CYBER NEWS

CVE-2020-12695: Severe CallStranger Bug in Most IoT Devices


A severe vulnerability, known under the CVE-2020-12695, has been discovered in a core protocol in nearly all IoT devices – the Universal Plug and Play (UPnP) protocol.

The flaw, dubbed CallStranger could allow attackers to take over IoT devices in DDoS attacks. The flaw could be exploited in other types of attacks, where security solutions are bypassed and internal networks are reached.




What is the The UPnP Protocol?

As explained by the Open Connectivity Foundation (OCF), this protocol is designed to provide automatic discovery and interaction with devices on a network. The protocol can be utilized in a trusted local area network (LAN), and it does not implement any form of authentication or verification.

More about the CallStranger Vulnerability (CVE-2020-12695)

According to the official advisory, “a vulnerability in the UPnP SUBSCRIBE capability permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior”.

Related:
A new security analysis shows that the popular LoRaWAN IoT protocol can be easily hacked thus exposing the security of the network of devices
LoRaWAN IoT Protocol Can Be Easily Hacked According to New Research

Most internet-connected devices support the UPnP protocol, which means that a large number of devices is at risk. “Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan,” the security advisory points out.

The CVE-2020-12695 vulnerability in the UPnP SUBSCRIBE capability could allow an attacker to send large amounts of data to arbitrary destinations accessible over the Internet. This could then lead to DDoS attacks, data exfiltration, and other forms of unexpected network behavior.

Mitigations against CVE-2020-12695

Vendors should be quick to implement the updated specification provided by the OCF. Owners of IoT devices, on the other hand, should keep an eye on vendor support channels for updates that implement the new SUBSCRIBE specification.

Another security recommendation is to disable the UPnP protocol on Internet-accessible interfaces. Device manufacturers should disable the UPnP SUBSCRIBE capability in their default configuration. Users are advised to “explicitly enable SUBSCRIBE with any appropriate network restrictions to limit its usage to a trusted local area network“.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...