CallStranger - This Plug and Play Vulnerability Allows Security System Bypass and LAN Scanning

The CallStranger UPnP vulnerability 

• In June 2020, a vulnerability dubbed CallStranger was disclosed, that exists in the core protocol Universal Plug and Play (UPnP), used in billions of IoT devices.
• Tracked as CVE-2020-12695, this vulnerability was first identified in December 2019 by the security researcher named Yunus Çadirci. It can be exploited to send traffic to arbitrary destination systems, by using the SUBSCRIBE functionality.
• This can allow a hacker to hijack smart devices for DDoS attacks, as well as he can bypass DLP and network security devices to exfiltrate data.

Risks to the security with UPnP

• In May 2019, a UPnP vulnerability was found in D-Link DCS 2132L cloud cameras, due to which it could set port forwarding to itself. This could expose its HTTP interface on port 80 to the internet, even without the user’s consent, thus leaking sensitive data.
• In April 2019, an updated Bashlite malware was observed, designed to target IoT devices via WeMo UPnP APIs, impacting a wide range of devices including internet-connected cameras, electrical plugs, light switches, bulbs and motion sensors.

Safety Tips

• Users can use the vulnerability checker provided by the security researcher to test their devices.
• In case devices are vulnerable, users can avoid port forward to UPnP endpoints.
• ISP’s can block access to unused UPnP Control & Eventing ports, and reconfigure CPE's with help of TR-069.