UPDATED 22:19 EDT / JUNE 08 2020

SECURITY

CallStranger vulnerability in UPnP devices opens the door to data theft

A vulnerability found in billions of Universal Plug and Play devices allows attackers to steal data, scan networks and potentially cause a network to participate in the distributed denial-of-service attack.

Dubbed CallStranger, the vulnerability was discovered by security researcher Yunus Çadirci in December and detailed on a new site dedicated to the vulnerability launched today.

The vulnerability can be used to target any UPnP device, though home users are not expected to be targeted directly. Internet service providers are particularly at risk, along with enterprises.

The CallStranger site recommends that ISPs ask vendors to update devices open to the vulnerability, while device vendors should patch devices if they have not done so already. The site recommends that enterprises should take their own actions, including a variety of mitigation actions depending on their circumstances. Recommended actions include closing UPnP ports is there is no business need; blocking all SUBSCRIBE and NOTIFY HTTP packets in traffic; disable UPnP services in IP cameras, printers, routers and other devices on intranets if it’s not a business requirement; and considering not placing unsecured UPnP devices on their network.

“UPnP was effectively designed from the ground up without security,” Craig Young, computer security research for Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “Although applications can staple on authentication, in most cases all requests from the local network are just trusted.”

What’s worse, he added, is that these devices rarely employ protections against cross-site attacks and a malicious website can leverage UPnP services to manipulate and even compromise remote devices. “The best course of action when it comes to UPnP is to simply turn it off,” he said.

Explaining the technical side, Young said that “the SUBSCRIBE method in UPnP allows nodes on the network to register a URL to receive callbacks as specified conditions are met. The problem described by the CallStranger vulnerability is that this callback URL is not restricted to the local network. An attacker could leverage the millions of UPnP devices improperly connected to quickly direct large volumes of traffic to DDoS targets.”

Photo: Pxhere

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU