This week, the discovery of a security flaw in the UPnP protocol was made public.
It poses a threat to millions of connected devices around the world. The vulnerability was discovered by a computer security specialist named Yunus Çadırcı. It allows anyone able to exploit it to steal users' personal information, scan internal networks and launch distributed denial-of-service (DDoS) attacks.
The discovery was announced publicly by Yunus Çadırcı, the researcher behind it, on Wednesday (in 2020), that is, yesterday. The researcher called the security flaw critical.
The vulnerability affects UPnP (Universal Plug and Play), a protocol developed so that connected objects on the same network can interact with each other easily. The problem with this protocol is that it has no authentication mechanism or identity checks, because it was designed to operate on a local network. This security issue (small, but far from negligible) has long led several manufacturers that include the protocol in their connected objects, such as TVs, game consoles, routers, printers and many others, to disable it by default. It is therefore left to the user to activate it (at their own risk). However, Yunus Çadırcı, the researcher behind the discovery, explains that the vulnerability (since named "CallStranger") "is precisely in the Subscribe function of the protocol. This vulnerability can have multiple consequences. It allows a hacker to scan internal networks from a vulnerable device and then exfiltrate data. Alternatively, the hacker can use CallStranger to enlist a vulnerable device in a botnet to launch DDoS attacks."
The good news is that a security fix is now available. It was developed by the Open Connectivity Foundation (OCF), a foundation that aims to promote interconnectivity between computing devices. The UPnP protocol is under its responsibility, so it is in charge of the protocol's development and improvement. The security update that closes the breach is available for download on its official website.
The security flaw affects 5.4 million connected devices in use worldwide. Examples include computers running Windows 10, Xbox One game consoles, Samsung connected TVs, Huawei, Cisco and D-Link routers and modems, and HP, Canon and Epson printers.
The Open Connectivity Foundation and security specialist Yunus Çadırcı have told manufacturers of connected objects that, at least for the time being, they need to "disable the Subscribe feature of the UPnP protocol in the default configuration." And because the vulnerability affects a protocol rather than a single product, it could take a very long time for security patches to be deployed by manufacturers. In any case, Yunus Çadırcı stressed: "You don't expect home users to be directly targeted. If their connected objects have UPnP devices, it is still possible that their devices could be used as a source of a DDoS attack."
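As an added example (not from the article, the researcher or the OCF), the following Python snippet shows the kind of check a device's UPnP eventing code can apply to the Subscribe function discussed above instead of disabling it outright: a subscription is accepted only if every URL in its CALLBACK header points inside the device's own subnet, so the device can never be made to send NOTIFY traffic to an external host. The request lines, addresses and subnet are constructed for the example; the CALLBACK header itself is part of UPnP eventing.

```python
import ipaddress
from typing import List
from urllib.parse import urlparse

# Constructed sample SUBSCRIBE requests as a device on 192.168.1.0/24 might
# receive them. CALLBACK lists the URLs the device will later send NOTIFY
# messages to; a non-local URL is the CallStranger pattern to reject.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
SUBSCRIBE_LOCAL = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.10:49152\r\n"
    "CALLBACK: <http://192.168.1.20:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
SUBSCRIBE_EXTERNAL = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.10:49152\r\n"
    "CALLBACK: <http://192.168.1.20:8080/notify><http://203.0.113.5/x>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)


def parse_callbacks(request: str) -> List[str]:
    """Return every URL listed in the CALLBACK header (empty if absent)."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "CALLBACK":
            return [u.strip("<> ") for u in value.split(">") if u.strip("<> ")]
    return []


def callback_allowed(url: str, local_net: ipaddress.IPv4Network) -> bool:
    """Accept only plain http URLs whose host is an IP literal in local_net."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or parsed.hostname is None:
        return False
    try:
        host = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return False  # a hostname would need DNS and could resolve anywhere
    return host in local_net


def subscribe_allowed(request: str, local_net: ipaddress.IPv4Network) -> bool:
    """Policy: at least one callback, and all callbacks stay on the local subnet."""
    callbacks = parse_callbacks(request)
    return bool(callbacks) and all(callback_allowed(cb, local_net) for cb in callbacks)
```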
Note that security vulnerabilities discovered in connected objects generally attract less attention than those found in smartphones or computers. Yet the danger is the same: the user is exposed, and so is all of their data. As mentioned above, updates take longer to deploy, and some vulnerabilities will never be fixed, at great risk to those who remain exposed. This is why users of connected objects are advised to always choose their tools from manufacturers that make security updates one of their priorities.