” said the researchers.