Billions of smart home devices open to attack: What to do
Security flaw could let hackers steal data, attack IoT devices
Billions of smart home devices could be susceptible to cyberattacks due to a serious vulnerability discovered in a networking protocol.
The CallStranger vulnerability would let hackers steal user data, scan networks and launch distributed denial-of-service (DDoS) attacks from many Internet of Things (IoT) devices.
- VPN: add a layer of extra protection thanks to a virtual private network
- Best antivirus: stay safer online with watertight virus protection
- Smart TVs, fridges and light bulbs may stop working next year: Here's why
Among the device models confirmed to be vulnerable were the Xbox One, a couple of Samsung smart TVs, several printer models from Canon, Epson and HP, and routers and modems from Broadcom, D-Link and Huawei. The researcher who discovered this flaw also thinks all current builds of Windows 10 may be vulnerable.
Vulnerabilities in more than a dozen other devices are awaiting confirmation.
Discovered by security professional Yunus Çadırcı, the bug affects a networking protocol called Universal Plug and Play (UPnP), which enables consumer devices to easily find and share data with each other on a local network.
According to a dedicated website about CallStranger, the vulnerability is “caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices”.
The website explains how hackers can use the bug to bypass data-loss prevention and network-security devices to exfiltrate data; use millions of Internet-facing UPnP devices to stage amplified reflected DDoS attacks; and scan internal network ports from internet-facing UPnP devices.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
The first scenario would affect mainly company networks and other enterprise deployments, but the other two hit the consumer level.
If your smart-home devices were hacked to stage DDoS attacks, your bandwidth would suffer and the devices would probably be left open to other attacks; if your internal network was scanned by an outside attacker, any open port could be used to infect your devices.
Billions of devices potentially affected
Çadırcı estimates that the vulnerability could affect billions of devices as the UPnP vulnerability impacts Windows devices, Xboxes and most TVs and routers.
He went on to explain that as because the CallStranger vulnerability can be exploited for DDoS attacks, botnets may start implementing this new technique by coming after consumer devices.
“Because of the latest UPnP vulnerabilities," Çadırcı wrote, "enterprises blocked Internet exposed UPnP devices so we don't expect to see port scanning from Internet to Intranet but Intranet2Intranet may be an issue”.
Since Çadırcı reported CallStranger last year to the Open Connectivity Foundation, which maintains the UPnP protocol, the foundation has released updates for UPnP.
But he added: "Because this is a protocol vulnerability, it may take a long time for vendors to provide patches.”
How to protect yourself from CallStranger attacks
If you're somewhat tech-savvy, Çadırcı has posted a Python script on GitHub that can be used to scan your local network for vulnerable devices.
But the first thing you should do is going into your home Wi-Fi router's administrative settings and find and disable UPnP. Every decent router should allow you to turn UPnP off -- if yours doesn't, you need a better router.
If you rent your router from your internet service provider, such as the cable company or the local phone company, then call their helpline for assistance in how to disable UPnP on the router.
- Read more: Protection without the cost? Discover the best free VPN
Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!