UPDATED 22:19 EDT / JUNE 08 2020

SECURITY

CallStranger vulnerability in UPnP devices opens the door to data theft

A vulnerability found in billions of Universal Plug and Play devices allows attackers to steal data, scan networks and potentially cause a network to participate in the distributed denial-of-service attack.

Dubbed CallStranger, the vulnerability was discovered by security researcher Yunus Çadirci in December and detailed on a new site dedicated to the vulnerability launched today.

The vulnerability can be used to target any UPnP device, though home users are not expected to be targeted directly. Internet service providers are particularly at risk, along with enterprises.

The CallStranger site recommends that ISPs ask vendors to update devices open to the vulnerability, while device vendors should patch devices if they have not done so already. The site recommends that enterprises should take their own actions, including a variety of mitigation actions depending on their circumstances. Recommended actions include closing UPnP ports is there is no business need; blocking all SUBSCRIBE and NOTIFY HTTP packets in traffic; disable UPnP services in IP cameras, printers, routers and other devices on intranets if it’s not a business requirement; and considering not placing unsecured UPnP devices on their network.

“UPnP was effectively designed from the ground up without security,” Craig Young, computer security research for Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “Although applications can staple on authentication, in most cases all requests from the local network are just trusted.”

What’s worse, he added, is that these devices rarely employ protections against cross-site attacks and a malicious website can leverage UPnP services to manipulate and even compromise remote devices. “The best course of action when it comes to UPnP is to simply turn it off,” he said.

Explaining the technical side, Young said that “the SUBSCRIBE method in UPnP allows nodes on the network to register a URL to receive callbacks as specified conditions are met. The problem described by the CallStranger vulnerability is that this callback URL is not restricted to the local network. An attacker could leverage the millions of UPnP devices improperly connected to quickly direct large volumes of traffic to DDoS targets.”

Photo: Pxhere

A message from John Furrier, co-founder of SiliconANGLE:

Support our open free content by sharing and engaging with our content and community.

Join theCUBE Alumni Trust Network

Where Technology Leaders Connect, Share Intelligence & Create Opportunities

11.4k+  
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+ 
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.

SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.