Are the attacks on home routers dangerous?

Content created by
Gérald Doussot & Roger Meyer

Andy Ful (thread author)
Following a malicious link in the web browser can allow attackers to control your WiFi router and more (DNS Rebinding).

Look at the fragment starting from 37m 10 sec for protection against DNS Rebinding.

Presentation (slides): State of DNS Rebinding DEF CON

There are some variations of the attack. For example, the DNS Rebinding & UPnP attack worked for 75% of available routers.
Eradicating Attacks on the Internal Network with Internal Network Policy:

Are these attacks really so dangerous for home users? What do you think?

Andy Ful
The problem seems to be timely, because nowadays more and more people work online from home. The statistics show that cybercriminals are interested in attacking home networks to sneak into corporate networks. Many home routers are poorly configured and usually easily exploited.

ErzCrz
Disabling Remote Management and UPnP and changing the router login password is a must, as is connecting to it via Ethernet for managing the device. My ISP (Sky-UK) doesn't allow changes to the DNS server, as it's not an available option and would interfere with Broadband Shield, so you can only use their router. I have got the option to block sites by keyword or address, either via the router or the Sky account. IPv4 & IPv6 firewall enabled on the router, so I can't see that I'd be vulnerable to this, and I think if you have remote management disabled as well as UPnP you shouldn't have an issue, but maybe I don't understand this fully.

upnorth
"The routers we chose to test the attack on are the most popular among the largest ISPs in our region, as verified with 183 students and colleagues. We tested the whole cycle with each vendor, from surfing to the attacker's website to attempting to send the UPnP commands to the router. Most of the routers which enable UPnP in the LAN are vulnerable to our attack. Routers that are not vulnerable usually include a unique identifier in the UPnP URL (such as a UUID). As the attacker does not have direct access to the router's LAN, the identifier cannot be acquired; thus, the UPnP server cannot be accessed."
I strongly doubt the majority of home users disable UPnP on their routers. It is one of several key settings that should be disabled by default, but as most of us here know, that's sadly not the case.

If home users care little about their machine/system, they normally care even less about their routers. That's why it's extra important that ISPs that supply home users with routers at least have an automatic working update policy on the products. That is better than nothing, even if we would love to see a few more tweaks. More in the link below:

Turn off UPnP

Andy Ful
"NextDNS blocks DNS rebinding :)
Good routers do too (like the AVM FritzBox).

UPnP: Not bad by default, but it depends on the router. FritzBox provides 2 UPnP options and the "dangerous" one is disabled by default."
If I correctly recall, in this video the authors claim that the router protections against DNS Rebinding are usually insufficient. It is necessary to know what protection has been applied (see pages 45-50 and pages 73-74 in the Presentation). I have seen several reports from this year in Google that router vendors submitted updates to protect against DNS Rebinding (but I do not know the details).

"How do common DNS protections work?
  • The most common form of protection is to block private IP addresses as defined in RFC 1918
  • Some tools allow to additionally block localhost, local (internal) networks, or 0.0.0.0
  • Dnsmasq & Unbound open source DNS servers are very popular and are used in many widely used applications such as the pfSense firewall, the OpenWRT embedded operating system, and some home routers from FRITZ!Box or ASUS
  • There are also free DNS services such as OpenDNS which has a setting to block internal IP addresses.
  • Most tools or services that try to block DNS rebinding attacks do not enable it by default. pfSense and Google Home seem to enable it by default. But there are several tools & services that allow you to configure DNS rebinding protections."

"How to really protect from DNS rebinding:
  1. Use TLS on all services, external and internal, including localhost.
  2. Always use authentication.
  3. Validate the Host header of HTTP requests for correct values, e.g. 127.0.0.1 (whitelisting)."
See also:
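As an added illustration of the two controls quoted above (resolver-side filtering of internal addresses, and application-side Host header validation), here is a Python sketch; it is not code from the thread, the slides or any router firmware, and the hostnames and addresses it uses are constructed sample values.

```python
import ipaddress

# Ranges a rebind-protecting resolver (dnsmasq/Unbound style, per the slides)
# refuses to return for a public name: RFC 1918, localhost, link-local,
# the unspecified address and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # localhost
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "0.0.0.0/32", "::/128",                             # unspecified
    "fc00::/7",                                         # IPv6 unique local
)]

def is_internal(addr: str) -> bool:
    """True if an A/AAAA answer points at the local network or the host itself."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:10.0.0.5) must be judged by its IPv4 value.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def filter_dns_answer(records):
    """Resolver-side control: drop internal addresses from an answer set."""
    return [r for r in records if not is_internal(r)]

def _split_host_port(value: str):
    """Parse 'host', 'host:port' or '[v6]:port'; None if malformed."""
    if value.startswith("["):
        head, sep, rest = value.partition("]")
        if not sep:
            return None
        host = head + "]"
    elif value.count(":") <= 1:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    else:
        return None  # bare IPv6 literal without brackets is not a valid Host
    if not rest:
        return host, None
    return (host, int(rest[1:])) if rest[0] == ":" and rest[1:].isdigit() else None

def host_header_ok(header, allowed_hosts, listen_port, default_port=80):
    """Application-side control (slide item 3): accept only a Host header that
    names this service (allowlist) on the port it actually listens on."""
    parsed = _split_host_port(header.strip()) if header else None
    if parsed is None:
        return False
    host, port = parsed
    allowed = {h.lower() for h in allowed_hosts}
    return host.lower().rstrip(".") in allowed and (port or default_port) == listen_port
```

The Host check is what protects a LAN service even when the resolver filter is absent or incomplete: a request that arrived via a public name carries that name in the Host header and is rejected.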

Andy Ful
"This topic is way over my head, does using AdGuard's DNS cover this?"
Probably not.
Some DNS over HTTPS providers claimed that they can protect against DNS Rebinding. The test with Singularity showed that this is not true:

shmu26
I have a rebranded Mesh router from my telephone company. When I try to access the settings page via a web browser, it says "Smart net site blocked", and tells me that I can access settings only via their proprietary smartphone app.
You can only access the web page once, when you do the initial setup of the router, and again after you revert it to default settings.
I assume this increases security significantly.

Andy Ful
"Just use the test link I posted. But as Andy says, it's unlikely."
I am not sure, but it seems that the protection of NextDNS can also be bypassed by the Singularity framework.
"DoH allows users to encrypt DNS traffic by using a TLS channel directly to a single provider they trust. We saw that using DoH instead of plaintext DNS does not have an impact on DNS rebinding attacks; we were able to successfully perform all DNS rebinding attack strategies implemented in Singularity of Origin when targeting a vulnerable service. Some DoH service providers implement DNS rebinding protection controls but none are fully effective when employing Singularity of Origin."

Andy Ful
P.S. You can also do an automatic test: open the http://rebind.it:8080/ page and click on the Automatic test page.
...
It is interesting whether these tests can perform all attacks of the Singularity framework.
But it is good to see that the automatic DNS Rebinding fails for us. :)

Dave Russo
1. "connection blocked": this is the test result I got when using Kaspersky VPN.
2. "Rebinding... target: 127.0.0.1:80, session: 2662717628, strategy: fs. This page is waiting for a DNS update": this is the result without the VPN on.
So is having a VPN on constantly recommended?
