Roku and Sonos open to hack

Rita gives you full control of which sites your employees can and cannot visit. Rita can block sites that eat up your precious bandwidth, such as media streaming sites, and lets you block undesirable sites by wildcard or by name. Rita gives you the ability to determine which computers will be blocked and which will be allowed. With Rita, you can also block access to sensitive servers within your LAN.



The DNS rebinding flaw reported in Google Home and Chromecast devices is about to get a patch, but the same type of flaw has been highlighted in other consumer Internet of Things devices, from Roku and Sonos. If exploited, the devices are open to attacker hijacking, thanks to two common IoT issues: many IoT devices don't require authentication for connections received on the local network, and locally, HTTP is often used to configure or control embedded devices. DNS rebinding has been around for at least 10 years and was originally used to take control of routers. It's a technique where JavaScript in a malicious web page is used to communicate with, or gain control of, a victim's router or other target device that uses a default password and web-based administration.

Researcher Brannon Dorsey uncovered the weaknesses in Roku and Sonos. DNS rebinding allows a remote attacker to bypass a victim's network firewall and use their web browser as a proxy to communicate directly with devices on their private home network. By following the wrong link, or being served a malicious banner advertisement, you could inadvertently give an attacker access to an IoT device connected to the same home network. Researchers recently found that, as a result, a hacker can use DNS rebinding to uncover location information from the Google devices. This is a serious privacy and safety issue: if you browse the web from the same Wi-Fi as a Google Home or Chromecast, that web site's operator can find you in the real world. This has implications for cyberstalking, as predators are just one click away from finding their victims offline.
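The attack described above works because the browser trusts whatever address the attacker's DNS name resolves to, even when a later answer points into the victim's own LAN. One network-side defence is to refuse such answers at the home resolver: a name that is not a local name should never resolve to a private, loopback or link-local address. Resolver options such as dnsmasq's --stop-dns-rebind do exactly this. The Python below is an added example written for this page, not code from the article, from Roku, Sonos or Google, or from dnsmasq; the local-suffix list and the sample answer log are constructed for the demonstration.

```python
"""Resolver-side DNS rebinding filter (added example, not the article's code)."""
import ipaddress

# Address ranges a name resolved on the public Internet has no business pointing
# at. If an answer for such a name lands here, the most likely explanation is a
# rebinding attempt against the LAN, so the offending records are dropped.
LAN_ONLY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_lan_address(addr_text):
    """True if the address (v4, v6, or v4 mapped into v6) is LAN-only."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:192.168.1.1 is still 192.168.1.1
    return any(addr in net for net in LAN_ONLY_NETWORKS)


def _is_local_name(name, local_suffixes):
    """Names under a local suffix may legitimately point at the LAN."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in local_suffixes)


def filter_answer(name, addresses, local_suffixes=("local", "home.arpa", "lan")):
    """Return (kept_addresses, dropped_addresses) for one DNS answer.

    Names under a local suffix (mDNS-style .local, RFC 8375 home.arpa, and a
    constructed 'lan' suffix) pass untouched. Any other name resolving to a
    LAN-only range has those records removed, so a browser that was handed a
    public name can never be steered to a device on the home network.
    """
    if _is_local_name(name, local_suffixes):
        return list(addresses), []
    kept, dropped = [], []
    for addr in addresses:
        (dropped if _is_lan_address(addr) else kept).append(addr)
    return kept, dropped


# Constructed sample of successive answers a home resolver might see. The
# "ads.example" entries mimic the two classic rebinding shapes: a public and
# a LAN record served together, and a later answer that has switched to the LAN.
SAMPLE_ANSWERS = [
    ("cdn.example", ["203.0.113.10"]),                  # ordinary public answer
    ("ads.example", ["203.0.113.44", "192.168.1.20"]),  # public + LAN record
    ("ads.example", ["192.168.1.20"]),                  # rebound to the LAN
    ("speaker.local", ["192.168.1.20"]),                # local name: fine
    ("v6.example", ["::ffff:10.0.0.5"]),                # mapped-v4 disguise
]


def scan_answers(answers):
    """Run every answer through the filter and return (name, dropped) pairs.

    This is the list a resolver log or IDS rule would alert on: each entry is a
    public name that tried to resolve to an address inside the home network.
    """
    flagged = []
    for name, addrs in answers:
        _kept, dropped = filter_answer(name, addrs)
        if dropped:
            flagged.append((name, dropped))
    return flagged


if __name__ == "__main__":
    for name, dropped in scan_answers(SAMPLE_ANSWERS):
        print(f"rebinding suspected: {name} -> {', '.join(dropped)}")
```

The filter runs on the resolver the LAN clients actually use; a client that is handed a different resolver (for example by the attacker's page hard-coding DNS-over-HTTPS) bypasses it, which is why the device-side checks matter as well.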




Roku's local External Control API requires no authentication and can be exploited via DNS rebinding. The API provides control over the basic functionality of the set-top streaming device, including launching apps, searching for content and ordering playback, all of which can now be controlled by a hacker. It also allows direct control over button and key presses, like a virtual remote, as well as input for several sensors, including an accelerometer, orientation sensor, gyroscope and magnetometer. Roku agreed to patch the problem and said that it's in the process of rolling out the updated firmware to its customers.

In Sonos, a hacker can use rebinding to leverage Sonos' UPnP web server to run Unix shell commands on the device, and so take basic control of it. By following the wrong link you could find your pleasant evening jazz playlist interrupted by content of a very different sort. The Sonos HTTP API allows a remote attacker to map internal and external networks using the traceroute command and to probe hosts with ICMP requests using ping, all through simple POST requests. From there, a hacker can use a Sonos device as a pivot point to learn more about the home network and the devices on it, and to mount further attacks.



Upon learning about the DNS rebinding attack, Sonos began work on a fix that will roll out in a July software update. As mentioned, the IoT issues that lead to these flaws aren't restricted to these vendors. The issue runs deep, also affecting a swath of connected thermostats and small/home office routers, amongst other IoT equipment. Two things explain why it has persisted. First, there is a lack of awareness in the cybercrime community, because DNS rebinding has historically been a cumbersome attack that is difficult to pull off in practice: you have to spin up a malicious DNS server in the cloud, write a custom JavaScript payload targeting a specific service, serve that to a victim on a target network, and then figure out how to use their web browser to pivot to a target machine running that service, whose IP address you probably don't know. There's overhead, and it's error prone. Second, developers are not writing software that treats local private networks as if they were hostile public networks.

Even if DNS rebinding becomes more popular in cybersecurity communities, that isn't a guarantee that we'll see a large drop in the number of vulnerable devices. Security experts aren't the ones implementing these APIs; web developers are. Web developers should know that externally facing API endpoints need authorization of some kind, but there is a recurring general consensus that private networks themselves can be used to secure intranet-facing APIs. The idea that the local network is a safe haven is a fallacy. If we continue to believe it, people are going to get hurt.
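The fix the last paragraph calls for has two parts on the device side. First, the service must check that the Host header names the device itself: a request that arrives through a rebound DNS name still carries the attacker's hostname in Host, because the browser believes it is talking to that site, so an exact match against the device's own addresses and names is what defeats rebinding. Second, the API must require authorization even on the LAN, for exactly the reason the paragraph gives. The Python below is an added example written for this page, not code from the article or from any vendor; the device addresses, hostnames, pairing token and /api/status path are constructed placeholders.

```python
"""Host-header and token checks for a LAN-only device API (added example)."""
import hmac
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed placeholders: on a real device these come from the network stack
# (current interface addresses) and from provisioning (a per-device pairing token).
DEVICE_ADDRESSES = {"127.0.0.1", "192.168.1.20"}
DEVICE_HOSTNAMES = {"speaker.local", "localhost"}
PAIRING_TOKEN = "example-pairing-token-not-a-real-secret"


def host_header_is_trusted(host_header, addresses=DEVICE_ADDRESSES,
                           hostnames=DEVICE_HOSTNAMES):
    """True only if the Host header names this device (by name or address).

    Anything else, including a missing header, an attacker's public hostname,
    or a look-alike such as 192.168.1.20.attacker.example, is refused.
    """
    if not host_header:
        return False  # HTTP/1.0 client or stripped header: refuse
    try:
        parts = urlsplit("//" + host_header)  # handles host:port and [v6]:port
        name = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if name is None:
        return False
    if name in hostnames:
        return True
    try:  # normalise the literal so 192.168.1.20 and odd spellings compare equal
        return str(ipaddress.ip_address(name)) in addresses
    except ValueError:
        return False


def token_is_valid(auth_header, expected=PAIRING_TOKEN):
    """Constant-time check of 'Authorization: Bearer <token>'."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth_header[len("Bearer "):], expected)


def check_request(host_header, auth_header):
    """Status the API answers with before any handler logic runs."""
    if not host_header_is_trusted(host_header):
        return 421  # Misdirected Request: Host does not name this device
    if not token_is_valid(auth_header):
        return 401  # on the LAN is not the same as authorised
    return 200


class DeviceApiHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a device's local control API."""

    def do_GET(self):
        status = check_request(self.headers.get("Host"),
                               self.headers.get("Authorization"))
        body = b"ok\n" if status == 200 else b"refused\n"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(host_header_values):
    """Serve the API on an ephemeral loopback port and replay requests that
    differ only in their Host header; returns the status code for each."""
    server = HTTPServer(("127.0.0.1", 0), DeviceApiHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = []
    try:
        for host in host_header_values:
            conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
            conn.putrequest("GET", "/api/status", skip_host=True)
            conn.putheader("Host", host)
            conn.putheader("Authorization", "Bearer " + PAIRING_TOKEN)
            conn.endheaders()
            results.append(conn.getresponse().status)
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    # Same socket, same token; only the Host header differs. The second request
    # is what a rebound browser sends, and it is refused.
    print(probe(["127.0.0.1", "attacker.example"]))  # [200, 421]
```

The Host check has to compare against the device's current addresses and its own advertised names, not against a wildcard; any public hostname, and any name merely ending in one of the device's names, must fail. Note that the token is checked after the Host header on purpose: a rebound request never reaches the authorisation step, so the token is not exposed to a probe that guesses addresses.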