When you next go to watch Game of Thrones on your Chromecast, don’t be surprised if you see something entirely unexpected pop up on your screen instead.

Tripwire’s principal security researcher Craig Young took some time away from running the IoT Hack Lab at SecTor 2018 to show us how someone could get inside your home network from halfway around the world using a technique known as DNS rebinding.

When your browser runs JavaScript downloaded from a remote server, the same-origin policy only lets that script talk to the origin it came from (the same scheme, host and port); a page can loosen this slightly to sibling hosts under the same registered domain, but not to arbitrary machines. That makes it hard for an attacker to use a malicious web page to reach devices on a victim's home network, even though the victim's browser is sitting inside that network.

Enter DNS Rebinding

DNS rebinding is a way around that. It is a well-established attack technique in which the attacker controls a domain name and rapidly changes the IP address it resolves to. In his demo, Young switched the address for his domain from the attack server to a device on the victim's network: the browser believes it is still talking to the same origin, because the hostname has not changed, but the packets now go to the Chromecast.

Young used JavaScript delivered from an attack server to make the browser probe nearby addresses on the local network. In this case he engineered the attack to look for a Google Chromecast. When he found one, he redirected the browser to a per-victim hostname on the attack server, which the script then requested repeatedly. The DNS record for that hostname carried a very short time-to-live, so it soon expired; when the browser looked the name up again, the attacker's name server answered with the internal IP address of the user's Chromecast.

At that point the JavaScript in the browser, which came from the attack server, could send requests to the Chromecast while still satisfying the same-origin policy: the origin was unchanged, only the address behind it was now the device on the LAN, so the script could send it whatever it wanted. Fun ensued, and it took just 62 seconds.
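The sequence described above, as an added example that is not Young's code or Tripwire's: a small Python simulation of the two moving parts, the attacker's name server that changes its answer after the first lookup, and a browser whose DNS cache honours the TTL while its same-origin check only ever compares hostnames. The domain, addresses, TTL and the per-victim token are constructed values, and nothing here opens a socket.

```python
import ipaddress

# Constructed values for this walkthrough (assumptions, not from the article).
ATTACK_DOMAIN = "rebind.example.net"   # attacker-controlled zone with its own name server
ATTACK_IP = "203.0.113.10"             # attacker's web and DNS server (RFC 5737 documentation range)
TARGET_IP = "192.168.1.42"             # where the probe found the Chromecast on the victim's LAN
SHORT_TTL = 1                          # seconds; the first answer is meant to expire almost at once

# RFC 1918, loopback and link-local space: a public name has no business resolving here.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def victim_hostname(token):
    """The per-victim name the script is redirected to, e.g. a1b2c3.rebind.example.net."""
    return "%s.%s" % (token, ATTACK_DOMAIN)


class RebindingNameServer:
    """Authoritative DNS for ATTACK_DOMAIN that answers differently over time.

    First lookup of a victim's name: the attacker's public IP with a tiny TTL, so
    the browser fetches the attacker's page and its JavaScript from there.
    Every later lookup of that name: the private IP of the device on the LAN.
    """

    def __init__(self):
        self.page_served = set()

    def resolve(self, name):
        if not name.endswith("." + ATTACK_DOMAIN):
            return None, 0
        if name not in self.page_served:
            self.page_served.add(name)
            return ATTACK_IP, SHORT_TTL
        return TARGET_IP, 3600


class Browser:
    """The victim's browser: a DNS cache that honours TTLs, plus the same-origin check.

    Time is a counter advanced by sleep(), so the run is deterministic.
    """

    def __init__(self, nameserver):
        self.ns = nameserver
        self.now = 0.0
        self.cache = {}      # hostname -> (ip, expires_at)
        self.origin = None   # hostname the running script was loaded from

    def resolve(self, name):
        ip, expires = self.cache.get(name, (None, -1.0))
        if ip is None or self.now >= expires:
            ip, ttl = self.ns.resolve(name)
            self.cache[name] = (ip, self.now + ttl)
        return ip

    def load_page(self, host):
        self.origin = host
        return self.resolve(host)

    def script_fetch(self, host):
        # Same-origin policy: the script may only talk to the host it came from.
        # Rebinding never trips this check; it changes what that host resolves to.
        if host != self.origin:
            raise PermissionError("blocked by same-origin policy: " + host)
        return self.resolve(host)

    def sleep(self, seconds):
        self.now += seconds


def simulate_rebinding(token="a1b2c3", poll_interval=2.0, polls=4):
    """Replay the attack: load the page, then poll the same origin repeatedly.

    Returns one (time, ip, internal) tuple per request the script makes, so the
    moment the origin silently becomes the Chromecast is visible in the output.
    """
    browser = Browser(RebindingNameServer())
    host = victim_hostname(token)
    events = []
    ip = browser.load_page(host)
    events.append((browser.now, ip, is_internal(ip)))
    for _ in range(polls):
        browser.sleep(poll_interval)
        ip = browser.script_fetch(host)   # same origin every time
        events.append((browser.now, ip, is_internal(ip)))
    return events


if __name__ == "__main__":
    for t, ip, internal in simulate_rebinding():
        where = "device on the LAN" if internal else "attack server"
        print("t=%4.1fs  %s -> %s (%s)" % (t, victim_hostname("a1b2c3"), ip, where))
```

The first request goes to the attack server and every request after the TTL lapses goes to the private address, yet the browser raised no objection at any point, because the only thing its same-origin check compares is the hostname. Real browsers complicate the timing: they generally hold a resolved address for some tens of seconds regardless of a shorter TTL, which is why a real attack has to keep polling for about a minute before the rebind takes effect, consistent with the 62 seconds quoted above.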

In this case, Young Rickrolled the Chromecast, but could just as easily have delivered any other content that he wanted to a device on the home network, including malicious JavaScript. Here’s our interview, showing his technique.

The victim's home router carries much of the blame here, because its DNS forwarder is the natural place to stop the trick: a public hostname suddenly resolving to a private address such as 192.168.x.x is the tell-tale sign of rebinding, and the router could simply refuse to pass such an answer on to the browser. The irony is that the DNS software in most routers supports exactly this anti-rebinding check, but Young says that few vendors enable it.

Solving the problem

The solution? Put multiple routers behind each other to segment your network, he says, so that the browser and the Chromecast are no longer on the same LAN. Most people won't do that because it's complicated and expensive. There are simpler alternatives, such as pointing your router's DNS settings at a service like OpenDNS, which filters responses that resolve public names to suspicious addresses, including private ones.
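What the router's forwarder, or a filtering resolver like OpenDNS, actually has to do is inspect each DNS answer heading back into the LAN and drop A records that map a non-local name into private address space. The following is an added Python example, not code from Tripwire, OpenDNS or any router firmware: it builds a few sample DNS responses in wire format (constructed traffic, never sent anywhere) and runs that anti-rebinding rule over them. The local suffixes and the addresses are assumptions.

```python
import ipaddress
import struct

# Assumed suffixes that a home network legitimately resolves to private addresses.
LOCAL_SUFFIXES = (".lan", ".home.arpa")

# Addresses a public hostname must never resolve to (RFC 1918, loopback, link-local).
# Listed explicitly rather than via ipaddress's is_private, which also flags the
# RFC 5737 documentation ranges used here for sample public addresses.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(name, ips, ttl=60, txid=0x1234):
    """Construct a minimal DNS response carrying one A record per address.

    Used only to manufacture sample traffic for the filter below.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the QNAME at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def answer_count(pkt):
    return struct.unpack("!H", pkt[6:8])[0]


def filter_rebinding(pkt):
    """Apply the anti-rebinding rule a router's DNS forwarder could enforce.

    Returns (filtered_packet, dropped), where dropped lists the (qname, ip) pairs
    removed because a non-local name pointed into internal address space.
    Assumes a single question; answer names that point at the question stay valid
    because the question section is copied through unchanged.
    """
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = read_name(pkt, off)
    off += 4                                       # skip QTYPE and QCLASS
    question_end = off
    kept, dropped = [], []
    for _ in range(an):
        start = off
        _, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4 and not qname.endswith(LOCAL_SUFFIXES):
            addr = ipaddress.IPv4Address(rdata)
            if is_internal(addr):
                dropped.append((qname, str(addr)))
                continue
        kept.append(pkt[start:off])
    header = struct.pack("!HHHHHH", txid, flags, qd, len(kept), ns, ar)
    return header + pkt[12:question_end] + b"".join(kept) + pkt[off:], dropped


if __name__ == "__main__":
    samples = [("www.example.com", ["203.0.113.10"]),
               ("a1b2c3.rebind.example.net", ["192.168.1.42"]),
               ("chromecast.lan", ["192.168.1.42"])]
    for name, ips in samples:
        _, dropped = filter_rebinding(build_a_response(name, ips))
        print("%-28s %s" % (name, "DROPPED %s" % dropped if dropped else "passed"))
```

The rule is deliberately narrow: a name under a configured local suffix may still resolve to 192.168.1.42, so local devices keep working, while a public name that does so is scrubbed from the answer before the browser ever sees it. This is the same check that dnsmasq, the forwarder inside many home routers, ships as `--stop-dns-rebind` (with `--rebind-domain-ok` for exceptions); the article's point is that vendors leave it switched off.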

But this attack has been understood for years. Shouldn’t router vendors have implemented something that doesn’t require drastic — and in many cases prohibitively technical — action on the user’s part?

All of which leads to the question: Shouldn’t there be more regulation to force connected device vendors to prevent these problems, and what might that look like? Could IoT security ever be self-regulated, or would the government need to do it?

People have proposed both approaches. I Am The Cavalry, a group of cybersecurity experts formed in 2013 that campaigns for better cybersecurity in areas touching public safety and human life, has proposed a version of the Hippocratic oath for developers of connected medical devices.

The oath proposed cyber safety by design (riffing on the data-protection-by-design principle in Europe's GDPR rules), collaboration with those disclosing vulnerabilities, the capturing of evidence to learn from safety investigations, and the use of a 'safe state' with clear indicators when failure is unavoidable. It also advocated for regular cybersecurity updates.

No such declarations seem to exist for your smart TV, streaming box or connected kettle, though, and in any case, the Cavalry’s rules are strictly voluntary.

Lawmakers have also proposed enforceable IoT rules. Recently, US congressional leaders reintroduced a bill that would create a checklist of cybersecurity requirements for IoT devices. The bill, which was originally introduced in 2017 but went nowhere, would rely on the National Institute of Standards and Technology (NIST), a knowledgeable organization with a solid track record, to produce the checklist. However, it would be enforced only through federal procurement: government agencies would be barred from buying non-compliant devices, but nothing would stop vendors selling them to everyone else.

California took another route, passing SB-327 into law in September 2018. From 1 January 2020, it will impose security requirements on any device that connects directly or indirectly to the Internet and has an IP or Bluetooth address. The problem with this legislation is that it defines its own, thin cybersecurity rules: a "reasonable security feature or features", which for a device that can be logged into from outside its LAN is satisfied by a password unique to each unit or a forced change of credentials on first use.

Code signing? Device attestation? Protections against attacks like DNS rebinding? No such luck.

Other federal bills have called for the Federal Communications Commission (FCC) to establish cybersecurity requirements for wirelessly connected equipment, and for a voluntary security ratings system for IoT kit. Neither of these seems to have got off the starting blocks.

That last idea holds water. An easily-digestible consumer rating guide for equipment — a kind of scoring system that you could read on the side of the box — could help force vendors to take these things seriously by applying market pressures. However, the assessment criteria would have to be sufficiently robust. Would it include protection against well-established exploits like DNS rebinding? We hope so.

You can see Craig Young’s own writeup of DNS Rebinding on the Tripwire site here.