'CallStranger' Vulnerability Found in Most IoT Devices Gives Cybercriminals Advantages

Researchers warn users about a security vulnerability that may affect billions of IoT (Internet of Things) devices around the world. It is known as the CallStranger vulnerability, and, according to cybersecurity specialists, it can be misused to perform DDoS (Distributed Denial of Service) attacks, scan internal ports, and exfiltrate data. Therefore, users are encouraged to take extra precautions that would prevent hackers from misusing this security vulnerability. If you want to know how you could protect your IoT devices, learn more about this weakness, or find answers to questions like "What is a distributed denial of service attack?", we invite you to read our full blog post. If there is anything you want to ask about the discussed security vulnerability, keep in mind that you can leave us a message in our comments section.

The CallStranger weakness was discovered by Yunus Çadırcı, a cybersecurity expert at EY Turkey. He found that there is a way to misuse a set of networking protocols called UPnP (Universal Plug and Play). It allows networked devices like computers and printers to discover one another on the network. UPnP is used by most IoT devices so that they can exchange configurations and other data as well as work in sync. The protocol is managed by an organization called OCF (Open Connectivity Foundation), which was informed about the security vulnerability soon after its discovery at the end of 2019. At the beginning of 2020, the organization informed vendors of IoT devices that could have the CallStranger vulnerability, but the weakness has not yet been removed completely.

How can hackers misuse the CallStranger security vulnerability?

Specialists say that regular home users are less at risk than various companies and organizations. That is because the vulnerability may allow hackers to bypass security devices and exfiltrate data, and companies often have lots of IoT devices connected to the same network. Thus, targeting them might provide hackers with access to more devices and information.

Nonetheless, cybersecurity specialists believe that no one is safe because cybercriminals might misuse CallStranger not only to exfiltrate data but also to perform DDoS attacks. What is a distributed denial of service attack? It is an attack during which hackers try to make a device or a machine unavailable by flooding it with more traffic than it can handle, which overloads the targeted system. Cybercriminals need to send an enormous number of requests from different devices to make it happen, which they usually do by misusing vulnerable IoT devices connected to a so-called botnet. The worst part is that you might not know if your device is being misused this way.

When will this security vulnerability be removed?

Specialists say that the CallStranger weakness is being removed already. However, the process will be slow since the weakness affects billions of IoT devices, and each of them must receive a firmware update. Not to mention, it will take time for all the providers of such devices to patch the vulnerability and provide the patch to their users. Thus, there is no exact date when we will no longer have to worry about the CallStranger weakness. Until it happens, it is advisable to take extra precautions if you do not want hackers to be able to access your IoT devices.

What can you do to protect your devices from the CallStranger vulnerability?

According to the website dedicated to the CallStranger weakness, regular home users should ask their ISP (Internet Service Provider) if their routers have Internet-facing UPnP with the CallStranger vulnerability. There is no need to disable UPnP on such devices, but users are advised to make sure that their UPnP endpoint is not exposed to the Internet.

What about various companies using IoT devices that could have the discovered security vulnerability? Specialists advise closing UPnP ports to the Internet if possible. Companies that use security devices should block all Subscribe and Notify HTTP packets in ingress and egress traffic as well as configure their DDoS protection devices. Organizations using intranet are advised to disable UPnP services on printers, routers, and other devices, if possible. Lastly, it is advisable to regularly check websites providing information on the security weakness and its removal progress to find out the latest tips and news.
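The following is an added example, not code from the researchers or from any vendor, showing the perimeter rule described above as detection logic: it flags UPnP Subscribe and Notify HTTP requests that cross the network boundary in either direction. The internal address ranges, the sample packets, and the choice to leave purely internal traffic alone are assumptions made for the illustration.

```python
import ipaddress

# UPnP eventing methods the advice says to block in ingress and egress traffic.
BLOCKED_METHODS = {"SUBSCRIBE", "NOTIFY"}

# Assumption: the organization's internal networks are the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def http_method(payload: bytes):
    """Return the HTTP request method of a TCP payload, or None if not a request."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    try:
        return parts[0].decode("ascii").upper()
    except UnicodeDecodeError:
        return None

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def verdict(src: str, dst: str, payload: bytes) -> str:
    """Block Subscribe/Notify requests that cross the perimeter; allow the rest."""
    if http_method(payload) not in BLOCKED_METHODS:
        return "allow"
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in == dst_in:
        return "allow"  # assumption: same-side traffic is outside this rule
    return "block-egress" if src_in else "block-ingress"

# Constructed sample traffic: (source IP, destination IP, first bytes of payload).
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.168.1.20", b"SUBSCRIBE /upnp/event HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"),
    ("192.168.1.20", "203.0.113.5", b"NOTIFY /events HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"),
    ("192.168.1.20", "192.168.1.30", b"subscribe /upnp/event HTTP/1.1\r\n\r\n"),
    ("192.168.1.20", "203.0.113.5", b"GET /index.html HTTP/1.1\r\n\r\n"),
    ("203.0.113.5", "192.168.1.20", b"\x16\x03\x01\x02\x00\x01"),
]

def scan(packets):
    return [verdict(src, dst, payload) for src, dst, payload in packets]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE_PACKETS, scan(SAMPLE_PACKETS)):
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} {result}")
```
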

What else can you do to protect your IoT devices?

You might already be tired of hearing this, but it is vital that you use strong passwords everywhere. That means, if you own a smart fridge, a printer, or any other device that could be connected to the Internet and so used for DDoS attacks or accessing your other devices, you should set up strong passwords. Keeping devices’ default passwords is the worst thing to do, although using easily guessable combinations is not a huge improvement either. Thus, if you care about your cyber security, we recommend creating passwords of at least 12 characters that contain lower-case and upper-case letters, numbers, and symbols.

You might think that it would be difficult to set up strong passwords for all of your accounts and memorize them too, but, ever since password managers appeared, you no longer have to choose between convenience and security. For instance, a tool like Cyclonis Password Manager can generate and memorize strong passwords for all of your accounts. It can also log you into your accounts automatically. Thus, using a password manager might make things much easier and, most importantly, help you protect your devices and your privacy against hackers. To find out more about how Cyclonis works and what other features it has to offer, read here.

All in all, the CallStranger weakness might not be an issue that could help hackers steal identities. However, if you do not want hackers to misuse your devices for malicious things or access other machines and the information that your devices could provide, it is best to look into the issue and take extra precautions. For more information on the security vulnerability, including the list of devices confirmed to be affected by it, we recommend checking the callstranger.com website.

September 28, 2020