Vulnerability makes devices with UPnP integration insecure
A vulnerability in the UPnP protocol makes it possible to steal information from IoT devices and to use them in DDoS botnets. The vulnerability in Universal Plug and Play is called CallStranger and makes devices vulnerable if the feature is enabled.
CallStranger makes it possible to attack devices with UPnP integration if that feature is switched on. UPnP is present on Windows machines, Xbox consoles, TVs and routers, but is also used by many IoT devices. UPnP is essentially intended for local use on a trusted network, as the protocol has no authentication. With CallStranger, someone can attack a device that has UPnP enabled remotely. According to Shodan, there are currently 5.5 million devices that have the feature configured this way.
The vulnerability was discovered by security researcher Yunus Çadirci, who found it in the Universal Plug and Play protocol, or UPnP, last year. Çadirci calls the vulnerability CallStranger, although it is now also known as CVE-2020-12695.
The vulnerability lies in UPnP's subscribe function, and specifically in the callback headers within it. Çadirci says it is possible to send a TCP packet to a device to manipulate the connection. That way, an attacker can carry out a TCP DDoS attack by adding the devices to a botnet. Çadirci himself says data theft is the biggest risk of the vulnerability: data can be read from the device that supports UPnP. An attacker can also scan internal ports on the network via the vulnerability.
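As an added illustration of the callback header described above, and not code from the article or from Çadirci's proof-of-concept, the following Python filter shows the check a UPnP stack or gateway could apply to incoming SUBSCRIBE requests: it accepts only CALLBACK URLs that point at IP literals on the device's own LAN, so a subscription cannot be pointed at an outside host or at another internal port. The sample requests and the 192.168.1.0/24 network are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample SUBSCRIBE requests (not taken from the article or any real device).
LOCAL_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:3000/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
# Same request, but the callback list also names an address outside the LAN.
EXTERNAL_SUBSCRIBE = LOCAL_SUBSCRIBE.replace(
    "<http://192.168.1.20:3000/notify>",
    "<http://192.168.1.20:3000/notify><http://203.0.113.10:80/large-file>",
)
# Same request, but the callback targets a port on another internal subnet.
INTERNAL_SCAN_SUBSCRIBE = LOCAL_SUBSCRIBE.replace(
    "<http://192.168.1.20:3000/notify>", "<http://10.0.0.5:22/>"
)

CALLBACK_RE = re.compile(r"^callback:\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def callback_urls(raw_request: str) -> list[str]:
    """Return every <url> listed in the CALLBACK header of a SUBSCRIBE request."""
    match = CALLBACK_RE.search(raw_request)
    if not match:
        return []
    return re.findall(r"<([^>]*)>", match.group(1))


def check_subscribe(raw_request: str, lan: str) -> tuple[bool, str]:
    """Accept only plain-http callbacks to IP literals inside the device's own LAN.

    Hostnames are rejected outright: the device cannot know what they resolve to.
    """
    net = ipaddress.ip_network(lan, strict=False)
    urls = callback_urls(raw_request)
    if not urls:
        return False, "missing CALLBACK header"
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False, f"unsupported callback url {url!r}"
        try:
            addr = ipaddress.ip_address(parts.hostname)
        except ValueError:
            return False, f"hostname callbacks not allowed: {url!r}"
        if addr not in net:
            return False, f"callback {addr} is outside {net}"
    return True, "ok"
```

Every URL in the header must pass; a single outside address is enough to reject the whole subscription.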
Çadirci has created a proof-of-concept that lets IoT device users see whether their device is vulnerable. He reported the vulnerability last year to the Open Connectivity Foundation, the foundation that manages the UPnP protocol. It has now released a fix, but when it is implemented depends heavily on individual vendors. Incidentally, not all UPnP stacks are vulnerable; Çadirci says MiniUPnP, for example, is not susceptible.