In March, artist and programmer Brannon Dorsey became interested in a retro web attack called DNS rebinding, teaching himself how to illicitly access controls and data by exploiting known browser weaknesses. It's a vulnerability that researchers have poked at on and off for years—which is one reason Dorsey couldn't believe what he found.

Sitting in his Chicago apartment, two blocks from Lake Michigan, Dorsey did what anyone with a newfound hacking skill would: He tried to attack devices he owned. Instead of being blocked at every turn, though, Dorsey quickly discovered that the media streaming and smart home gadgets he used every day were vulnerable to varying degrees to DNS rebinding attacks. He could gather all sorts of data from them that he never would have expected.

"I'm technical, but I'm not an information security professional," Dorsey says. "I didn’t reverse any binaries or do any intense digging. I just followed my curiosities and suddenly I found some sketchy shit. I was just sitting there thinking 'I cannot be the only person in the world who is seeing this.'"

Between his own gadgets and borrowing others from friends, Dorsey found DNS rebinding vulnerabilities in virtually every model of Google Home, Chromecast, Sonos Wi-Fi speakers, Roku streaming devices, and some smart thermostats. Dorsey's experimental attacks, which he outlined in research published Tuesday, didn't give him full keys to the kingdom, but in each case he could gain more control and extract more data than he should have been able to.


For example, on Roku devices running Roku OS 8.0 or lower, Dorsey found that an attacker could use the streamer's External Control API to control buttons and key presses on the device, access the inputs for device sensors like the accelerometer, gyroscope, and magnetometer, search content on the device, and even launch apps. On Sonos Wi-Fi speakers, an attacker could access extensive information about the Wi-Fi network a speaker is connected to, useful for mapping out network attributes and broader recon. And by attacking the public API in Google's connected devices, a hacker could trigger Google Home and Chromecast restarts at will. That results in essentially a denial of service attack, keeping users from being able to interact with their device, or sending it offline at strategic times. Attackers could also get Google Home and Chromecast to cough up information about the Wi-Fi network they are connected to, and triangulate it with the list of nearby Wi-Fi networks to accurately geolocate the devices.

In a DNS rebinding attack, a hacker capitalizes on weaknesses in how browsers implement web protocols. They craft malicious websites that can game the trust protections meant to block unauthorized communication between web services. From there, an attacker uses methods like phishing or malvertising to trick victims into clicking a link to their site, and then moves to illicitly access whatever controls and data are exposed on their device or network. One wrong click or tap and an attacker could take over your smart device.

Though DNS rebinding stems from some fundamental issues with how browsers mediate trust relationships online, sites and services can also limit their exposure using relatively simple mechanisms like authentication protections or HTTPS encrypted connections. This may be why this class of attacks hasn't generated sustained interest or concern among security professionals.
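The simplest of those mechanisms is one the article does not name but that defenders rely on: a device's local HTTP API checks the Host header and refuses any request that does not name the device itself. A rebound request still carries the attacker's domain in its Host header, because that is the name the browser was told to contact, so the check stops it before any handler runs. The following is an added illustration, not code from Dorsey's research or from any vendor mentioned here; the allowed hostnames and the port are constructed example values, and a real device would add its own current LAN addresses to the allow-list.

```python
"""Host-header validation for a LAN-facing HTTP API (added example).

A browser that has been rebound to a local device sends the attacker's
domain in the Host header, so a service that only answers requests whose
Host header names itself rejects rebound traffic outright.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list: names and addresses this service answers to.
# A real device would also include its current LAN IP address(es).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "mydevice.local"}


def host_from_header(value):
    """Return the host part of a Host header value, without any port.

    Handles 'name:8080', '[::1]:8080' and bare names. Returns '' for a
    missing or malformed value so that callers fail closed.
    """
    if value is None:
        return ""
    value = value.strip().lower()
    if not value:
        return ""
    if value.startswith("["):            # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return ""
        return value[1:end]
    # A single colon separates host from port; more than one means an
    # unbracketed IPv6 literal, which the Host header syntax forbids.
    if value.count(":") > 1:
        return ""
    return value.split(":", 1)[0]


def is_allowed_host(value, allowed=ALLOWED_HOSTS):
    """True only when the Host header names this service itself."""
    host = host_from_header(value)
    return bool(host) and host in allowed


class RebindSafeHandler(BaseHTTPRequestHandler):
    """Minimal API handler that refuses requests with a foreign Host."""

    def do_GET(self):
        if not is_allowed_host(self.headers.get("Host")):
            # Rebound browser requests land here: the Host header still
            # carries the attacker's domain, not one of ours.
            self.send_error(403, "Forbidden: unexpected Host header")
            return
        body = b'{"status": "ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed port; bind to the loopback address for local testing.
    HTTPServer(("127.0.0.1", 8080), RebindSafeHandler).serve_forever()
```

Because the check keys only on the Host header, it needs no knowledge of which DNS answers the client saw, and it composes with the authentication and HTTPS protections mentioned above rather than replacing them; with HTTPS, a rebound request additionally fails certificate validation, since the device's certificate does not cover the attacker's domain.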

But over the past seven months, there has been a growing understanding in the security community that DNS rebinding bugs may represent a much larger group of vulnerabilities than people have previously acknowledged. Google Project Zero researcher Tavis Ormandy recently found DNS rebinding vulnerabilities in the Transmission BitTorrent client and the update mechanism for Blizzard video games, and researchers have also discovered the bugs in various Ethereum wallets—potentially exposing people's cryptocurrency.

DNS rebinding bugs have a "history of being dismissed by developers, and many times it is left as an unaddressed issue," Ariel Zelivansky, a researcher at the security firm Twistlock, wrote in a prescient February warning about the rise of DNS rebinding vulnerabilities.