Roku TV, Sonos Speaker Devices Open to Takeover

The DNS rebinding flaw reported in Google Home and Chromecast devices earlier this week is about to get a patch — but the same type of flaws have come to light for other top-name consumer Internet of Things devices, from Roku and Sonos.

Fortunately, Roku has already started deploying its update, while Sonos said it will  issue a patch in July.

If exploited, the devices are open to attacker hijacks, thanks to two common IoT issues: One, many IoT devices don’t require authentication for connections received on a local network; and two, locally, HTTP is often used to configure or control embedded devices.

DNS rebinding has been around for at least 10 years, originally used to control routers; it’s a technique where JavaScript in a malicious web page is used to communicate with or gain control of a victim router or other target device that uses a default password and web-based administration.

As researcher Brannon Dorsey, who uncovered the weaknesses in Roku and Sonos, explained in a post on Tuesday: “DNS rebinding allows a remote attacker to bypass a victim’s network firewall and use their web browser as a proxy to communicate directly with devices on their private home network. By following the wrong link, or being served a malicious banner advertisement, you could inadvertently provide an attacker with access to [an IoT device connected to the same home network].”

Tripwire researcher Craig Young recently found that as a result, an attacker can use DNS rebinding to carry out an attack to uncover location information on the Google devices.

“This is a serious privacy and safety issue because it means that if you browse the web from the same Wi-Fi as a Google Home or Chromecast, that web site’s operator can find you in the real-world. This has grave implications for cyberstalking as predators are just one click away from finding their victims offline,” said Young, via email.

This week, Dorsey confirmed the Google issues, and also found a DNS rebinding attack vector for both Roku video streaming devices (CVE-2018–11314) and the Sonos Wi-Fi speakers (CVE-2018–11316).

On the Roku front, he found that Roku’s local External Control API requires no authentication and can be exploited via DNS rebinding. The API provides control over the basic functionality of the set-top streaming device, including launching apps, searching for content and ordering playback—all of which can now be controlled by an attacker.

“Interestingly, it also allows direct control over button and key presses like a virtual remote, as well as input for several sensors including an accelerometer, orientation sensor, gyroscope and even a magnetometer (why?),” Dorsey said.

After some back-and-forth with the researcher, Roku agreed to patch the problem and said that it’s in the process of rolling out the updated firmware to its customers.

As for Sonos, Dorsey said that an attacker can use rebinding to leverage Sonos’ UPnP web server to run Unix shell commands on the device. A bad actor can take basic control of the device: “By following the wrong link you could find your pleasant evening jazz play list interrupted by content of a very different sort,” he said.

But there are other concerns too: “The Sonos HTTP API allows a remote attacker to map internal and external networks using the traceroute command and probe hosts with ICMP requests with ping, using simple POST requests,” he explained. And from there, an attacker could use a Sonos device as a “pivot point,” he explained, to find other information about the home network and the devices on it, from which he or she could mount further attacks.

A fix is incoming: “Upon learning about the DNS rebinding attack, we immediately began work on a fix that will roll out in a July software update,” Sonos said in a statement.

As mentioned, the IoT issues that lead to these flaws are by no means restricted to these vendors. The issue runs deep, also affecting a raft of connected thermostats and small/home office routers, amongst other IoT equipment.

“How is it that so many devices today could be vulnerable to an attack that was introduced over 10 years ago?” Dorsey said. “There are likely more reasons for this than I can explain, but I’m willing to bet money on two of them.”

Awareness in the cybercrime community – or rather lack thereof – is the first thing.

“It’s historically been a sort of cumbersome and difficult to pull off attack in practice,” he said. “You have to spin up a malicious DNS server in the cloud, write some custom JavaScript payload targeting a specific service, serve that to a victim on a target network, and then figure out how to use their web browser to pivot to a target machine running that service, which you probably don’t know the IP address of. There’s overhead and it’s error prone.”

And secondly, developers are not writing software that treats local private networks as if they were hostile public networks.

“Even if DNS rebinding becomes more popular in cybersecurity communities, that isn’t a guarantee that we’ll see a large drop in the number of vulnerable devices,” he explained. “That’s because security nerds aren’t the ones implementing these APIs, web developers are. Sure, web developers should know that externally facing API endpoints need authorization of some kind, but there is a recurring general consensus that private networks themselves can be used to secure intranet facing APIs…The idea that the local network is a safe haven is a fallacy. If we continue to believe it people are going to get hurt.”