In March, artist and programmer Brannon Dorsey became interested in a retro web attack called DNS rebinding, teaching himself how to illicitly access controls and data by exploiting known browser weaknesses. It's a vulnerability that researchers have poked at on and off for years—which is one reason Dorsey couldn't believe what he found.
Sitting in his Chicago apartment, two blocks from Lake Michigan, Dorsey did what anyone with a newfound hacking skill would: He tried to attack devices he owned. Instead of being blocked at every turn, though, Dorsey quickly discovered that the media streaming and smart home gadgets he used every day were vulnerable to varying degrees to DNS rebinding attacks. He could gather all sorts of data from them that he never would have expected.
"I'm technical, but I'm not an information security professional," Dorsey says. "I didn’t reverse any binaries or do any intense digging. I just followed my curiosities and suddenly I found some sketchy shit. I was just sitting there thinking 'I cannot be the only person in the world who is seeing this.'"
Between his own gadgets and borrowing others from friends, Dorsey found DNS rebinding vulnerabilities in virtually every model of Google Home, Chromecast, Sonos Wi-Fi speakers, Roku streaming devices, and some smart thermostats. Dorsey's experimental attacks, which he outlined in research published Tuesday[1], didn't give him full keys to the kingdom, but in each case he could gain more control and extract more data than he should have been able to.
For example, on Roku devices running Roku OS 8.0 or lower, Dorsey found that an attacker could use the streamer's External Control API to control buttons and key presses on the device, access