CallStranger vulnerability grants hackers unprecedented network control

Universal Plug and Play devices are exposed

Set of modern port adapters on black surface

A major bug and security flaw in Internet-facing UPnP devices was discovered in December 2019, which allows third parties to compromise the device and force them to participate in DDoS attacks. This bug is referred to as the “CallStranger” vulnerability and presents a serious issue as it affects billions of devices across the globe.

The bug was originally discovered by security engineer Yunus Çadirci. According to him, attackers send TCP packets to a targeted remote device. The packets contain deformed callback headers in UPnP’s SUBSCRIBE function, which ultimately leads to the device’s hijacking.

Furthermore, not only can hackers distribute DDoS attacks from a compromised device, they also can scan other devices on the network to potentially steal credentials and information.

A widespread bug

This is a critical issue, primarily because devices have “Universal Plug and Play” as a core aspect of their design. It means, until the bug is fixed, any device working with this functionality is vulnerable.

This is because of UPnP’s core functionality. UPnP for over a decade allows devices to connect to each other easily to quickly exchange data and information. Users can also sync settings and utilize it to work on projects in real-time. It’s seen use since the early 2000’s, and thus far has seen widespread use.

To standardize how it works and how features are used, the Open Connectivity Foundation took over its development in 2016.

Breaking down CallStranger

The CallStranger bug has its own website which breaks down the various details of how it happens and what can happen. It’s also referred to as CVE-2020-12695.

The website immediately warns that the CallStranger bug can affect devices even with proper border/data loss prevention protections in place. As mentioned, once compromised a network can be used for a DDoS attack.

According to the website, millions of devices are exposed and potentially in danger. This is because it is a protocol vulnerability, a core aspect of UPnP’s functionality. Because of the deeply routed function, patching is expected to take a while before a fix is fully released to all vulnerable devices. 

Protecting your data

Until the patch is fully released and all Internet-facing UPnP devices are accounted for, users should go by these guidelines to shield their networks.

For Home/Remote Workers

Experts don’t expect home users to be the target of these attacks. However, they recommend contacting your ISP if they have UPnP internet-facing devices. It’s not recommended to use port forwarding either.


Internet service providers have a wider range of things to check. Initially, they should check all DSL/cable routers’ UPnP stacks. Afterward, they should request their hardware vendors to update for any vulnerable SUBSCRIBE functions.

Device Vendors

The website recommends updating all internet-facing UPnP device stacks with the appropriate patch to remove the vulnerability. 


Enterprises should take appropriate actions, though it varies based on the size and scope. Some recommendations are closing UPnP connections on devices if they’re not used for work. Others include checking logs for devices used with this vulnerability and configuring for DDoS protection.

Other options

Obviously, this realization is overwhelming for many. If you’re struggling to seek out these vulnerabilities, you can also enlist an MSP like Bytagig to help.

Need more information? Contact us today to learn what we can do for you.

Share this post: