Millions Of Connected Devices Vulnerable To CallStranger UPnP Network Security Flaw

Game consoles like the Xbox One, along with Windows PCs, routers, smart TVs, and more have been found to be vulnerable to a Universal Plug and Play (UPnP) security flaw affecting millions of connected devices (and billions of devices overall), a researcher warns. The exploit is called CallStranger, and if leveraged, could be used to initiate distributed denial of service (DDoS) attacks.

"The CallStranger vulnerability that is found in billions of UPnP devices can be used to exfiltrate data (even if you have proper DLP/border security means) or scan your network or even cause your network to participate in a DDoS attack. The vulnerability—CallStranger—is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices," the researcher explains.

Creating botnets by leveraging thousands or even millions of Internet of Things (IoT) devices and other connected hardware is a persistent threat in the online era. Sometimes it is because IoT devices ship with weak default login credentials. In cases like this, however, it is due to the UPnP protocol. This also limits the actual reach of the flaw.

Since CallStranger requires a connected device to have UPnP exposed to the Internet for the exploit to work, the actual number of vulnerable devices is much smaller than the theoretical estimates provided by Yunus Çadırcı, the Turkish researcher who discovered the bug and coded a proof-of-concept (PoC) attack.

The UPnP protocol is over a decade old. It makes finding devices on a network easy and automatic, with little-to-no fuss on the part of the end users. All kinds of devices use UPnP, everything from smart speakers to smart home surveillance. Without UPnP, users would have to manually open network ports to allow devices to communicate with one another.

However, there is a cost to the convenience afforded by UPnP. Attackers have used flaws in UPnP to orchestrate large-scale hacks, like the Mirai botnet and Qakbot banking trojan.

CallStranger works by leveraging the UPnP SUBSCRIBE capability that devices use to receive notifications from other gadgets in certain situations. This effectively allows an attacker to maneuver around network security defenses, including firewalls.
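A defender-side check for the behavior described above, as an added example that is not part of the original article or the researcher's PoC: it parses UPnP SUBSCRIBE requests and flags Callback URLs that point off the local network or at a host other than the subscriber. The sample requests, addresses, and the local-address policy are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed policy: callbacks should stay on RFC 1918 / link-local space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed samples: (source IP the device saw, raw SUBSCRIBE request).
SAMPLES = [
    ("192.168.1.50", "SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
     "CALLBACK: <http://192.168.1.50:8080/notify>\r\nNT: upnp:event\r\n\r\n"),
    ("192.168.1.77", "SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
     "CALLBACK: <http://203.0.113.10:80/a><http://192.168.1.9:8080/>\r\n"
     "NT: upnp:event\r\n\r\n"),
]


def callback_urls(raw):
    """Return the delivery URLs from the CALLBACK header of a SUBSCRIBE request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            return re.findall(r"<([^>]+)>", value)  # one or more <url> entries
    return []


def check_subscribe(src_ip, raw):
    """Return (url, reason) pairs for callbacks that do not fit the policy."""
    src, findings = ipaddress.ip_address(src_ip), []
    for url in callback_urls(raw):
        try:
            dst = ipaddress.ip_address(urlsplit(url).hostname)
        except (ValueError, TypeError):
            findings.append((url, "callback host is not an IP literal"))
            continue
        if not any(dst in net for net in LOCAL_NETS):
            findings.append((url, "callback points outside the local network"))
        elif dst != src:
            findings.append((url, "callback host differs from the subscriber"))
    return findings


if __name__ == "__main__":
    for src_ip, raw in SAMPLES:
        print(src_ip, check_subscribe(src_ip, raw))
```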

Çadırcı reported his findings last year to the Open Connectivity Foundation (OCF), the organization overseeing UPnP development. There is a patch available to vendors, but it could take some time for them to update their devices. As always, make sure to regularly check for updates for your hardware.