Severe security problem detected in all IoT devices
 

CallStranger needs patching

A severe vulnerability in a core protocol found in almost all internet of things (IoT) devices allows and attackers to hijack smart devices for DDoS attacks and bypass security to reach and conduct scans on a victim's internal network .

Dubbed CallStranger, the bug impacts UPnP, which stands for Universal Plug and Play, a collection of protocols that ship on most smart devices.

UPnP feature allows devices to see each other on local networks, and then establish connections to easily exchange data, configurations, and even work in sync.

UPnP has been around since the early 2000s, but since 2016, its development has been managed by the Open Connectivity Foundation (OCF), which controls what makes it in the UPnP protocols, in an effort to standardise how these features work across devices.

Security engineer named Yunus Çadirci found a bug in this extremely widespread technology which means that an attacker can send TCP packets to a remote device that contains a malformed callback header value in UPnP's SUBSCRIBE function.

This malformed header can be abused to take advantage of any smart device that was left connected on the internet, and which supports the UPnP protocols -- such as security cameras, DVRs, printers, routers, and others.
https://fudzilla.com/news/iot/50966-...ll-iot-devices