Berkner Tech

DNS Rebinding Attacks Against Local IoT Devices

Figure: DNS rebinding attack against a local IoT device, from luring a browser to driving the device API.

A smart device sitting behind a home router is shielded from inbound connections, but it still has a reachable adversary: the user's own browser, which is already inside the network. DNS rebinding tricks a web page into talking to a device on the local network, so the firewall never sees anything but ordinary outbound browsing from the user's machine. It works whenever the device trusts the local network. Here is how the attack flows and how to make a device resist it.

How the Browser Becomes the Attacker

When a user visits a malicious page, the same-origin policy lets that page read responses only from its own origin, and an origin is defined by scheme, hostname and port, not by IP address. DNS rebinding exploits that gap: the attacker's hostname first resolves to the attacker's server, which delivers the page, and then, once the browser's cached answer expires, to the private IP of a device on the user's LAN. As far as the browser is concerned the origin has not changed, so the page's scripts can now send requests to the device and read the replies in full.

The Rebinding Step

The trick is a DNS answer with a very short time to live (TTL), so the browser re-resolves the name quickly and the attacker can flip the answer from their server to the device almost immediately. Browsers pin a resolved address for a short period regardless of TTL, so the page keeps retrying its requests until the flip takes effect:

Figure: anatomy of a rebinding DNS answer, showing a short TTL that flips a domain to a local device IP.
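To make the anatomy concrete, here is an added example (not code from the article) that builds the wire-format answer a rebinding resolver hands out, decodes it back, and shows the resolver-side check that defeats it: dropping upstream answers that map a public name to a private address, which is what dnsmasq's stop-dns-rebind option does. The hostname attacker.example, the attacker address 203.0.113.10 and the device address 192.168.1.50 are assumptions for the example.

```python
import struct
import ipaddress

# Assumed values for the example; not taken from the article.
ATTACKER_NAME = "attacker.example"
ATTACKER_IP = "203.0.113.10"   # assumed public address of the attacker's web server
DEVICE_IP = "192.168.1.50"     # assumed private address of the target device

# Ranges a rebinding filter refuses to accept from an upstream resolver
# (RFC 1918 plus loopback, link-local and "this network").
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, name, ip, ttl):
    """A minimal authoritative DNS response carrying a single A record."""
    flags = 0x8400  # QR=1 (response), AA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # Answer: compression pointer to the name at offset 12, type A, class IN,
    # the TTL the attacker chooses, RDLENGTH 4 and the address itself.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) \
        + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def decode_a_response(packet):
    """Return (ttl, ip) from the first A record of a response built above."""
    pos = 12
    while packet[pos] != 0:          # skip the question name label by label
        pos += packet[pos] + 1
    pos += 1 + 4                     # terminating zero byte plus QTYPE/QCLASS
    _rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, pos + 2)
    pos += 2 + 10                    # name pointer plus fixed RR fields
    return ttl, str(ipaddress.IPv4Address(packet[pos:pos + rdlen]))


class RebindingResolver:
    """Answers the first query with the attacker's server (so the page loads)
    and every later query with the device, always with TTL 0."""

    def __init__(self, attacker_ip, device_ip):
        self.attacker_ip = attacker_ip
        self.device_ip = device_ip
        self.queries = 0

    def answer(self, txid, name):
        self.queries += 1
        ip = self.attacker_ip if self.queries == 1 else self.device_ip
        return build_a_response(txid, name, ip, ttl=0)


def answer_points_inside(packet):
    """Resolver-side rebinding filter: True if the answer for an external name
    resolves into a private range and should be discarded."""
    _ttl, ip = decode_a_response(packet)
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in PRIVATE_NETS)


if __name__ == "__main__":
    resolver = RebindingResolver(ATTACKER_IP, DEVICE_IP)
    for txid in (0x1234, 0x1235):
        pkt = resolver.answer(txid, ATTACKER_NAME)
        ttl, ip = decode_a_response(pkt)
        print(f"query {txid:#06x}: ttl={ttl} ip={ip} filtered={answer_points_inside(pkt)}")
```

The filter lives in the home router or local resolver, not in the device, so a device vendor cannot count on it being present; it is a useful defence in depth for the network operator, and the device-side checks described later remain necessary.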

Why the Device Cooperates

The attack only pays off if the device answers the request. Many local APIs do, because they assume the local network is trusted and never check who is asking, or even which hostname the request was addressed to:

# the request the rebound page makes, simulated
curl -H 'Host: attacker.example' http://192.168.1.50/api/info
Example output:
{"model":"SmartHub-2","firmware":"3.1.4","admin_unlocked":true}

The device answered a request whose Host header names a domain it has never heard of and returned administrative information. It trusts the network the request arrived from rather than the request itself: it checked neither the Host header nor a credential, which is exactly what makes rebinding work.

Three Things That Enable Rebinding

Rebinding pays off when the device's trust assumptions line up: it never checks the Host header, so a request addressed to attacker.example is served as if it were meant for the device; it never authenticates requests from the local network, so the answer it serves is worth having; and it sends permissive CORS headers (Access-Control-Allow-Origin: *), in which case a cross-origin page can read its responses without rebinding at all. Strict CORS is what forces an attacker to rebind in the first place; only the first two checks stop the rebound request once it arrives:

Figure: three things that enable DNS rebinding, with no Host header check, no LAN authentication and open CORS.

Becoming Immune

Validate the Host header against an allowlist of the device's own addresses and hostnames and reject anything else (a 400 or 421 response is appropriate), authenticate every request even when it arrives from the local network, and keep CORS strict so that a page on another origin cannot read responses directly. None of these depend on the client or the network: browser DNS pinning and resolver-side rebinding filters such as dnsmasq's stop-dns-rebind option raise the bar, but the device cannot assume either is in place. The root fix is the same as everywhere else in IoT: the local network is not a trust boundary, so do not treat presence on it as authorization.
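The following is an added example, not the article's code or any real SmartHub firmware, that simulates the device's handling of the /api/info request shown earlier: the permissive logic the article describes beside a hardened handler that checks the Host header, requires a credential and emits no CORS headers. The device address 192.168.1.50, the name smarthub.local, the bearer token and the JSON body are assumptions for the example.

```python
import hmac

# Assumed identities the device answers to; not taken from the article.
DEVICE_IPS = {"192.168.1.50"}
DEVICE_NAMES = {"smarthub.local"}                 # assumed local hostname
ADMIN_TOKEN = b"example-token-rotate-me"          # assumed per-device credential

# Body matching the article's example output.
INFO = {"model": "SmartHub-2", "firmware": "3.1.4", "admin_unlocked": True}


def _normalise(headers):
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def vulnerable_handle(headers):
    """The behaviour from the article: anything that reaches the LAN is served,
    with no Host check, no credential and a wide-open CORS policy."""
    return 200, {"Access-Control-Allow-Origin": "*"}, INFO


def host_allowed(host_header):
    """Allowlist the Host header against the device's own IPs and names.
    An optional port is dropped; IPv6 literals are not handled here."""
    if not host_header:
        return False
    host = host_header.partition(":")[0].strip().lower()
    return host in DEVICE_IPS or host in DEVICE_NAMES


def token_valid(auth_header):
    """Expect 'Bearer <token>' and compare in constant time."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    presented = auth_header[len("Bearer "):].encode()
    return hmac.compare_digest(presented, ADMIN_TOKEN)


def hardened_handle(headers):
    """Reject on Host first (cheapest check, and it is what a rebound request
    fails), then demand a credential. No Access-Control-Allow-Origin header is
    ever emitted, so a page on another origin cannot read the body directly."""
    h = _normalise(headers)
    if not host_allowed(h.get("host")):
        return 421, {}, {"error": "misdirected request"}   # 400 is equally fine
    if not token_valid(h.get("authorization")):
        return 401, {"WWW-Authenticate": "Bearer"}, {"error": "authentication required"}
    return 200, {}, INFO


if __name__ == "__main__":
    # What the rebound page sends: the browser fills in the attacker's hostname.
    rebound = {"Host": "attacker.example", "Origin": "http://attacker.example"}
    print("vulnerable:", vulnerable_handle(rebound)[0])
    print("hardened:  ", hardened_handle(rebound)[0])
```

Checking Host is what stops the rebound request in the example: the browser fills in the hostname the page was loaded from, so a rebound request always carries a Host the device does not own. The credential check is what protects against everything else on the LAN, rebinding or not.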

Where This Fits

Testing whether a device's local API can be driven through DNS rebinding is part of a connected-product penetration test, and that is the kind of work we do at Berkner Tech.
