CallStranger - This Plug and Play Vulnerability Allows Security System Bypass and LAN Scanning

Universal Plug and Play (UPnP) is a set of networking protocols that allow the sharing of data over networks, but it also often exposes the data due to several security vulnerabilities. One such recent vulnerability has been recently identified, which could impact billions of IoT devices.

The CallStranger UPnP vulnerability 

  • In June 2020, a vulnerability dubbed CallStranger was disclosed, that exists in the core protocol Universal Plug and Play (UPnP), used in billions of IoT devices.
  • Tracked as CVE-2020-12695, this vulnerability was first identified in December 2019 by the security researcher named Yunus Çadirci. It can be exploited to send traffic to arbitrary destination systems, by using the SUBSCRIBE functionality.
  • This can allow a hacker to hijack smart devices for DDoS attacks, as well as he can bypass DLP and network security devices to exfiltrate data.

Risks to the security with UPnP

Hackers have been exploiting the UPnP vulnerabilities in the past as well. Although, most of the previous attacks were not malicious, as they did not attempt to steal data or directly damage the devices, but were limited to causing Denial-of-Service attacks on corporate networks. Here are some notable vulnerabilities related to UPnP.
  • In May 2019, a UPnP vulnerability was found in D-Link DCS 2132L cloud cameras, due to which it could set port forwarding to itself. This could expose its HTTP interface on port 80 to the internet, even without the user’s consent, thus leaking sensitive data.
  • In April 2019, an updated Bashlite malware was observed, designed to target IoT devices via WeMo UPnP APIs, impacting a wide range of devices including internet-connected cameras, electrical plugs, light switches, bulbs and motion sensors.

Safety Tips

The CallStranger is a protocol-level vulnerability, and it is expected to take some time before vendors provide the patches.
  • Users can use the vulnerability checker provided by the security researcher to test their devices.
  • In case devices are vulnerable, users can avoid port forward to UPnP endpoints.
  • ISP’s can block access to unused UPnP Control & Eventing ports, and reconfigure CPE's with help of TR-069.