A serious vulnerability has been identified in a key protocol found in almost all Internet of Things (IoT) devices. The vulnerability, called CallStranger, allows attackers to hijack smart devices to carry out DDoS attacks, as well as attacks that bypass security systems to run scans inside a victim's network. As a result, attackers can gain access to areas that would normally be off limits to them.
CallStranger vulnerability affects UPnP
The CallStranger vulnerability is reported to affect UPnP (Universal Plug and Play), a set of protocols found in most smart devices.
UPnP allows devices to "see" each other on LANs and create connections to easily share data, configurations, etc.
UPnP has been around since the early 2000s, but since 2016 its development has been managed by the Open Connectivity Foundation (OCF).
Technical details of the CallStranger vulnerability
In December 2019, a security engineer named Yunus Çadirci found a flaw in this extremely common technology.
Çadirci says an attacker can send TCP packets to a remote device containing a malformed Callback header value in UPnP's SUBSCRIBE function.
Malicious hackers can abuse this header to exploit any smart device that remains connected to the Internet and supports the UPnP protocols (e.g. security cameras, DVRs, printers, routers and more).
In a CallStranger attack, the intruder targets the device's internet-facing interface but executes the device's UPnP code, which usually runs only on internal ports (inside the LAN).
Çadirci says attackers could use the CallStranger vulnerability to bypass network security systems and firewalls and scan a company's internal networks.
Other attacks are also possible, such as DDoS. These also include data theft, as the attacker gains access to the vulnerable device's data.
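As an added illustration for defenders (not Çadirci's scripts and not code from the original article), the following Python sketch reviews logged UPnP SUBSCRIBE requests and reports any whose Callback header points somewhere other than the host that sent the request. The LAN subnet, the function names, the sample requests and the "callback must point back to the sender" policy are all assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet

# Constructed samples: (sender address, raw request) as a sensor might log them.
SAMPLES = [
    ("192.168.1.20", "SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
     "CALLBACK: <http://192.168.1.20:8080/notify>\r\nNT: upnp:event\r\n\r\n"),
    ("203.0.113.7", "SUBSCRIBE /event HTTP/1.1\r\nHOST: 198.51.100.10:49152\r\n"
     "CALLBACK: <http://198.51.100.99:80/x>\r\nNT: upnp:event\r\n\r\n"),
]

def callback_urls(raw):
    """Return Callback URLs of a SUBSCRIBE request, or None for other methods."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not head[0].upper().startswith("SUBSCRIBE "):
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            return re.findall(r"<([^<>]*)>", value)
    return []

def check_subscribe(src_ip, raw):
    """Return findings for one request; an empty list means nothing to report."""
    urls = callback_urls(raw)
    if urls is None:
        return []
    src = ipaddress.ip_address(src_ip)
    findings = []
    if src not in LAN:
        findings.append(f"SUBSCRIBE from {src_ip}, outside {LAN}")
    for url in urls:
        try:
            host = ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            findings.append(f"callback {url!r} has no IP-literal host")
            continue
        if host != src:
            findings.append(f"callback host {host} is not the sender {src_ip}")
    return findings

if __name__ == "__main__":
    for src, raw in SAMPLES:
        print(src, check_subscribe(src, raw) or "ok")
```
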
It may take some time to correct the vulnerability
Çadirci said he had informed the OCF of the vulnerability. The OCF has since updated the UPnP protocols; the updates were released on April 17, 2020.
However, Çadirci said: "Because it is a protocol vulnerability, it may take a long time for vendors to provide updates," suggesting that firmware patches may be delayed.
The researcher published a site containing basic tips on how businesses can block possible exploitation attempts.
In addition, Çadirci published proof-of-concept scripts that companies can use to determine whether their smart devices are vulnerable to CallStranger.
The CallStranger vulnerability is also tracked as CVE-2020-12695. At the moment there are about 5.45 million UPnP devices connected to the Internet. This means many hackers will find the vulnerability ideal for attacks.