Friday, January 15, 22:14
Home security CallStranger vulnerability bypasses security solutions and scans LANs

CallStranger vulnerability bypasses security solutions and scans LANs

CallStranger vulnerability

Serious vulnerability was identified in a key protocol found in almost all Internet of Things (IoT) devices. The vulnerability, called CallStranger, allows attackers to invade smart Appliances for the embodiment DDoS attacks but also attacks that bypass systems security to carry out sweeps inside network of a victim. So, the hackers can acquire access in areas that normally should not.

CallStranger vulnerability affects UPnP

CallStranger vulnerability is said to affect it UpnP (Universal Plug and Play), one set of protocols found in most smart Appliances.

UPnP allows devices to "see" each other on LANs and create connections for easy sharing data, configurations etc.

UPnP has been around since the early 2000s, but since 2016, its development has been managed by Open Connectivity Foundation (OCF).

Technical details for CallStranger vulnerability

In December 2019, an engineer security with the name Yunus Çadirci, found an error in this extremely common technology.

Çadirci says an attacker can send TCP packages in a remote device containing incorrectly formatted callback header value in UPnP's SUBSCRIBE function.

This header can be used by malicious people hackers for exploitation of any smart device that remains connected to Internet and supports UPnP protocols (eg security cameras, DVRs, printers, routers and more).

In a CallStranger attack, the intruder targets the device's internet-facing interface, but executes the device's UPnP code, which is usually only executed on internal ports (inside the LAN).

Çadirci says attackers could use CallStranger vulnerability to successfully bypass network security systems and firewalls, to scan the internal networks of a company.

In addition, other attacks may occur, such as: DDoS. This also includes data theft, as the attacker gains access to data of the vulnerable device.

It may take some time to correct the vulnerability

Çadirci said he had informed the OCF of the vulnerability. The company has updated the UpnP protocols. Updates were released on April 17, 2020.

However, Çadirci said: "Because it is a protocol vulnerability, it may take a long time for vendors to provide updates," suggesting that firmware patches may be delayed.

The researcher published a site that contains basic tips on how to businesses they may rule out possible exploitation attempts.

In addition, Çadirci published proof-of-concept scripts which companies can use to determine if their smart devices are vulnerable to CallStranger vulnerability.

CallStranger vulnerability is also called CVE-2020-12695. At the moment there are about 5,45 million UpnP devices connected to the Internet. This means that many hackers will find the vulnerability to attack ideal.


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortress
Pursue Your Dreams & Live!


Android: How to see which apps have access to your site

It's no secret that smartphone apps have access to many permissions - if you let them. It is important to make sure ...

Canon lets you take pictures from space

Instead of releasing new cameras for CES 2021, Canon is doing something different: It lets you take pictures from space ....

Wikipedia vs Big tech: Who fights misinformation?

As Election Day turned into US Election Week, Facebook, Twitter and YouTube were trying to prevent ...

Tesla: It is called to recall cars due to problematic screens

The touch screen in some Tesla cars seems to have a problem, which could ...

Ransomware is responsible for half of all data breaches in hospitals

Almost half of the data breaches committed in hospitals and the wider healthcare sector are due to ransomware attacks, ...

Astronomers have just found the oldest oversized black hole

A quasar was discovered in a dark corner of space - over 13,03 billion light-years away - and contains a ...

What are the best and most affordable 5G phones for 2021

The market will soon be flooded with mid-range 5G devices. Everything that happens will be really exciting: you will be able to ...

Verified Twitter accounts in a cryptocurrency scam with the name of Elon Musk violated!

Lately, hackers have been violating verified Twitter accounts in a cryptocurrency giveaway scam, in which the name of the CEO is used ...

Classiscam: Fraudsters "fake" brands and deceive users of European markets!

Dozens of criminal gangs publish fake ads in popular online markets, to attract unsuspecting users to "fraudulent" commercial sites or phishing ...

iOS 14.4: Displays a notification for repairs with non-genuine cameras

Starting with the iPhone 11, Apple has added a notification to iOS that tells the user when the device has a ...