10 Jun, 2020

UPnP Vulnerability: CallStranger

The vulnerability, called CallStranger, affects UPnP (Universal Plug and Play), a set of protocols that almost all IoT devices rely on to work in harmony with each other. It allows attackers to hijack IoT devices for DDoS (Distributed Denial of Service) attacks, giving them easy access that they would not normally have.

What is UPnP?

The UPnP feature allows devices to automatically see each other in local networks, easily exchange data, establish connections for configurations and even work in sync.

UPnP has been around since the early 2000s, but since 2016 the development, standardization and control of this structure has been managed by the OCF (Open Connectivity Foundation).

The vulnerability, found in the UPnP SUBSCRIBE feature by Security Engineer Yunus Çadırcı in December 2019, allows the attacker to send large amounts of data to arbitrary targets accessible over the Internet. This can lead to Distributed Denial of Service (DDoS), data leakage, and other unexpected network behavior.

The discovered vulnerability affects Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE and possibly Windows PCs, game consoles, TVs and routers.

As a solution

  • Vendors should implement the updated UPnP SUBSCRIBE specifications provided by OCF.
  • The UPnP protocol can be disabled on internet-accessible interfaces.
  • Device manufacturers should disable UPnP SUBSCRIBE in default configurations and ensure user consent is required to enable SUBSCRIBE - with appropriate network restrictions.
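
One way a device could enforce the "appropriate network restrictions" on SUBSCRIBE, shown as an added example that is not part of the original article or any vendor's code. A UPnP SUBSCRIBE request names its delivery URL in the CALLBACK header; the function names, the sample requests and the policy (callback must be a literal IP on the LAN and equal to the sender) are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample SUBSCRIBE requests (not captured traffic).
GOOD = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.23:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-300\r\n\r\n"
)
# Same request, but the delivery URL points outside the LAN (documentation range).
BAD = GOOD.replace("192.168.1.23:8080", "203.0.113.10:80")


def callback_urls(request: str) -> list:
    """Return every <url> listed in the CALLBACK header (it may carry several)."""
    for line in request.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "callback":
            return re.findall(r"<([^<>]+)>", value)
    return []


def subscribe_allowed(request: str, peer_ip: str, lan: str) -> bool:
    """Assumed policy: sender is on the LAN and every callback is the sender itself."""
    net = ipaddress.ip_network(lan)
    peer = ipaddress.ip_address(peer_ip)
    urls = callback_urls(request)
    if peer not in net or not urls:
        return False
    for url in urls:
        try:
            parts = urlsplit(url)
            host = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            return False  # hostnames and malformed URLs are refused outright
        if parts.scheme != "http" or host not in net or host != peer:
            return False
    return True


if __name__ == "__main__":
    for label, req in (("good", GOOD), ("bad", BAD)):
        print(label, subscribe_allowed(req, "192.168.1.23", "192.168.1.0/24"))
```

Refusing hostnames avoids a DNS lookup whose answer could point outside the local network after the check has passed.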

Source:
https://kb.cert.org/vuls/id/339275

https://callstranger.com/

