By Matt Cadwell
Is there anything more convenient than Universal Plug and Play, or UPnP?
This protocol lets devices join a network with zero configuration and easily share their configuration data. A UPnP device announces its presence on the network, advertises its name and capabilities to other devices, and, as the name suggests, is “plug and play”, requiring little to no user configuration.
UPnP is a protocol in devices ranging from printers, Wi-Fi access points, routers, DVRs, security cameras, smart locks and lighting systems to gaming consoles and countless other IoT devices. It is highly likely you have devices on your home network and almost certainly on your corporate network that are using UPnP.
However, this convenience and simplicity come at a cost, because they introduce security concerns. Most notably, UPnP does not require authentication. It assumes that every device on the network is trusted, regardless of whether it is benign or malicious.
That aspect of UPnP has been criticized since the protocol was introduced 12 years ago, and recent news about UPnP has been no better. In December 2019, security researcher Yunus Çadırcı discovered a critical security flaw within the UPnP protocol that affects billions of devices, of which an estimated 5.45 million are internet-facing.
Çadırcı has named this flaw CallStranger; it’s tracked as CVE-2020-12695.
CallStranger allows a remote and unauthenticated user to interact with devices that are supposed to be accessible only inside local networks. One use for the exploit is directing large amounts of junk traffic to destinations of the attacker’s choice. Because the output sent to attacker-designated destinations is much bigger than the request the attacker initiates, CallStranger provides a particularly powerful way to amplify the attacker’s resources. Other capabilities include enumerating all other UPnP devices on the local network and exfiltrating data stored on the network, in some cases even if it’s protected by data loss prevention tools.
The exploit works by abusing the UPnP SUBSCRIBE capability, which devices use to receive notifications from other devices when certain events—such as the playing of a video or music track—happen. Specifically, CallStranger sends subscription requests that forge the URL that’s to receive the resulting “callback.”
To perform DDoS attacks, CallStranger sends a flurry of subscription requests that spoof the address of a third-party site on the Internet. When the attack is performed in unison with other devices, the lengthy callbacks bombard the site with a torrent of junk traffic. In other cases the URL receiving the callback points to a device inside the internal network. The responses can create a condition similar to a server-side request forgery, which allows attackers to hack internal devices that are behind network firewalls.
Çadırcı reported his findings to the Open Connectivity Foundation, which maintains the UPnP protocol, and the foundation has updated the underlying specification to fix the flaw. Users can check with developers and manufacturers to find out if or when a patch will be available. A significant percentage of IoT devices never receive updates from manufacturers, which means the vulnerability will live on for some time to come.
As always, the best defense is to disable UPnP altogether. For those who insist on keeping UPnP turned on, use a router checker site to make sure the router isn’t exposing sensitive ports. UPnP users with the experience and tooling can also periodically review logs for signs of exploitation.
You can also reach out to the Security team at LRS IT Solutions; we can help you assess your exposure to new threats like CallStranger as well as many other security threats.
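The SUBSCRIBE abuse described above, and the log-review advice here, both come down to one question: where does the callback URL point? The following Python is an added example (not code from the original article, and not from any UPnP vendor) that parses a raw SUBSCRIBE request and flags callbacks that do not return to the subscriber itself, treating off-subnet targets as the amplification case and other on-link devices as the SSRF-like case. The subnet 192.168.1.0/24, the source address 192.168.1.20, and all request samples are constructed assumptions; the "callback must equal the requester's address" rule is a strict heuristic, not a requirement of the UPnP specification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed subnet of the monitored device
CALLBACK_RE = re.compile(r"<([^>]+)>")  # a CALLBACK header carries one or more <url> entries

def parse_request(raw: str) -> tuple:
    """Split a raw HTTP request into (method, {lowercased header name: value})."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    return request_line.split(" ", 1)[0], headers

def classify_callback(url: str, src_ip: str) -> str:
    """ok: callback returns to the subscriber itself (normal UPnP eventing).
    off-link: callback leaves the local subnet (the amplification/DDoS case).
    redirected: callback targets another on-link device (the SSRF-like case)."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return "unverified"  # hostname or unparsable URL: cannot be confirmed safe
    if addr == ipaddress.ip_address(src_ip):
        return "ok"
    return "off-link" if addr not in LOCAL_NET else "redirected"

def check_subscribe(raw: str, src_ip: str) -> list:
    """Return [(url, verdict)] for each callback in a SUBSCRIBE request; [] for other methods."""
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return []
    return [(u, classify_callback(u, src_ip)) for u in CALLBACK_RE.findall(headers.get("callback", ""))]

def build_subscribe(callback: str) -> str:
    """Construct a sample SUBSCRIBE request carrying the given CALLBACK value (not captured traffic)."""
    return ("SUBSCRIBE /upnp/event HTTP/1.1\r\nHOST: 192.168.1.1:1900\r\nNT: upnp:event\r\n"
            f"CALLBACK: {callback}\r\nTIMEOUT: Second-1800\r\n\r\n")

# Constructed samples, all sent by control point 192.168.1.20 to the router at 192.168.1.1.
SAMPLES = [
    build_subscribe("<http://192.168.1.20:49152/notify>"),                       # normal
    build_subscribe("<http://203.0.113.7:80/>"),                                 # internet host
    build_subscribe("<http://192.168.1.1:8080/>"),                               # another LAN device
    build_subscribe("<http://192.168.1.20:49152/a><http://198.51.100.9:80/b>"),  # mixed list
]

def suspicious_callbacks(samples=SAMPLES, src_ip="192.168.1.20") -> list:
    """Everything a monitor should alert on: callbacks whose verdict is not 'ok'."""
    return [hit for raw in samples for hit in check_subscribe(raw, src_ip) if hit[1] != "ok"]
```

Run against the samples, three of the five callback URLs are flagged; a device applying the updated specification's same-network rule would reject the off-link ones outright.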
About the author
Matt Cadwell is an Information Security Architect for LRS IT Solutions. He holds a GPEN certification from Global Information Assurance Certification (GIAC) and is a member of the GIAC Advisory Board. Matt’s IT experience spans government, manufacturing, financial services, and other industries.