A Fresh View on Home Network (in)Security
Let’s talk about home network security. There’s a lot of confusion surrounding the security of the private home LAN. In this post, we will shatter the security myth and demonstrate how IoT devices are easily hackable even when they reside in the allegedly secure home LAN.
The router is not a guardwall
There is a persistent myth that some router features, such as Network Address Translation (NAT), provide security. However, the assumption that devices inside the private network are not directly accessible to the outside world is simply erroneous.
NAT was invented almost 20 years ago to solve the depletion of public IPv4 addresses, and it allowed far more people and devices to be connected. How does it work? At the most basic level, NAT translates the non-routable (private) IP addresses in a local network to a single public IP address by rewriting network- and transport-layer header fields (the private address ranges are defined in RFC 1918). The router rewrites the source IP of an outgoing IP datagram while remembering the original, so that it can rewrite the destination of the matching response back to the internal host. Although several NAT implementations provide some security as a side effect, an attacker can easily bypass the NAT by social engineering, malware, phishing, etc.
Another router feature that was designed for LANs is Universal Plug and Play (UPnP). Using UPnP, an application can automatically forward a port on the router instead of having the user do it manually. UPnP is a networking protocol that is enabled by default on many routers, and it exposes them to external attack by allowing anyone to remotely connect from the internet. While routers usually block incoming connections, UPnP could allow a hacker to bypass the router entirely. Check out Akamai's report about UPnP flaws and vulnerabilities and how they are actively being abused.
Exploiting holes in the internet infrastructure
When the internet was created decades ago, the thought of securing devices against attackers wasn’t keeping anyone awake at night, to say the least. While some protocols “got” secured extensions and versions, such as HTTP (HTTPS) and TELNET (SSH), DNSSEC was never fully deployed.
A good example of exploiting a “legit” protocol is DNS rebinding, a technique for attacking private networks. DNS rebinding is a DNS-based attack in which code embedded in a webpage subverts the browser’s same-origin policy (SOP). To launch a DNS rebinding attack, all an attacker needs is to register a domain name and generate web traffic to his page. With DNS rebinding, an adversary can exfiltrate sensitive data from the home LAN and circumvent the router and firewalls. It can also target any device that uses a web-based administrative panel and a default password. Brannon Dorsey explores this subject in depth in his recent research and demonstrates how a Google Home can easily be hacked by using DNS rebinding.
Another method that is commonly used for establishing bidirectional UDP connections between internet hosts in private networks is UDP hole punching. As the name implies, UDP hole punching punches a hole in the firewall to allow a packet from an outsider to successfully reach a device behind a NAT.
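The two standard mitigations for the rebinding attack described above are a resolver-side filter (refuse DNS answers that map an external name onto a private address, the way dnsmasq's rebind protection does) and a device-side check that the HTTP Host header matches a name or address the admin panel is actually reachable at. The following is an added example, not code from the original post or from the research it cites; the sample DNS answers, the local-name suffixes and the allowed-host list are constructed for illustration.

```python
import ipaddress

# Address ranges a public name should never resolve to: RFC 1918 private space,
# loopback, link-local and the "this network" block, plus their IPv6 counterparts.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed: name suffixes the household treats as its own LAN namespace.
LOCAL_SUFFIXES = (".lan", ".local", ".home")


def is_rebinding_answer(name: str, address: str, local_suffixes=LOCAL_SUFFIXES) -> bool:
    """True when a DNS answer points an external name at an internal address.

    Names under a trusted local suffix are allowed to resolve internally; anything
    else resolving to an internal range is the signature of a rebinding attempt.
    """
    if name.rstrip(".").lower().endswith(local_suffixes):
        return False
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in _INTERNAL_NETS)


def filter_answers(records):
    """Split (name, address) answers into those to forward and those to drop."""
    allowed, dropped = [], []
    for name, addr in records:
        (dropped if is_rebinding_answer(name, addr) else allowed).append((name, addr))
    return allowed, dropped


def host_header_ok(host_header: str, allowed_hosts) -> bool:
    """Device-side defence: serve the admin panel only for an expected Host value.

    After a rebind the browser still sends the attacker's domain as Host, so a
    panel that checks Host against its own name/address refuses the request.
    """
    h = host_header.strip().lower()
    if h.startswith("["):                 # bracketed IPv6 literal, e.g. "[fe80::1]:80"
        host = h[1:h.index("]")]
    else:
        host = h.split(":", 1)[0]         # drop an optional :port
    return host in {a.lower() for a in allowed_hosts}


# Constructed sample: a rebinding sequence (same name, first public then private)
# alongside a legitimate local name.
SAMPLE_ANSWERS = [
    ("attacker.example", "203.0.113.5"),   # first answer: the attacker's own server
    ("attacker.example", "192.168.1.1"),   # second answer: rebound onto the router
    ("printer.lan", "192.168.1.20"),       # legitimate LAN name, allowed
]

if __name__ == "__main__":
    allowed, dropped = filter_answers(SAMPLE_ANSWERS)
    print("forwarded:", allowed)
    print("dropped:  ", dropped)
    print("Host check:", host_header_ok("attacker.example", ["192.168.1.1", "router.lan"]))
```

The resolver filter alone is not enough for devices that are reached by IP literal or that sit behind a resolver you do not control, which is why the Host-header check belongs in the device firmware as well.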
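To make the NAT mechanism from the earlier section and the hole-punching behaviour above concrete, here is an added simulation (not code from the original post) of an address-and-port-restricted NAT: an unsolicited inbound packet is dropped, an outbound packet creates a mapping, and the mapping then lets a reply from that same peer through, which is exactly the "hole" that hole punching relies on. All addresses and ports are constructed documentation values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


@dataclass
class Nat:
    """Minimal address-and-port-restricted NAT (an assumption about the router's
    mapping policy; real routers differ in how restrictive the mapping is)."""
    public_ip: str
    next_port: int = 40000
    # (private_ip, private_port) -> public port assigned to that internal socket
    outbound: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
    inbound: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def send_out(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outgoing packet and record the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.next_port += 1
        pub_port = self.outbound[key]
        # Only this remote endpoint may now send back through pub_port.
        self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port)] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def receive_in(self, pkt: Packet):
        """Forward an inbound packet only if a matching mapping exists."""
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            self.dropped.append(pkt)       # no hole for this sender: drop it
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.payload)


def demo():
    """Walk through drop -> outbound mapping -> punched hole -> still-restricted."""
    nat = Nat(public_ip="198.51.100.7")
    # 1) Unsolicited probe from the internet: no mapping, so it is dropped.
    probe = nat.receive_in(Packet("203.0.113.9", 5000, "198.51.100.7", 40000, "probe"))
    # 2) A camera on the LAN sends a UDP packet out to a peer (or rendezvous server).
    out = nat.send_out(Packet("192.168.1.20", 5555, "203.0.113.9", 5000, "hello"))
    # 3) The same peer replies to the mapped public port: the hole is open.
    reply = nat.receive_in(Packet("203.0.113.9", 5000, "198.51.100.7", out.src_port, "reply"))
    # 4) A different internet host aiming at the same public port is still dropped.
    other = nat.receive_in(Packet("203.0.113.10", 5000, "198.51.100.7", out.src_port, "sneak"))
    return probe, out, reply, other, len(nat.dropped)


if __name__ == "__main__":
    probe, out, reply, other, n_dropped = demo()
    print("probe forwarded:", probe)
    print("outbound rewritten to:", out.src_ip, out.src_port)
    print("reply delivered to:", reply.dst_ip, reply.dst_port)
    print("other host forwarded:", other, "| dropped so far:", n_dropped)
```

The point for a defender is step 3: the NAT never "decided" the camera should be reachable; the device's own outbound traffic opened the path, which is why NAT is not an access-control mechanism.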
Attacking Other Devices Inside The Network
In almost every home these days there are several IoT devices connected to the home network. These devices reside with many other IoT devices, manufactured by different vendors, that are riddled with security vulnerabilities. Many of these devices offer limited or non-existent authentication to access and control their services. They also use insecure protocols like HTTP and TELNET to communicate freely with one another and operate as if they reside in a safe zone.
These devices trust the other machines on the network in the same way that you would inherently trust someone you’ve allowed into your home. Once an attacker gets control over one device in the LAN, they can make a lateral movement and hack other devices in the same network.
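One practical way to notice the lateral movement described above is to watch east-west traffic on the LAN for cleartext management protocols (Telnet, HTTP, FTP) coming from hosts that have no business administering other devices. The following detection is an added example, not the original post's code; the flow-log format, the LAN range, the admin host and the log lines are all constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed assumptions about the household network.
LAN = ipaddress.ip_network("192.168.1.0/24")
ADMIN_HOSTS = {"192.168.1.10"}                       # the laptop that is allowed to manage things
CLEARTEXT_MGMT_PORTS = {23: "telnet", 80: "http", 21: "ftp"}

# Constructed flow-record format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
_FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")


def parse_flow(line: str):
    """Parse one flow record; return None for lines that do not match the format."""
    m = _FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def find_lateral_movement(lines, lan=LAN, admin_hosts=ADMIN_HOSTS):
    """Flag LAN-to-LAN flows to cleartext management ports from non-admin hosts."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if not (src in lan and dst in lan):
            continue                              # north-south traffic is out of scope here
        if f["src"] in admin_hosts:
            continue                              # expected administrative access
        service = CLEARTEXT_MGMT_PORTS.get(f["dport"])
        if service:
            alerts.append((f["ts"], f["src"], f["dst"], service))
    return alerts


def pivot_sources(alerts) -> Counter:
    """Count alerts per source so a single compromised device stands out."""
    return Counter(src for _, src, _, _ in alerts)


# Constructed sample log: a compromised camera (.20) probing a thermostat's telnet
# service and the router's HTTP admin panel, among benign traffic.
SAMPLE_FLOWS = [
    "2024-05-01T09:00:01 192.168.1.10:51000 -> 192.168.1.1:80 tcp",      # admin laptop, expected
    "2024-05-01T09:00:05 192.168.1.20:40001 -> 93.184.216.34:443 tcp",   # camera to cloud, outbound
    "2024-05-01T09:00:09 192.168.1.20:40002 -> 192.168.1.30:23 tcp",     # camera -> thermostat telnet
    "2024-05-01T09:00:12 192.168.1.20:40003 -> 192.168.1.1:80 tcp",      # camera -> router admin UI
    "2024-05-01T09:00:15 192.168.1.30:40004 -> 192.168.1.20:8443 tcp",   # TLS between devices, fine
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = find_lateral_movement(SAMPLE_FLOWS)
    for ts, src, dst, svc in found:
        print(f"{ts} {src} -> {dst} over {svc}")
    print("alerts per source:", dict(pivot_sources(found)))
```

Segmenting IoT devices onto their own VLAN, with the admin host as the only permitted peer, turns these alerts from a detection into a block.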
In this post, we aimed to dispel the confusion surrounding the security of home networks and demonstrate how an adversary can easily penetrate the LAN through different attack vectors. The IoT ecosystem is booming and the home LAN has become crowded with machines and devices. This inevitable shift toward connected surroundings can easily be disrupted without proper security.
To solve these issues, a more holistic approach is required. Product vendors need to face the fact that anything available on the local network is also available to a remote attacker. An IoT product has to be secure not only at its foundation but also in an agile manner to allow fast adaptation to dynamic security threats.