Millions of routers, printers, and other devices can be remotely commandeered by a new attack that exploits a security flaw in the Universal Plug and Play network protocol, a researcher said.
CallStranger, as the exploit has been named, is most useful for forcing large numbers of devices to participate in distributed denial of service—or DDoS—attacks that overwhelm third-party targets with junk traffic. CallStranger can also be used to exfiltrate data inside networks even when they’re protected by data loss prevention tools that are designed to prevent such attacks. The exploit also allows attackers to scan internal ports that would otherwise be invisible because they’re not exposed to the Internet.
Billions of routers and other so-called Internet-of-things devices are susceptible to CallStranger, Yunus Çadırcı, a Turkish researcher who discovered the vulnerability and wrote the proof-of-concept attack code that exploits it, wrote over the weekend. For the exploit to actually work, however, a vulnerable device must have UPnP, as the protocol is known, exposed on the Internet. That constraint means only a fraction of vulnerable devices are actually exploitable.
Still unsafe after all these years
The 12-year-old UPnP protocol simplifies the task of connecting devices by allowing them to automatically find each other over a network. It does this by using the HTTP, SOAP, and XML protocols to advertise themselves and discover other devices over networks that use the Internet Protocol.
While the automation can remove the hassle of manually opening specific network ports that different devices use to communicate, UPnP over the years has opened users to a variety of attacks. In 2013, an Internet-wide scan found that UPnP was making more than 81 million devices visible to people outside the local networks. The finding was a surprise because the protocol isn’t supposed to communicate with outside devices. The exposure was largely the result of several common code libraries that monitored all interfaces for User Datagram Protocol packets even if configured to listen only on internal ones.
In November 2018, researchers detected two in-the-wild attacks that targeted devices using UPnP. One used a buggy UPnP implementation in Broadcom chips to wrangle 100,000 routers into a botnet. The other, used against 45,000 routers, exploited flaws in a different UPnP implementation to open ports that were instrumental in spreading EternalRed and EternalBlue, the potent Windows attack that was developed by and later stolen from the NSA.
Subscribe now
CallStranger allows a remote and unauthenticated user to interact with devices that are supposed to be accessible only inside local networks. One use for the exploit is directing large amounts of junk traffic to destinations of the attacker’s choice. Because the output sent to attacker-designated destinations is much bigger than the request the attacker initiates, CallStranger provides a particularly powerful way to amplify the attacker’s resources. Other capabilities include enumerating all other UPnP devices on the local network and exfiltrating data stored on the network, in some cases even if it’s protected by data loss prevention tools.
The vulnerability is tracked as CVE-2020-12695, and advisories are here and here. Çadırcı posted a PoC script that demonstrates the capabilities of CallStranger here.
The exploit works by abusing the UPnP SUBSCRIBE capability, which devices use to receive notifications from other devices when certain events—such as the playing of a video or music track—happen. Specifically, CallStranger sends subscription requests that forge the URL that’s to receive the resulting “callback.”
To perform DDoSes, CallStranger sends a flurry of subscription requests that spoof the address of a third-party site on the Internet. When the attack is performed in unison with other devices, the lengthy callbacks bombard the site with a torrent of junk traffic. In other cases the URL receiving the callback points to a device inside the internal network. The responses can create a condition similar to a server-side request forgery, which allows attackers to hack internal devices that are behind network firewalls.
Devices that Çadırcı has confirmed to be vulnerable are:
- Windows 10 (Probably all Windows versions including servers) – upnphost.dll 10.0.18362.719
- Xbox One- OS Version 10.0.19041.2494
- ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
- Asus ASUS Media Streamer
- Asus Rt-N11
- BelkinWeMo
- Broadcom ADSL Modems
- Canon SELPHY CP1200 Printer
- Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
- Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
- D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
- EPSON EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
- HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
- Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
- NEC AccessTechnica WR8165N Router ( OS 1.0 UPnP/1.0 Realtek/V1.3)
- Philips 2k14MTK TV- Firmware TPL161E_012.003.039.001
- Samsung UE55MU7000 TV – FirmwareT-KTMDEUC-1280.5, BT – S
- Samsung MU8000 TV
- TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
- Trendnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
- Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)
Çadırcı reported his findings to the Open Connectivity Foundation, which maintains the UPnP protocol, and the foundation has updated the underlying specification to fix the flaw. Users can check with developers and manufacturers to find out if or when a patch will be available. A significant percentage of IoT devices never receive updates from manufacturers, which means the vulnerability will live on for some time to come.
As always, the best defense is to ensure devices don’t have UPnP exposed to the Internet. UPnP users with the experience and capability can also periodically check logs to detect exploits.