As part of the attack, an adversary could set up a crafted website and lure the intended victim into visiting it. As soon as that happens, malicious code on the site starts sending multiple fetch requests from the victim’s browser, allowing the attacker to identify and access devices on the local network.
Devised by Ben Seri and Gregory Vishnipolsky of IoT security company Armis, together with researcher Samy Kamkar, the attack is a variant of the NAT Slipstreaming attack that was detailed in October 2020, and which could be leveraged to target local network services.
