Aaron Forbes

The UPnP security exploit affecting millions of home devices


You might have heard the term “plug and play” before. In general, it describes a device that works without any user configuration, giving a smooth, easy setup and trouble-free use throughout the device’s lifetime. Although this sounds appealing at first, the Universal Plug and Play (UPnP) protocol has seen its share of controversy over its lifespan and has been targeted by malware that can affect an entire home network.

What exactly is UPnP?

UPnP stands for Universal Plug and Play and was originally created for home and small-business networks to ease the configuration of new devices joining the network. Devices of virtually every kind use UPnP: smart TVs like Roku and Apple TV, remote home surveillance cameras, home assistants like Google Home and Amazon Alexa, IoT devices such as thermostats and locks, gaming consoles, printers, speakers, and many more.

UPnP lets devices on a network detect the presence of other devices. Without it, devices can still share resources with other things on the network; the protocol mainly makes discovery easier, and it is no longer required for that local discovery.

More modern protocols such as mDNS, Avahi, and Bonjour are now commonly supported for this kind of auto-discovery on local networks. The primary purpose of the UPnP protocol today is to poke holes in a router's firewall so that other machines can talk to a system behind a NAT-configured router.

UPnP is easily exploitable

UPnP also allows unsolicited traffic between devices without any form of authentication or verification, and that is what leaves them open to exploitation. When it was originally created, UPnP was designed to work at the LAN level, meaning every device on the home network could connect to every other device, not just to the router.

Most routers ship with UPnP enabled by default, with the good intention of making things easier for the user: the router uses UPnP to open ports to the outside world automatically, allowing direct connections between devices, such as two Xboxes playing a game together without a third-party server. But enabling UPnP for this convenience can also lead to big security problems.

Because UPnP in most cases needs neither authorization nor authentication, a router with it enabled assumes that every device attempting a connection is trustworthy. That is not always the case. In theory, this lets an attacker into your network with ease, giving them remote access to other devices on the network, a way to proxy their traffic through your router, a way to enlist your network in DDoS attacks, and much more.

A UPnP capability, the SUBSCRIBE request, can be used to make these devices generate substantial amounts of traffic, which lends itself to a Distributed Denial of Service (DDoS) attack. This large-scale vulnerability has been assigned the entry number CVE-2020-12695 and is now known as CallStranger.

The DDoS that CallStranger enables works by convincing devices to send their status updates and periodic capability announcements to a third party. Multiplied across the sheer number of devices, this traffic quickly adds up to a DDoS against the remote target, while the devices themselves are largely unaffected.
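To make the mechanism concrete, here is an added Python example; it is not code from this post, nor from any router vendor's UPnP stack. A UPnP subscriber sends a SUBSCRIBE request whose CALLBACK header names the URL that future event NOTIFY messages should be delivered to, and CallStranger works because devices honour whatever URL is placed there. The check below parses a SUBSCRIBE request and refuses the subscription unless every callback host is an IP literal inside the device's own LAN. The network 192.168.1.0/24, the sample requests and the 203.0.113.7 address (documentation range) are all constructed for this example.

```python
"""Validate the CALLBACK header of a UPnP event SUBSCRIBE request.

Added example (not code from the Minim post or from any vendor's UPnP stack).
A UPnP device delivers event NOTIFY messages to whatever URL a subscriber
names in CALLBACK; CallStranger abuses that. The mitigation shown here is to
accept only callback hosts that sit on the device's own LAN.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical LAN the device lives on (constructed for this example).
LOCAL_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# Each callback URL is wrapped in angle brackets, e.g. <http://host:port/path>,
# and several may be listed back to back.
_CALLBACK_URL_RE = re.compile(r"<([^<>]+)>")


def parse_subscribe(raw: str) -> dict:
    """Parse a raw HTTP SUBSCRIBE request into its header fields (lower-cased names)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0]
    if method != "SUBSCRIBE":
        raise ValueError(f"not a SUBSCRIBE request: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def callback_urls(headers: dict) -> list:
    """Return every URL listed in the CALLBACK header."""
    return _CALLBACK_URL_RE.findall(headers.get("callback", ""))


def is_local_callback(url: str, network=LOCAL_NETWORK) -> bool:
    """True only if the URL is http:// and its host is an IP literal inside our LAN.

    Hostnames are rejected rather than resolved: a name could resolve to an
    outside address later, so a literal LAN address is required.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # a hostname, not an IP literal
    return host in network


def accept_subscription(raw: str, network=LOCAL_NETWORK) -> bool:
    """Decide whether to honour a SUBSCRIBE request.

    The vulnerable behaviour would be to return True for any well-formed
    request. Hardened: every callback URL must be a local http:// address,
    and a request with no callback at all is refused.
    """
    headers = parse_subscribe(raw)
    if headers.get("nt", "").lower() != "upnp:event":
        return False
    urls = callback_urls(headers)
    return bool(urls) and all(is_local_callback(u, network) for u in urls)


# Constructed requests for a quick self-check (not captured traffic).
LEGIT_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)

# Same request, but a second callback points outside the LAN
# (203.0.113.7 is a documentation-only address used as a placeholder).
EXTERNAL_SUBSCRIBE = LEGIT_SUBSCRIBE.replace(
    "<http://192.168.1.20:8080/notify>",
    "<http://192.168.1.20:8080/notify><http://203.0.113.7:80/>",
)

if __name__ == "__main__":
    print("local callback accepted:", accept_subscription(LEGIT_SUBSCRIBE))
    print("external callback accepted:", accept_subscription(EXTERNAL_SUBSCRIBE))
```

Rejecting hostnames outright, rather than resolving them, is a deliberate choice: a device that resolves a name at subscription time can still be pointed at an outside address later, whereas an IP literal inside the LAN cannot be redirected.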

Because of this, detecting the CallStranger exploit is tricky, so Minim looks for the excessive activity it causes rather than for the malware itself. According to Sam Stelfox, a Software Engineer at Minim, users would be able to tell they are affected by CallStranger from a network slowdown: “It could also potentially be chained with other vulnerabilities on a device to do even more damage.”

CallStranger: a UPnP exploit

CallStranger exploits a security flaw in the Universal Plug and Play network protocol and was first reported by Yunus Çadırcı, the Cyber Security Senior Manager at EY Turkey. The vulnerability can be used to:

  • Bypass DLP and network security devices to steal data
  • Utilize millions of Internet-facing UPnP-enabled devices as a source of amplified reflected TCP DDoS
  • Scan internal ports from Internet-facing UPnP devices

Çadırcı speculates that it may take vendors a long time to provide the necessary patches, because the flaw lies in the protocol itself rather than in a particular platform or piece of software. The good news for the technically advanced, however, is that he has developed a script to check whether a device is affected.

If UPnP is so easily exploited, why are we still using it?

Some of Minim’s customers still use the UPnP protocol simply because it’s unavoidable, according to Stelfox.

“Many multiplayer games and gaming systems require UPnP to allow them to connect to each other directly,” he says. “Triple-A game titles and games that have dedicated servers generally do not, but even those have exceptions as direct peer-to-peer interactions like this are significantly easier to manage and maintain than central services.”

Stelfox says that users who turn off UPnP won’t notice a difference in performance, but they more than likely will notice if they play a wide variety of multiplayer games, since some gaming platforms still require UPnP in order to function properly.

Protecting your network

Although Minim generally discourages enabling UPnP on our routers, the decision ultimately rests with the manufacturer, the ISP, and then the end user.

“Ultimately, I’d say the risks for this particular vulnerability are to ISP networks—consuming excessive bandwidth—and internet services—being sent all the junk traffic to try and take them down—not to normal end-users,” says Stelfox.

Çadırcı agrees, writing: “Home users are not expected to be targeted directly. If their internet-facing devices have UPnP endpoints, their devices may be used as DDoS sources. Ask your ISP if your router has internet-facing UPnP [endpoints] with the CallStranger vulnerability—there are millions of consumer devices exposed to the Internet.”

Although this is reassuring, it’s still important to secure your home network against the UPnP flaw. There are two ways to do this. The first is simply to disable UPnP altogether; on most routers this can be done from the settings menu. As explained earlier, though, this option may not be practical for some users.

The second option is to enable UPnP-UP (Universal Plug and Play – User Profile), which makes your UPnP-enabled router require authorization and authentication from every device on the network. The downside is that not all routers or devices support it yet.

If neither of these solutions fits your needs, leaving UPnP active on your router may be unavoidable. In that case, a drastic change in your network’s traffic usage (visible in the Minim mobile app) may mean you have a problem. If you aren’t a Minim user, you can check your router’s logs and use a site such as F-Secure’s router checker to find out whether your router has been hijacked.
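As an added illustration of the traffic-based detection described above (this is not Minim's own detection logic and not code from this post), the Python script below reads router flow records in a simple constructed format, keeps only LAN-to-Internet flows, and flags any LAN device that opens more than a threshold number of connections to a single outside host within a sliding time window. That pattern is what a device abused as a CallStranger reflector produces: a steady stream of event deliveries to one attacker-chosen address, while the device itself keeps working normally. The log format, the 192.168.1.0/24 network, the thresholds and the sample records are all assumptions made for the example.

```python
"""Flag a LAN device that keeps connecting to one outside host, the traffic
signature of a UPnP device abused as a CallStranger reflector.

Added example; not Minim's detection code. It assumes router flow records in
a simple constructed text format:
    <epoch seconds> <src ip> <dst ip> <dst port> <bytes>
"""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed local network

# Illustrative thresholds, not figures from the post.
WINDOW_SECONDS = 60          # sliding window length
MAX_FLOWS_PER_WINDOW = 20    # more outbound flows than this to one host is suspicious


def parse_flow(line: str):
    """Parse one flow record into (timestamp, src, dst, port, bytes)."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def outbound_flows(lines):
    """Keep only LAN -> Internet flows, ordered by time; LAN-internal chatter is ignored."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    return sorted((f for f in flows if f[1] in LAN and f[2] not in LAN), key=lambda f: f[0])


def find_reflectors(lines, window=WINDOW_SECONDS, limit=MAX_FLOWS_PER_WINDOW):
    """Return {(src, dst): peak flows seen within one window} for pairs over the limit."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in outbound_flows(lines):
        stamps_by_pair[(str(src), str(dst))].append(ts)

    alerts = {}
    for pair, stamps in stamps_by_pair.items():
        peak = start = 0
        for end in range(len(stamps)):          # stamps are already time-ordered
            while stamps[end] - stamps[start] >= window:
                start += 1                      # slide the window forward
            peak = max(peak, end - start + 1)
        if peak > limit:
            alerts[pair] = peak
    return alerts


def build_sample_flows():
    """Constructed records: a printer (192.168.1.40) checks in with a cloud service a
    few times a minute, while a media box (192.168.1.50) suddenly opens forty
    connections in forty seconds to 203.0.113.7 (a documentation-range placeholder)."""
    lines = [f"{1000 + i * 12} 192.168.1.40 198.51.100.9 443 {1200 + i}" for i in range(5)]
    lines += [f"{1000 + i} 192.168.1.50 203.0.113.7 80 900" for i in range(40)]
    lines.append("1100 192.168.1.50 192.168.1.1 1900 300")   # LAN-internal SSDP, ignored
    return lines


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for (src, dst), peak in find_reflectors(SAMPLE_FLOWS).items():
        print(f"ALERT {src} opened {peak} connections to {dst} within {WINDOW_SECONDS}s")
```

The thresholds need tuning per network: a cloud camera or a game console legitimately holds many connections to one service, so a real deployment would baseline each device first and alert on deviation from its own normal, which is the approach the post attributes to Minim.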
