Expert Insight On CallStranger Vulnerability Lets Attacks Bypass Security Systems And Scan LANs

A severe vulnerability has been discovered in a core protocol found in almost all internet of things (IoT) devices. The vulnerability, named CallStranger, allows attackers to hijack smart devices for distributed denial of service (DDoS) attacks, but also for attacks that bypass security solutions to reach and conduct scans on a victim’s internal network — effectively granting attackers access to areas where they normally wouldn’t be able to reach.

Experts Comments

June 11, 2020
Bryan Skene
CTO
Tempered
The CallStranger vulnerability highlights the importance of network invisibility and why IoT smart devices are not very “smart” for zero trust network security. Adding TCP/IP packets to remote devices shows the location of ‘things,’ when they should be made invisible to bad actors. In place of this, host identity, not location-based identity is imperative for securing the Internet of Things. Thankfully, there are state-of-the-art network solutions available on the market that do just.....Read More
The CallStranger vulnerability highlights the importance of network invisibility and why IoT smart devices are not very “smart” for zero trust network security. Adding TCP/IP packets to remote devices shows the location of ‘things,’ when they should be made invisible to bad actors. In place of this, host identity, not location-based identity is imperative for securing the Internet of Things. Thankfully, there are state-of-the-art network solutions available on the market that do just that – make your network completely invisible to adversaries and ensure IoT security.  Read Less
June 09, 2020
Craig Young
Principal Security Researcher
Tripwire
As the researcher noted, UPnP was effectively designed from the ground up without security. Although applications can staple on authentication, in most cases all requests from the local network are just trusted. What’s worse is that these devices rarely employ protections against cross-site attacks and, as I’ve shown on several devices, a malicious website can leverage UPnP services to manipulate and even compromise remote devices. The best course of action when it comes to UPnP is to.....Read More
As the researcher noted, UPnP was effectively designed from the ground up without security. Although applications can staple on authentication, in most cases all requests from the local network are just trusted. What’s worse is that these devices rarely employ protections against cross-site attacks and, as I’ve shown on several devices, a malicious website can leverage UPnP services to manipulate and even compromise remote devices. The best course of action when it comes to UPnP is to simply turn it off. The SUBSCRIBE method in UPnP allows nodes on the network to register a URL to receive callbacks as specified conditions are met. The problem described by the CallStranger vulnerability is that this callback URL is not restricted to the local network. An attacker could leverage the millions of UPnP devices improperly connected to quickly direct large volumes of traffic to DDoS targets. In another attack scenario, UPnP SUBSCRIBE requests could be used for data exfiltration. Although the writeup only mentions directly connected attackers, this mode of attack would more likely be useful as part of a malicious cross-site campaign. For example, I’ve repeatedly demonstrated how DNS rebinding (such as via my Dolos tool) commonly allows a malicious website operator to directly communicate with an internal UPnP device. Dolos can scan a network to enumerate available UPnP end-points and then prepare a DNS rebound browser origin from which to send arbitrary UPnP commands like SUBSCRIBE. Depending on the affected device, this kind of attack may reveal next to nothing or it may give detailed information. The best way to thwart this and similar threats is to use a browser or browser plugin with JavaScript firewall support to block connections onto local networks.  Read Less
June 09, 2020
Ilia Kolochenko
Founder and CEO
ImmuniWeb
Modern enterprises are characterized by a skyrocketing complexity of their IT infrastructure that may be dispersed across a hundred of countries and maintained by thousands of third parties. On one side, this makes organizations extremely vulnerable and susceptible to cyber-attacks such as ransomware, which exploit shadow IT devices, unprotected cloud and abandoned servers as an entry point into their victim’s premises. On the other side, however, this convoluted intricacy makes global attack .....Read More
Modern enterprises are characterized by a skyrocketing complexity of their IT infrastructure that may be dispersed across a hundred of countries and maintained by thousands of third parties. On one side, this makes organizations extremely vulnerable and susceptible to cyber-attacks such as ransomware, which exploit shadow IT devices, unprotected cloud and abandoned servers as an entry point into their victim’s premises. On the other side, however, this convoluted intricacy makes global attack virtually impossible, as some disjoint parts of the central system will continue working in isolation. It is nonetheless perfectly possible to identify the “heart and the brain” of the system and target it directly with disastrous consequences. We will likely see professional cyber mercenaries being hired not just for data theft campaigns but for highly destructive and damage-creation hacking campaigns. Amid the political and economic crisis of the unprecedented scale, many unscrupulous organizations and state actors won’t hesitate to crush their rivals by paralyzing their computerized factories, supply management chains and sales points. Given how interconnected our IT infrastructure has become, thanks to the rapid proliferation of IoT devices and connected objects, one wisely prepared attack could swiftly shut down a global company for several weeks or even months. Visibility, inventory and continuous monitoring of your digital assets and data is the key to avoid falling victim to the sophisticated attacks.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts