A new vulnerability named 'CallStranger' is making the rounds in the IoT world, illustrating the dire security issues that users confront every day. The vulnerability is also a perfect example of why dedicated IoT security measures are needed to cover the gaps left by manufacturers.
Leonard Cohen and cybersecurity have little in common, but his lyrics perfectly illustrate a point that's always true, but not usually voiced. "There is a crack in everything, that's how the light gets in" is now a cliché, but the corollary applies perfectly to the IoT ecosystem: "There's always a crack."
The unfortunate truth is that devices and software always have vulnerabilities: some are already known, while others are still waiting to be discovered and exploited. An unbreachable device is a nice concept, but that's not how things work in the real world. Hackers often find vulnerabilities in the most unlikely places. If we're lucky, they're white hat hackers and they notify the manufacturers, giving them time to issue patches.
In the worst-case scenario, vulnerabilities remain hidden for years. And when they are discovered, they affect so many generations of devices that it becomes impossible to count the affected hardware.
CallStranger will be here for a long time
Because of the large number of devices affected by CallStranger, the vulnerability will be with us for years. Manufacturers won't issue patches for devices they no longer support. Many users will never update their devices, and there's a good chance that people are still using devices made by companies that don't exist anymore.
CallStranger is a vulnerability in the Universal Plug and Play (UPnP) protocol, which allows devices to communicate with each other when they are on the same network. Since the protocol is meant for closed, trusted networks, it has no authentication process.
Some devices, such as routers, usually arrive with the protocol turned off, leaving users with the option to enable it. But smart TVs, for example, are going to ship with it turned on. The advisory posted by Yunus Çadırcı, the security researcher who identified the problem, explains how it works:
"Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices."
While the vulnerability is serious, the danger it poses doesn't come from remote code execution. The biggest CallStranger risk comes from possible data exfiltration, and the researcher believes that, now that the vulnerability has been revealed, it's going to be used in DDoS attacks and implemented as a new technique by bad actors.
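The Callback header described in the advisory can be checked on a device or gateway before a subscription is accepted. The following is an added example, not code from the advisory or from Bitdefender; the policy (accept only IP-literal http callbacks that point back at the subscriber), the 192.168.1.0/24 network, the sample requests and the function names are all assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network

def callback_urls(raw_request):
    """Extract delivery URLs from the CALLBACK header of a SUBSCRIBE request."""
    lines = raw_request.splitlines()
    if not lines or not lines[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        if name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^<>]*)>", value)  # one or more <url> entries
    return []

def check_callback(url, subscriber_ip, lan=LAN):
    """Return None when the URL is acceptable, otherwise the reason it is not."""
    try:
        parts = urlsplit(url)
        host = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return "host is not an IP literal"
    if parts.scheme.lower() != "http":
        return "scheme is not http"
    if host == ipaddress.ip_address(subscriber_ip):
        return None
    if host in lan:
        return "targets another LAN host"
    return "targets a host outside the LAN"

def audit(subscriber_ip, raw_request):
    """List (url, reason) for every callback the policy would reject."""
    findings = []
    for url in callback_urls(raw_request):
        reason = check_callback(url, subscriber_ip)
        if reason:
            findings.append((url, reason))
    return findings

def subscribe(callback_value):
    """Build a constructed SUBSCRIBE request for the demo below."""
    return ("SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
            f"CALLBACK: {callback_value}\r\nNT: upnp:event\r\n\r\n")

if __name__ == "__main__":
    for src, cb in [("192.168.1.50", "<http://192.168.1.50:8080/notify>"),
                    ("192.168.1.50", "<http://203.0.113.10/>"),
                    ("192.168.1.77", "<http://192.168.1.77:9000/a><http://192.168.1.20:631/>")]:
        print(src, audit(src, subscribe(cb)) or "ok")
```

A rejected callback is a reason to refuse the subscription or raise an alert; the same check can be run over logged SUBSCRIBE requests to find devices that accepted one.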
ISPs are in the crossfire, again
UPnP is managed by the Open Connectivity Foundation, which already updated the technology stack to include a fix. But there's a long way between a fix from the Open Connectivity Foundation and a patch issued by manufacturers, if they ever issue one.
The protocol is used in lots of devices, including IP cameras, printers and routers. This last category is the most important because routers are gateways for our homes and businesses, making them especially sensitive to potential vulnerabilities.
Some device vendors named in the CallStranger advisory have issued or are in the process of issuing a patch, but we mustn't forget that ISPs, which often provide their users with customized solutions, are among the biggest customers for router vendors.
Regular users will only have to check with their router vendor if a patch is available, and install it as quickly as possible. But what happens with ISPs that depend on other vendors, and how will they push those patches to their consumers?
Such vulnerabilities leave the ISP in a very precarious position. They risk having a large number of vulnerable routers in their infrastructure that can become part of a DDoS bot network. And their customers want to know if the routers in their homes are secure.
Built for this purpose
The Bitdefender IoT Security Platform is designed especially for situations such as these. The result is the same whether it's implemented in a smart router bought directly by the user or it's available through routers provided by ISPs.
With the full technology stack, a router running the Bitdefender IoT Security Platform will, at the very least, notify users which of their devices are vulnerable to CallStranger and recommend that UPnP be turned off. But the technology is much more powerful than just that, offering exploit prevention, DDoS protection, device security, VPN, and many other features.
More importantly, users running a solution like Bitdefender Total Security on their devices can rest easy knowing that their devices are safe. ISPs can rest assured the technology stack is always up to date thanks to its continued access to the Global Protective Network (GPN). With 7 billion queries per day, reflective models and advanced machine learning algorithms to extract malware patterns, the intelligence provided by the database is unparalleled. Bitdefender offers ISPs the possibility to deliver an end-to-end security solution to their users without equipment recall or additional hardware.