The Black Hat conference is taking place this week in Las Vegas, bringing together security researchers and academics from all over the world to discuss the most pressing information security issues. Among the many (overly) hyped vulnerabilities set to be revealed is one the researcher claims threatens the security of “millions” of home routers. And according to the researcher, OpenDNS is not a fix.
Since the vulnerability was first publicized, we’ve made several attempts to contact Craig Heffner, the researcher, and get more detail. We’ve phoned. We’ve emailed. We’ve contacted reporters who’ve spoken to the researcher and had their help connecting to the researcher. I’ve even Facebook messaged his coworkers. I haven’t had a single reply.
Why the aggressive outreach from us? Because we want to be a fix. We work hard to make OpenDNS a solution to the many problems system administrators and security pros face. In fact, our entire service was designed to address the problems you want it to address. The only information we have is that this deals with DNS Rebinding. Fortunately, OpenDNS has secured users from DNS rebinding attacks for a long time. But we don’t know what’s different about Craig’s new rebinding attack.
When Dan Kaminsky and his firm IOActive famously revealed a major DNS flaw at the very same conference a few years ago, OpenDNS by then had worked to ensure that our service was secure and not threatened by the vulnerability. When the Conficker virus gained traction and proved it posed a real threat, security firm Kaspersky Labs and OpenDNS quickly teamed to block the domains from resolving for OpenDNS users. This sort of cooperation by industry leaders, groups and companies is, in my humble opinion, exemplary. It’s absolutely in the best interest of Internet users as it reduces the window of vulnerability. And we’re always happy to keep details of security issues secret, so the researcher can announce it without the risk of someone else stealing their thunder.
Could OpenDNS be a fix to the vulnerability said to threaten millions of home routers? Probably, but I can’t say since I have no information about how it works. All we know is that it has to do with DNS Rebinding attacks, which is a very old threat and is one we’ve done a great job of protecting users from in the past. Is OpenDNS a fix as-is already? Can’t say that either. It might be. Or we might have to tweak something. What I can say is that we have world-class engineers who are ready and willing to do whatever work possible to make OpenDNS a solution. But we can’t do that, because we don’t have the cooperation of the researcher.
In any event, at OpenDNS we believe in Responsible Disclosure. It’d be nice if Craig Heffner, the researcher in this case, believed in the same.