Beware! The CallStranger vulnerability has the potential to launch a major DDoS attack.
A brand-new vulnerability in UPnP (Universal Plug and Play) affects billions of devices. The vulnerability can be misused by threat actors to carry out various types of malicious activity, such as data exfiltration and DDoS (distributed denial-of-service) attacks. CallStranger is a vulnerability that enables threat actors to take over devices for DDoS attacks. Additionally, it allows attacks that evade security solutions, scan the target's internal network, and grant attackers access to areas that are normally off limits to them.
Impact on UPnP
Engineered to carry out automatic discovery of, and interaction with, devices on a network, the UPnP protocol is meant to be deployed within trusted LANs (local area networks), as it does not have any kind of verification or authentication.
UPnP, short for Universal Plug and Play, is a collection of protocols that forms a core element of most smart and IoT devices.
A website dedicated to the CallStranger vulnerability notes that the bug affects the UPnP features. Technically, the UPnP functionality enables devices to see each other on local networks and then facilitates the establishment of connections for a smooth exchange of data and configuration.
Technical aspects of CallStranger
Back in December 2019, Yunus Çadırcı, a security engineer, discovered a bug in the UPnP technology. He explained that an attacker can send TCP (Transmission Control Protocol) packets to a remote device that contain a malformed Callback header value in UPnP's SUBSCRIBE function.
Threat actors can easily abuse the malformed header to exploit any UPnP-enabled smart device that has been left connected to the internet, for example DVRs, routers, security cameras, and more.
In a detailed CallStranger attack, the threat actor interacts with the device's internet-facing interface, yet the code executes in the UPnP function that is usually only exposed on the internally facing ports (inside the LAN).
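As an added defensive example that is not from the original article or from Çadırcı's advisory: a Python check that parses a SUBSCRIBE request and rejects Callback URLs pointing outside the device's own network, which is the kind of validation the updated UPnP Device Architecture specification calls for. The sample request, the network range and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample SUBSCRIBE request (not captured from a real device).
# The second Callback URL points at a public address, as a CallStranger
# attacker would supply, and must be refused by a hardened device.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.9:80/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)

CALLBACK_URL_RE = re.compile(r"<([^>]+)>")


def parse_subscribe(raw):
    """Return (headers, callback_urls) from a raw SUBSCRIBE request."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers, CALLBACK_URL_RE.findall(headers.get("CALLBACK", ""))


def callback_allowed(url, local_network):
    """Hardened check: accept only http(s) callbacks whose host is a literal
    IP inside the device's own network. Hostnames are rejected because DNS
    could point the NOTIFY at an arbitrary destination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # not an IP literal
    if host.is_loopback or host.is_unspecified or host.is_multicast:
        return False
    return host in local_network  # False across IPv4/IPv6 families too


def filter_callbacks(raw, local_cidr):
    """Split the request's Callback URLs into accepted and rejected lists."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    _, urls = parse_subscribe(raw)
    accepted = [u for u in urls if callback_allowed(u, net)]
    rejected = [u for u in urls if u not in accepted]
    return accepted, rejected
```

A device applying `callback_allowed` before sending NOTIFY messages never becomes a DDoS reflector or an internal-scan proxy for an external subscriber.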