Validating resources located at non-public IP addresses
I began to collect and borrow some of the more popular smart home devices on the market today. Over the next few weeks every device that I got my hands on fell victim to DNS rebinding in one way or another, leading to information being leaked or, in some cases, full device control.

If companies with such high profiles are failing to protect against DNS rebinding attacks, there must be countless other vendors that are failing as well.

The first mention of this service that I've been able to find surfaced back in 2013, when Brandon Fiquett wrote about a Local API he found while sniffing the Wi-Fi traffic to his Chromecast.

By following the wrong link, or being served a malicious banner advertisement, you could inadvertently provide an attacker with access to the thermostat that controls the temperature in your home.

Many moons ago, browser vendors decided it probably wouldn't be a good idea for web pages served from one domain to be able to make arbitrary requests to another domain without explicit permission from that second domain.
What if your roommate left their web browser open on their laptop and an HTML advertisement sends your Chromecast into reboot loops while you are trying to watch a movie?
One of my favorite attack scenarios targeting this API is an abuse of the Wi-Fi scanning capability.
Attackers could pair this information with publicly accessible wardriving data and get accurate geolocation using only your list of nearby Wi-Fi networks.
This scenario is an actual exploit (CVE-2018-11315) that I've found and used against my Radio Thermostat CT50 "smart" thermostat.
An attack like this can have far-reaching and devastating effects on devices or services running on a private network.
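One device-side defense that fits the heading of this section is Host header validation, a standard mitigation for DNS rebinding. The following is an added example, written for this page; it is not code from the original post, from the Chromecast Local API, or from the Radio Thermostat firmware. A rebinding victim's browser connects to the device at its private address but still sends the attacker's domain in the Host header, so a service that only accepts its own addresses and configured names rejects the rebound request. The device addresses, the name thermostat.local, the port 8008 and the sample requests below are all constructed for the illustration.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed configuration for a hypothetical LAN device. A real device would
# read its own interface addresses at startup instead of hard-coding them.
DEVICE_ADDRESSES = {"192.168.1.50", "fe80::1"}
DEVICE_NAMES = {"thermostat.local"}


def _parse_host_header(value: str) -> Optional[str]:
    """Return the host part of a Host header (port removed), or None if malformed."""
    value = value.strip().lower()
    if not value:
        return None
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. "[fe80::1]:8008"
        end = value.find("]")
        if end == -1 or (len(value) > end + 1 and value[end + 1] != ":"):
            return None
        return value[1:end]
    if value.count(":") > 1:                  # bare IPv6 literals are not legal in Host
        return None
    return value.rsplit(":", 1)[0]


def _normalize_ip(text: str) -> Optional[str]:
    """Canonical string form of an IP literal, or None if text is not one."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def host_header_is_trusted(host_header: Optional[str],
                           own_addresses: Iterable[str] = DEVICE_ADDRESSES,
                           own_names: Iterable[str] = DEVICE_NAMES) -> bool:
    """True only when Host names this device by one of its own IPs or configured names.

    Under DNS rebinding the TCP connection arrives at the device's private IP,
    but the browser fills Host with the attacker's domain, so an exact-match
    check against what the device knows itself as is enough to tell them apart.
    """
    if host_header is None:                   # HTTP/1.0 client or stripped header
        return False
    host = _parse_host_header(host_header)
    if host is None:
        return False
    ip = _normalize_ip(host)
    if ip is not None:
        return ip in {_normalize_ip(a) for a in own_addresses}
    return host in {n.lower() for n in own_names}


def handle_request(headers: dict) -> int:
    """Minimal dispatcher: 403 for an untrusted Host header, 200 otherwise."""
    if not host_header_is_trusted(headers.get("Host")):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests as a browser or script would send them.
    samples = {
        "browser on the LAN, by IP":       {"Host": "192.168.1.50:8008"},
        "browser on the LAN, by name":     {"Host": "Thermostat.local"},
        "browser on the LAN, IPv6":        {"Host": "[fe80::1]:8008"},
        "DNS rebinding attack":            {"Host": "rebind.attacker.example"},
        "rebinding via public IP literal": {"Host": "203.0.113.7"},
        "HTTP/1.0 client, no Host":        {},
    }
    for label, hdrs in samples.items():
        print(f"{label:32s} -> {handle_request(hdrs)}")
```

The check only works if the device compares against names it actually registers (an mDNS name, for instance) and its real interface addresses; accepting any private-range IP would let a rebound request with a forged private Host through. It also does nothing against an attacker who is already on the LAN, which is a different threat from the one the post describes.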