[Technical] The pros and cons of DNS Rebinding protection

Warning, This topic discusses an deep technical network issue. It should not be an issue for most of the average Homey Pro users on default consumer Internet connections.

The pros and cons of DNS Rebinding protection

Athom uses a technique for secure communication on your Local Network (WiFi) that possibly conflicts with another security option available in newer consumer routers and access points.

I created this Topic to provide a central place to discuss the issue and possible solutions.
Please let me know if you want to Edit this Topic.

The issue with DNS Rebinding.

Technically for remote attackers it could be possible to use several ways of DNS Rebinding to Access a device on your Local network by sending Local IP addresses on your DNS Requests. As this Could be unwanted it is possible to protect you with several options:

  • Rebind Protection in WebBrowsers
  • Rebind Protection in DNS Resolvers / Routers.
  • …

Rebind Protection in DNS Resolvers / Routers filter out (all or some of) the local IP addresses in responses from DNS requests to internet and several newer routers have that option and enable it by default. Sometimes the options are added to provider Routers/modems in newer firmware and enabled.

The Issue with Homey using DNS Rebind protection

When you’re at home, Homey first tries to use a local secure connection (HTTPS). Only when local TLS does not work, Homey uses a local insecure connection (HTTP).
Homey uses a SSL Certificate (Needs to for encryption) and for that Certificate it needs to be accessed using a FQDN on that certificate. This is the DNS name that Homey uses with your Local IP Address: 1-2-3-4.homey.homeylocal.com. Where the first numbers should reflect your Homey Pro’s local IP address separated by dashes. It alway resolves to that same IP address.

Usually if the connection in your Homey Mobile App doesn’t work “Local (Secure)” it switches to “Local” and drops the extra encryption. This should be no issue as you should be on your own “protected” WiFi / LAN network at that moment.

Sometimes Users in the community complain Homey Pro isn’t stable working / often disconnects / etc. In that case you could test temporary if disabling DNS Rebind protection in your router solves this issue.

In the case that solves it please report your issue / temporary workaround to Athom Support. (As disabling DNS Rebind protection is your own Risk and choice). Also please report here in this Topic your Network configuration (ISP, Router brand and Firmware version, setting you changed) it could help other community members.

More information

I will create two Reserved Posts for updating with fe known issues or configurations and move a recent discussion below. PM me if I missed something, if you have additional information or want to add something to this post. If necessary we can make it a Wiki

2 Likes

Reserved

Reserved

Yes, to make Homey “more secure” you have to downgrade the security of your entire local network. It’s a feature, not a bug.

Yes, this is better, than some competitors, does not havin’ https at all. May-be the same reason, do not have browsers/developers complain. No certificate - no problem :zipper_mouth_face:

1 Like

Using HTTPS on a local network doesn’t add a whole lot of security, certainly not so much that it warrants having to disable DNS rebinding attack protection to get it working. It also requires an always-on internet connection, because the hostname should be resolvable.

From my point of view it’s really depends. But for me personally seems, that unencrypted traffic in “public network” is little bit bigger sin than …
Yeah, sorry, but most of nowadays home-users WiFi networks are actually just waiting someone to join ;(

So, may-be then for Athom - give to Homey also certificate with alias from local DNS, not a “one for all” - ‘*.homey.homeylocal.com’

I don’t see how that’s possible, you can’t get certificates for hostnames like homey.local.

Regarding bad WiFi networks: at least that requires a relatively close proximity to the network to be abused. And when it gets abused, it’s not likely that the communication between Homey and your mobile phone is the likely target. Whereas DNS rebinding attacks can be done remotely and can be just as damaging as a WiFi hack.

Guess Athom follows you on that point and if I remember changed their point. Although not that clear for a normal user what to do but I guess Athom isn’t the one responsible for education of users the differences on such a complex topic.

Note: Some routers block a feature called ‘DNS Rebinding’. For a local secure connection to work, this feature must be disabled. We do not advice to do this, but it’s something to consider.

So if I understand correctly everything should function the same with DNS rebinding protection enabled. With only difference for connections are local unencrypted.

Well yes, in theory. In practice, search around on the forum for people having issues with their Homey being “offline” until they disable it.

1 Like

Actually every Homey knows his hostname - at least i hope so. So, during “E.T. calls home”, it’s possible to ask also certificates. Yes, this is additional connection and also may lead to some delay during initial connect (and also, when someone changes the hostname). But in theory this must be working.

Yeah, of course… or nope, if The Bad is really interested… or just a DIY-ers with “Pringles cantenna”. And even without such equipment. Have seen ~50 different WiFi networks on my phone in “normal situation” (just a dense living block, not some exhibition or something)

About targets… Actually, Homey smells like honey for attacker. For proffessional - it’s the key for doorlock, disarm button for alarm system and also indicator about presence. For amateur it’s very interesting to see: Sending packet and there the light switch on.

About communication between phone and Homey - start some sniffer, and look, how many “bonjours” and SSDP-s You can count from Homey during a minute. So, target is self-advertising. Only sniff some real connection (as this is WiFi, then it’s public, no need to fool switches) and take the bearer.

1 Like

On my local network, Homey’s hostname is “Homey”. That’s not something you can get a certificate for. It’s also not how the app connects with Homey (because it depends too much on your local setup to actually work). That’s why the homeylocal.com workaround is used.

Agreed, Homey is a great target. And if people are stupid enough to use bad WiFi, they’re also stupid enough to use Homey as an alarm system :wink: But if I were a professional, I would look into how each Homey receives the private keys for the *.homeylocal.com certificate from Athom’s servers: endless MITM possibilities :sweat_smile:

What about DNS services that offer DNS Rebinding Protection, like NextDNS?

(I seem to have that option enabled in that service)

Again /OT
Interesting if they provide all Homey Pro’s a new Private Key or only extend a Certificate. Keep an Eye on it next month.
image

Is this a self-signed certificate or one assigned by a trustworthy Certificate Authority which validated Athom’s identity?

Maybe you can make an exception for this DNS domain or add your own record for your Homey Pro and give it an DHCP reservation.

Name: 1-2-3-4.homey.homeylocal.com.
Address: 1.2.3.4

AFAIK, there’s no such thing as extending a certificate, you’ll just get a new one. With a new private key.

A Homey can’t request this by itself (because of validation), so it’s something that Athom needs to do on their servers and then distribute the new certificate (including its private key) among all active Homey’s.

Neither. It uses Let’s Encrypt, so the certificates are accepted by pretty much all TLS implementations, but Let’s Encrypt doesn’t perform identity validation (only domain validation).

2 Likes

Yes I know, the “Certificate” itself is new but the Priv Key isn’t necessary. With all othe infor the same I Guess it is often called “Renew” a Certificate.

Can I use an existing private key or Certificate Signing Request (CSR)?

Yes, but not all clients support this feature. Certbot does.

But pretty sure Athom can let Homey Pro’s replace Both the Certificate and the Private Key without Firmware changes. Guess Homey has a standard service that Request and installs it at a Homey Cloud server.

The only way I see how is by downloading both from Athom servers at a regular interval. Because it’s a wildcard certificate, DNS validation is required so renewing the certificate is not something that a Homey can do by itself automatically. Also, I assume that every Homey uses the exact same certificate.