CallStranger UPnP flaw puts billions of Devices at Risk

"Call Stranger" flaw in UPnP allows attackers to launch DDoS attacks and scan internal ports, security researcher says. Billions of network-connected devices, such as printers, routers, smart TVs, and video game consoles, are open to attack via security vulnerability in a protocol that allows the devices to communicate with each other.


Nearly 5.5 million of the vulnerable devices are currently publicly accessible over the Internet and can be used to launch denial-of-service (DoS) attacks against targeted systems or enable data theft.



The vulnerability — called CallStranger (CVE-2020-12695) — enables attackers to use a vulnerable Internet-connected device to bypass security mechanisms and scan internal ports for other similarly vulnerable devices on enterprises' local area networks.

"The [vulnerability] permits an attacker to send large amounts of data to arbitrary destinations accessible over the Internet, which could lead to a Distributed Denial of Service (DDoS), data exfiltration, and other unexpected network behavior.”

A security researcher discovered the flaw last December and reported it to the Open Connectivity Foundation (OCF), the group that manages the Universal Plug and Play (UPnP) protocol in which the bug exists. The problem, specifically, is associated with an UPnP function called SUBSCRIBE that allows devices to monitor the status of other network-connected UPnP services and devices. Attackers can take control of the function via specifically crafted SUBSCRIBE requests over HTTP.

OCF updated the UPnP protocol specification on April 17 to address the issue and has notified vendors and ISPs about the need to upgrade to the new specification. However, because the flaw lies at the protocol level, it could take a long time before all vendors address the issue.

The researcher posted a detailed technical description of the vulnerability and proof-of-concept code to exploit it on GitHub. He listed devices from over 20 vendors, including Microsoft, Cisco, Canon, HP, and Philips, as confirmed as being affected. The status of products from dozens of other vendors remains currently unknown; though it is more than likely they are impacted as well. A wide range of plug-in-play products is impacted, including Xbox gaming consoles, printers, routers, switches, and cameras.

"The CallStranger vulnerability exists because the 'Callback' header value in the UPnP SUBSCRIBE function is not checked,”. "To exploit the flaw, an attacker could stuff their request with a large volume of target URLs across multiple vulnerable devices, overwhelming their target's resources [and] resulting in a denial of service,”

How attackers exploit the vulnerability?

"If a single device on a network has a vulnerable version of UPnP connected to the Internet, an attacker could use the flaw to perform a port scan of the internal network for potentially vulnerable devices,”.

The problem with UPnP is that it is designed from the ground up, without any regard for security. In most cases, devices running the protocol implicitly trust requests from other devices on the local network without any prior authentication.

The CallStranger vulnerability gives attackers a way to launch DDoS attacks and steal data. "When talking about stealing data with UPnP, it absolutely depends on the device. Connected media devices, for example, often reveal unique identifiers. Similarly, printers may allow monitoring of print status, and routers may give detailed information about the names and addresses of devices on the network.

"In general, though, all of these problems exist independent of CallStranger through web browser-based attacks,” "If you load a web page while connected to the same network as UPnP-enabled devices, that web page can, in most cases, start accessing the UPnP devices."

PoC Code Released:
With PoC code now available, an attacker could easily scan for and collect a list of vulnerable devices that are publicly accessible. They could then modify or create their own script to launch a DDoS attack against a target of their choosing using the vulnerable devices they've identified.


It is recommended to consider the following best practices:


  1. Disable UPnP on all Internet-accessible interfaces.
  2. It also advised device manufacturers to disable the SUBSCRIBE capability in their default configurations, so users would need to explicitly enable the feature with restrictions to limit usage within a trusted LAN.
  3. Vendors are advised to implement the updated specifications provided by the OCF.
  4. Users should keep an eye on vendor support channels for updates implementing the new SUBSCRIBE specification.