Posted on June 9, 2020 at 3:48 PM
A new vulnerability known as CallStranger, found in a core protocol, affects nearly all Internet of Things (IoT) devices.
The vulnerability allows hackers to take over smart devices to launch DDoS attacks. The attack may also involve bypassing security solutions to carry out a scan on the internal network of the victim’s device. It eventually grants the attacker complete control of areas they wouldn’t be able to access normally.
The CallStranger security vulnerability is also referred to as CVE-2020-12695.
Presently, there are about 5.45 million devices that run the UPnP feature and are connected to the internet. This makes it a noteworthy attack vector for hackers behind APTs and IoT botnets.
Vulnerability also affects Universal Plug and Play
A website that tracks the CallStranger vulnerability published a report yesterday stating that the vulnerability also affects Universal Plug and Play (UPnP), a collection of protocols that ship on several smart devices. The website was created for the sole purpose of providing security information about the CallStranger bug.
The UPnP feature serves as the connecting link between devices on the network. It makes it possible for devices to discover each other on local networks. Once the devices have identified each other, they can set up a connection to exchange configurations and data and to sync their work.
The protocol was developed in the 2000s. For the past four years, however, the Open Connectivity Foundation (OCF) has managed the protocol. The foundation is in charge of standardizing how the feature works across different devices within networks. It's also responsible for managing what appears in the UPnP protocols.
Technical Details of CallStranger
In December last year, Yunus Cadirci, a security engineer, discovered the vulnerability in this very renowned technology.
Yunus stated that an attacker can deliver TCP packets containing a malformed Callback header value in the SUBSCRIBE function of UPnP to remote devices.
The malformed header can be exploited to get hold of any smart device that supports the UPnP protocols and is left connected to the internet. These smart devices include routers, printers, DVRs, security cameras, and others. As long as they are connected to the internet and support UPnP protocols, they will be vulnerable, he said.
To orchestrate the CallStranger attack, the attacker targets the internet-facing interface of the device but executes the code on the UPnP function of the device, which operates only on the internally-facing ports in the local area network (LAN).
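A defensive check on the Callback header of an initial SUBSCRIBE request, written as an added example (it is not the researcher's script or any vendor's code). It assumes a policy that both the subscriber and every callback URL must be IP literals inside the device's own LAN subnet; the function names, the 192.168.1.0/24 subnet and the sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def callback_urls(request):
    """Return the delivery URLs listed in the Callback header of a SUBSCRIBE request."""
    lines = request.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            # The header carries one or more URLs, each wrapped in <...>.
            return re.findall(r"<([^<>]*)>", value)
    return []

def check_subscribe(request, source_ip, lan):
    """Return reasons to reject an initial subscription; an empty list means accept."""
    net = ipaddress.ip_network(lan)  # assumed: the device's LAN subnet
    problems = []
    if ipaddress.ip_address(source_ip) not in net:
        problems.append(f"subscriber {source_ip} is outside {lan}")
    urls = callback_urls(request)
    if not urls:
        problems.append("no Callback URL found")
    for url in urls:
        try:
            host = ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            # Hostnames are refused: resolving them could point anywhere.
            problems.append(f"callback host is not an IP literal: {url}")
            continue
        if host not in net:
            problems.append(f"callback {host} is outside {lan}")
    return problems

# Constructed sample requests (documentation address ranges, not captured traffic).
LAN = "192.168.1.0/24"
GOOD = ("SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
        "CALLBACK: <http://192.168.1.20:8080/notify>\r\nNT: upnp:event\r\n"
        "TIMEOUT: Second-300\r\n\r\n")
BAD = GOOD.replace("192.168.1.20:8080", "203.0.113.10:80")

if __name__ == "__main__":
    for label, req in (("local callback", GOOD), ("external callback", BAD)):
        print(label, "->", check_subscribe(req, "192.168.1.20", LAN) or "accept")
```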
The vulnerability allows hackers to bypass network security
According to Yunus, the CallStranger vulnerability could be exploited to bypass network security solutions successfully. Attackers can also scan the internal networks of a company, bypass firewalls, and use the vulnerability to launch DDoS attacks.
A DDoS attack is a clear possibility, as the attackers can bounce and amplify TCP traffic on the UPnP-capable device. The attack could also include data theft, where they steal data from the UPnP-enabled device exposed to the internet.
Patching vulnerability will not come immediately
Yunus reiterated that he had informed OCF about the vulnerability and provided details to the foundation. He said OCF updated the UPnP protocols soon after they received his report. The update to the UPnP protocols went live in April. However, Yunus said it could take the protocol vendors a long time to get a patch because of the nature of the vulnerability.
“Because this is a protocol vulnerability, it may take a long time for vendors to provide patches,” he said.
This means that patches for the vulnerability may not come any time soon. Because of that, the researcher has developed a website that contains basic information and advice that would be helpful for enterprises to block any attempts on exploitation.
Yunus also developed a proof-of-concept script. The script can help companies find out whether their smart devices are susceptible to any of the attacks from the CallStranger vulnerability.