Every device that I got my hands on fell victim to DNS rebinding in one way or another, leading to information being leaked, or in some cases, full device control.

Google Home, Chromecast, Roku, Sonos WiFi speakers, and certain smart thermostats could all be interfaced with in some way by an unauthorized remote attacker. On top of releasing details about his research, Dorsey published the DNS Rebind toolkit on GitHub, as well as a proof-of-concept exploit to target devices on your own home network.

When it comes to Roku, Dorsey found an HTTP server running on port 8060 and that “Roku’s External Control API provides control over basic functionality of the device, like launching apps, searching, and playing content. Interestingly, it also allows direct control over button and key presses like a virtual remote, as well as input for several sensors including an accelerometer, orientation sensor, gyroscope and even a magnetometer.” The local API required no authentication and was vulnerable to DNS rebinding.

Roku, according to Dorsey, originally claimed DNS rebinding did not put customers or the Roku platform at risk. After later acknowledging it was a valid threat, Roku said it could take three to four months to develop a patch. After Dorsey said the research would quickly be released to the public, Roku developed a patch by the next morning. The firmware update with the patch has started rolling out to 20 million devices.

Not only could a remote attacker change the content of what you are listening to via Sonos Wi-Fi speakers, they could also use the Sonos device as a pivot point, gathering recon about your network that could be used for a follow-up attack. Sonos released this statement: “Upon learning about the DNS Rebinding Attack, we immediately began work on a fix that will roll out in a July software update.”

Radio Thermostat CT50 & CT80 vulnerabilities

These relatively inexpensive “smart” thermostats are also vulnerable to DNS rebinding bugs, meaning remote attackers could control your thermostat. Dorsey’s PoC will extract basic info from the device before setting the temperature to 95 degrees. Sadly, the company opted not to respond to Dorsey’s disclosure. That is unsurprising, considering the company never responded to, and never fixed, the no-authentication vulnerability that was reported in 2013.

Google Home and Chromecast vulnerabilities

They say great minds think alike: both Dorsey and Tripwire researcher Craig Young were independently looking into how Google Home and Chromecast were vulnerable to DNS rebinding attacks. Imagine a scenario where you’re browsing the web and all of a sudden your Google Home factory resets. What if your roommate left their web browser open on their laptop and an HTML advertisement sends your Chromecast into reboot loops while you are trying to watch a movie? One of my favorite attack scenarios targeting this API is an abuse of the WiFi scanning capability. Attackers could pair this information with publicly accessible wardriving data and get accurate geolocation using only your list of nearby WiFi networks.