'CallStranger' Vulnerability Found in Most IoT Devices Gives Cybercriminals Advantages

Researchers warn users about a security vulnerability that may affect billions of IoT (Internet of Things) devices around the world. It is known as the CallStranger vulnerability, and, according to cybersecurity specialists, it can be misused to perform DDoS (Distributed Denial of Service) attacks, scan internal ports, and exfiltrate data. Therefore, users are encouraged to take extra precautions that would prevent hackers from misusing this security vulnerability. If you want to know how you could protect your IoT devices, learn more about this weakness, or find answers to questions like what is a distributed denial of service attack? we invite you to read our full blog post. If there is anything you want to ask about the discussed security vulnerability, keep in mind that you can leave us a message in our comments section.

The CallStranger weakness was discovered by Yunus Çadırcı, a cybersecurity expert at EY Turkey. He found that there is a way to misuse a set of networking protocols that is called UPnP (Universal Plug and Play). It allows networked devices like computers and printers to discover one another on the network. UPnP is used by most IoT devices so that they could exchange configurations and other data as well as work in sync. The protocol is being managed by an organization called OCF (Open Connectivity Foundation) that was informed about the security vulnerability soon after its discovery, which was made at the end of 2019. The organization has informed vendors providing IoT devices that could have the CallStranger vulnerability at the beginning of 2020, but the weakness has not yet been removed completely.

How can hackers misuse the CallStranger security vulnerability?

Specialists say that regular home users are less at risk than various companies and organizations. That is because the vulnerability may allow hackers to bypass security devices and exfiltrate data, and companies often have lots of IoT devices connected to the same network. Thus, targeting them might provide hackers with access to more devices and information.

Nonetheless, cybersecurity specialists believe that no one is safe because cybercriminals might misuse CallStranger not only to exfiltrate data but also to perform DDoS attacks. What is a distributed denial of service attack? It is an attack during which hackers try to make a device or a machine unavailable by flooding it with traffic that it might be unable to handle and, as a result, causing the targeted system's overload. Cybercriminals need to send an enormous number of requests from different devices to make it happened, which they usually do by misusing vulnerable IoT devices connected to the so-called botnet. The worst part is that you might not know if your device is being misused this way.

When will this security vulnerability be removed?

Specialists say that the CallStranger weakness is being removed already. However, the process will be slow since the weakness affects billions of IoT devices, and each of them must receive a firmware update. Not to mention, it will take time for all the providers of such devices to patch the vulnerability and provide the patch to their users. Thus, there is no exact date when we will no longer have to worry about the CallStranger weakness. Until it happens, it is advisable to take extra precautions if you do not want hackers to be able to access your IoT devices.

What can you do to protect your devices from the CallStranger vulnerability?

According to the website dedicated to the CallStranger weakness, regular home users should ask their ISP (Internet Service Provider) if their routers have Internet-facing UPnP with the CallStranger vulnerability. There is no need to disable UPnP on such devices, but users are advised to make sure that their UPnP endpoint is not exposed to the Internet.

What about various companies using IoT devices that could have the discovered security vulnerability? Specialists advise closing UPnP ports to the Internet if possible. Companies that use security devices should block all Subscribe and Notify HTTP packets in ingress and egress traffic as well as configure their DDoS protection devices. Organizations using intranet are advised to disable UPnP services on printers, routers, and other devices, if possible. Lastly, it is advisable to regularly check websites providing information on the security weakness and its removal progress to find out the latest tips and news.

What else can you do to protect your IoT devices?

You might be already tired of hearing this, but it is vital that you use strong passwords everywhere. Meaning, if you own a smart fridge, a printer, or any other device that could be connected to the Internet and so used for DDoS attacks or accessing your other devices, you should set up strong passwords. Keeping devices’ default passwords is the worst thing to do, although using easily guessable combinations is not a huge improvement either. Thus, if you care about your cyber security, we recommend creating passwords from at least 12 characters and containing lower-case and upper-case letters, numbers, and symbols.

You might think that it would be difficult to set up strong passwords for all of your accounts and memorize them too, but, ever since password managers appeared, you no longer have to choose between convenience and security. For instance, a tool like Cyclonis Password Manager can generate and memorize strong passwords for all of your accounts. It can also log you into your accounts automatically. Thus, using a password manager might make things much easier and, most importantly, help you protect your devices and your privacy against hackers. To find out more about how Cyclonis works and what other features it has to offer, read here.

All in all, the CallStranger weakness might not be an issue that could help hackers steal identities. However, if you do not want hackers to misuse your devices for malicious things or access other machines and the information that your devices could provide, it is best to look into the issue and take extra precautions. For more information on the security vulnerability, including the list of devices confirmed to be affected by it, we recommend checking the callstranger.com website.

By Foley
September 28, 2020
Computer Security
English
September 28, 2020
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Malware

5 Security Tips That Will Help You Protect Your IoT Devices

There’s a dark side to anything popular. Anything that grows eventually has to face a number of threats trying to bring it down or exploit it. It seems that the Internet of Things is becoming the next best thing in... Read more

December 6, 2019
Computer Security

1 Billion WI-Fi Connected Devices Are Vulnerable Due to a Security Vulnerability

IoT is the future, or so we're being told all the time - with technology not so much marching, but rather frog leaping into orbit, smart homes and interconnected appliances that you can command at will from your phone... Read more

March 30, 2020
News

A Newly Discovered LTE Vulnerability Makes It Possible to Impersonate Mobile Devices and Their Owners

Onе of the key roles of IT security specialists and researchers nowadays is not only to develop countermeasures to existing threats and attacks but to discover weaknesses in essential IT systems and to take measures... Read more

March 31, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.