Once again, a security flaw has surfaced online threatening Internet-of-Things (IoT) devices. Dubbed as CallStranger, the vulnerability allows evading security measures to hijack smart devices.
CallStranger Vulnerability Threatening IoT
Reportedly, a security researcher Yunus Çadırcı has caught a serious security flaw affecting smart devices. With a dedicated website, the researcher has shared the details about the CallStranger vulnerability targeting IoT devices.
As revealed, the vulnerability resembles SSRF and affects Universal Plug and Play (UPnP) devices allowing hackers to take control of the devices. In a worst-case scenario, exploiting this flaw may lead to code execution as well. As stated on the website,
The vulnerability – CallStranger – is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices.
UPnP protocol facilitates devices to interact on a network without requiring authentication. While it supports smooth connectivity, it also remains vulnerable to cyber-attacks if exposed to the internet.
Since the bug affects Windows, smart TVs, Xbox, and most routers, it potentially puts billions of devices at risk globally.
This vulnerability, CVE-2020-12695, allows an attacker to evade security checks and firewalls and takeover internal network of the target firm.
Besides code execution, exploiting the vulnerability may also trigger DDoS. Hence, the researchers fear that cybercriminals may also exploit the bug to target end-user devices and develop botnets.
The researcher has shared the details about the exploit and the proof of concept on GitHub. Whereas a detailed list of all affected devices is also available on the CallStranger webpage.
What Next?
The researcher discovered the bug and contacted the Open Connectivity Foundation (OCF) in late 2019. While, initially, OCF didn’t recognize this vulnerability as an issue. However, further discussions made them realize the severity of the matter.
Eventually, OCF patched the vulnerability in the UPnP protocol in March 2020. However, it took time for some device vendors to release the fixes.
Now, it is up to the users to make sure to update their respective devices at the earliest. Although, the bug does not pose a severe threat to home users besides the DDoS attack. Yet, the overall impact may be crucial.
Besides, enterprise users may implement the mitigations advised by the researcher, until patches are available for their devices.
Let us know your thoughts in the comments.