Billions of smart home devices could be susceptible to cyberattacks due to a serious vulnerability discovered in a networking protocol.
The CallStranger vulnerability would let hackers steal user data, scan networks and launch distributed denial-of-service (DDoS) attacks from many Internet of Things (IoT) devices.
Discovered by security professional Yunus Çadırcı, the bug affects a networking protocol called Universal Plug and Play (UPnP), which enables consumer devices to easily find and share data with each other on a local network.
According to a dedicated website about CallStranger, the vulnerability is “caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices”.
The website explains how hackers can use the bug to bypass data-loss prevention and network-security devices to exfiltrate data; use millions of Internet-facing UPnP devices to stage amplified reflected DDoS attacks; and scan internal network ports from internet-facing UPnP devices.
The first scenario would affect mainly company networks and other enterprise deployments, but the other two hit the consumer level.
If your smart-home devices were hacked to stage DDoS attacks, your bandwidth would suffer and the devices would probably be left open to other attacks; if your internal network was scanned by an outside attacker, any open port could be used to infect your devices.
Billions of devices potentially affected
Çadırcı estimates that the vulnerability could affect billions of devices as the UPnP vulnerability impacts Windows devices, Xboxes and most TVs and routers.
He went on to explain that as because the CallStranger vulnerability can be exploited for DDoS attacks, botnets may start implementing this new technique by coming after consumer devices.
“Because of the latest UPnP vulnerabilities,” Çadırcı wrote, “enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from Internet to Intranet but Intranet2Intranet may be an issue”.
Since Çadırcı reported CallStranger last year to the Open Connectivity Foundation, which maintains the UPnP protocol, the foundation has released updates for UPnP.
But he added: “Because this is a protocol vulnerability, it may take a long time for vendors to provide patches.”
How to protect yourself from CallStranger attacks
If you’re somewhat tech-savvy, Çadırcı has posted a Python script on GitHub that can be used to scan your local network for vulnerable devices.
But the first thing you should do is going into your home Wi-Fi router’s administrative settings and find and disable UPnP. Every decent router should allow you to turn UPnP off — if yours doesn’t, you need a better router.
If you rent your router from your internet service provider, such as the cable company or the local phone company, then call their helpline for assistance in how to disable UPnP on the router.