A severe vulnerability has been discovered in a core protocol found in almost all internet of things (IoT) devices. The vulnerability, named CallStranger, allows attackers to hijack smart devices for distributed denial of service (DDoS) attacks, but also for attacks that bypass security solutions to reach and conduct scans on a victim’s internal network — effectively granting attackers access to areas where they normally wouldn’t be able to reach.
The CallStranger vulnerability allows attackers to use the Universal Plug & Play (UPnP) protocol to DDOS & port scan. Numerous devices have UPnP & need to be updated; until your device is updated to address CallStranger disable UPnP, especially on routers.https://t.co/silbgb3tp6
— Koroush Ghazi (@KoroushGhazi) June 9, 2020
The CallStranger vulnerability highlights the importance of network invisibility and why IoT smart devices are not very “smart” for zero trust network security. Adding TCP/IP packets to remote devices shows the location of ‘things,’ when they should be made invisible to bad actors. In place of this, host identity, not location-based identity is imperative for securing the Internet of Things. Thankfully, there are state-of-the-art network solutions available on the market that do just that – make your network completely invisible to adversaries and ensure IoT security.
As the researcher noted, UPnP was effectively designed from the ground up without security. Although applications can staple on authentication, in most cases all requests from the local network are just trusted. What’s worse is that these devices rarely employ protections against cross-site attacks and, as I’ve shown on several devices, a malicious website can leverage UPnP services to manipulate and even compromise remote devices. The best course of action when it comes to UPnP is to simply turn it off.
The SUBSCRIBE method in UPnP allows nodes on the network to register a URL to receive callbacks as specified conditions are met. The problem described by the CallStranger vulnerability is that this callback URL is not restricted to the local network. An attacker could leverage the millions of UPnP devices improperly connected to quickly direct large volumes of traffic to DDoS targets.
In another attack scenario, UPnP SUBSCRIBE requests could be used for data exfiltration. Although the writeup only mentions directly connected attackers, this mode of attack would more likely be useful as part of a malicious cross-site campaign. For example, I’ve repeatedly demonstrated how DNS rebinding (such as via my Dolos tool) commonly allows a malicious website operator to directly communicate with an internal UPnP device. Dolos can scan a network to enumerate available UPnP end-points and then prepare a DNS rebound browser origin from which to send arbitrary UPnP commands like SUBSCRIBE. Depending on the affected device, this kind of attack may reveal next to nothing or it may give detailed information. The best way to thwart this and similar threats is to use a browser or browser plugin with JavaScript firewall support to block connections onto local networks.
Modern enterprises are characterized by a skyrocketing complexity of their IT infrastructure that may be dispersed across a hundred of countries and maintained by thousands of third parties. On one side, this makes organizations extremely vulnerable and susceptible to cyber-attacks such as ransomware, which exploit shadow IT devices, unprotected cloud and abandoned servers as an entry point into their victim’s premises. On the other side, however, this convoluted intricacy makes global attack virtually impossible, as some disjoint parts of the central system will continue working in isolation. It is nonetheless perfectly possible to identify the “heart and the brain” of the system and target it directly with disastrous consequences.
We will likely see professional cyber mercenaries being hired not just for data theft campaigns but for highly destructive and damage-creation hacking campaigns. Amid the political and economic crisis of the unprecedented scale, many unscrupulous organizations and state actors won’t hesitate to crush their rivals by paralyzing their computerized factories, supply management chains and sales points. Given how interconnected our IT infrastructure has become, thanks to the rapid proliferation of IoT devices and connected objects, one wisely prepared attack could swiftly shut down a global company for several weeks or even months. Visibility, inventory and continuous monitoring of your digital assets and data is the key to avoid falling victim to the sophisticated attacks.