
Security Bits — 14 June 2020

Feedback & Followups

Deep Dive — The CallStranger UPnP Vulnerability

A security researcher has released details of a new vulnerability in the Universal Plug & Play (UPnP) specification that allows attackers to commandeer vulnerable devices for use in distributed denial of service (DDoS) attacks.

For home users the big danger is routers with UPnP enabled on the internet-facing (WAN) side of the router. This won’t allow attackers to attack you, but it will allow them to use your router to attack others.

If you don’t need it, I would suggest disabling UPnP on your router. This is by no means the only UPnP attack out there, so disabling UPnP has been my advice for years anyway!

The problem was in the UPnP specification itself, which has since been updated. Device vendors now need to create and distribute firmware updates that bring their implementations in line with the revised spec.

Links

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Excellent Explainers

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
