New CallStranger vulnerability puts billions of Internet of Things devices at risk


A new UPnP vulnerability, Call Stranger, affects billions of Internet of Things devices and could be exploited for DDoS attacks and stealing confidential information.

This is one vulnerability that could affect you, me, and everybody who uses any sort of Internet of Things device. The vulnerability, named CallStranger, resides in the core of the Internet of Things and allows attackers to hijack smart devices for distributed denial of service (DDoS) attacks. The vulnerability can also be used to bypass security solutions, scan a victim’s internal network, and steal confidential information about the victim.

Security experts disclosed this new UPnP vulnerability and have named it Call Stranger. The Call Stranger vulnerability is so serious that it affects billions of devices and could be exploited by potential hackers for distributed denial-of-service (DDoS) attacks and data exfiltration. The bug impacts UPnP, which stands for Universal Plug and Play, a feature that allows devices to see each other on local networks and then establish connections to easily exchange data, configurations, and sync across platforms. A common example is your Wi-Fi router, which can seamlessly discover the presence of other devices on the network and establish functional network services for data sharing, communications, and entertainment.

The Call Stranger IoT vulnerability

The bug was first discovered in December 2019 by Yunus Çadırcı, a security engineer from EY, Turkey. According to Çadırcı, any potential hacker can send TCP packets that contain a malformed callback header value in UPnP’s SUBSCRIBE function to a remote device.

The bug works by using the malformed header to abuse any Internet of Things device that is connected to the internet and supports the UPnP protocols, such as Wi-Fi routers, NAS devices, security cameras, DVRs, printers, and others. To execute the CallStranger attack, the hacker targets the device’s internet-facing interface, but the code executes on the device’s UPnP function, which usually runs on the internally-facing ports only (inside the LAN).

Çadırcı says attackers could use the CallStranger bug to successfully bypass network security solutions, bypass firewalls, and then scan a company’s internal networks. The Call Stranger vulnerability has been assigned CVE-2020-12695 and can allow any potential hacker to send large amounts of data to arbitrary destinations exposed online.

Çadırcı explained that the vulnerability can be used for:

  • Bypassing DLP and network security devices to exfiltrate data
  • Using millions of Internet-facing UPnP devices as a source of amplified reflected TCP DDoS (not same with )
  • Scanning internal ports from Internet-facing UPnP devices

Call Stranger mitigation

The fix for this IoT vulnerability is extremely difficult to implement as there are millions of vendors catering to various classes of IoT devices. Çadırcı has suggested that IoT makers can mitigate the CallStranger issue by implementing the updated Open Connectivity Foundation (OCF) UPnP protocol specification.

Another way suggested by Çadırcı is for manufacturers to disable the UPnP SUBSCRIBE capability in default configurations, and to ensure that explicit user consent is required to enable SUBSCRIBE with any appropriate network restrictions.
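One way a device could apply such a network restriction to SUBSCRIBE requests is shown below as an added example; it is not code from Çadırcı, the OCF specification, or any vendor. The policy (the callback must be plain HTTP to a literal IP that is the subscriber's own address inside an assumed 192.168.1.0/24 LAN), the function names, and the sample requests are all assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the device serves UPnP only on this LAN segment.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample requests (not captured traffic).
GOOD = ("SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
        "CALLBACK: <http://192.168.1.20:8080/evt>\r\nNT: upnp:event\r\n"
        "TIMEOUT: Second-1800\r\n\r\n")
BAD = GOOD.replace("192.168.1.20:8080", "203.0.113.7:80")

def parse_callbacks(raw_request):
    """Return the delivery URLs from the CALLBACK header of a SUBSCRIBE request."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            # Several URLs are allowed, each wrapped in angle brackets.
            return re.findall(r"<([^<>]*)>", value)
    return []

def callback_allowed(url, peer_ip):
    """Allow only http:// to a literal LAN IP that is the subscriber itself."""
    try:
        parts = urlsplit(url)
        host = ipaddress.ip_address(parts.hostname or "")
        peer = ipaddress.ip_address(peer_ip)
        parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False  # hostnames, empty hosts and bad ports are refused
    return parts.scheme == "http" and host == peer and host in LOCAL_NET

def check_subscribe(raw_request, peer_ip):
    """Decide whether a SUBSCRIBE received from peer_ip may be accepted."""
    urls = parse_callbacks(raw_request)
    if not urls:
        return False, "no usable CALLBACK header"
    for url in urls:
        if not callback_allowed(url, peer_ip):
            return False, f"callback outside policy: {url}"
    return True, "ok"

if __name__ == "__main__":
    print(check_subscribe(GOOD, "192.168.1.20"))
    print(check_subscribe(BAD, "192.168.1.20"))
    print(check_subscribe(GOOD, "198.51.100.9"))
```

Refusing hostnames outright avoids a DNS lookup on attacker-supplied input, and requiring the callback host to equal the requester's address means a subscriber can only ask for events to be delivered to itself.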

Unfortunately, with the use of the Internet of Things being so widespread, it could take years for all vendors to mitigate the Call Stranger CVE-2020-12695 issue.

