Billions of smart home devices are vulnerable to cyberattacks due to a serious vulnerability discovered in a network protocol.

The CallStranger vulnerability allows hackers to steal user data from many Internet of Things (IoT) devices, scan networks, and launch distributed denial of service (DDoS) attacks.

Device models identified as vulnerable include the Xbox One, several Samsung smart TVs, several Canon, Epson, and HP printers, and routers and modems from Broadcom, D-Link, and Huawei. The researchers who discovered the flaw also believe that all current builds of Windows 10 may be vulnerable.

More than a dozen other device vulnerabilities are awaiting confirmation.

The bug, discovered by security expert Yunus Çadırcı, affects a networking protocol called Universal Plug and Play (UPnP).

According to a dedicated website about CallStranger, the vulnerability "allows an attacker to control the Callback header value of the UPnP SUBSCRIBE function, causing SSRF-like vulnerabilities that affect millions of Internet-facing devices and billions of LAN devices are affected."

Websites have seen hackers take advantage of this bug to bypass data loss prevention and network security devices to exfiltrate data, or to use millions of Internet-facing UPnP devices to launch amplified, reflective DDoS attacks, how to scan internal network ports from Internet-facing UPnP devices.

The first scenario would primarily affect enterprise networks and other corporate deployments, while the other two would hit the consumer level.

If a smart home device is hacked to launch a DDoS attack, bandwidth is compromised and the device could possibly be exposed to other attacks.

Because the UPnP vulnerability affects Windows devices, Xboxes, and most TVs and routers, Çadırcı estimates that the vulnerability could affect billions of devices.

He further explained that since the CallStranger vulnerability can be exploited for DDoS attacks, botnets could begin implementing this new technique by targeting consumer devices.

"Due to the latest UPnP vulnerability, companies are blocking UPnP devices exposed to the Internet, so port scanning from the Internet to intranets is not expected, but intranet2intranet could be a problem," Çadırcı Mr. Chadırcı wrote.

Since Chadırcı reported CallStranger last year to the Open Connectivity Foundation, which manages the UPnP protocol, the foundation has released updates to UPnP.

However, he added, "Since this is a protocol vulnerability, it may take a long time for vendors to provide patches."

If you are somewhat tech-savvy, he has posted a Python script on GitHub that you can use to scan your local network for vulnerable devices.

But the first thing you should do is go into the administrative settings of your home Wi-Fi router, find UPnP, and disable it. Any decent router should be able to turn off UPnP.

If you rent a router from an Internet service provider, such as your cable company or local phone company, call their helpline and ask how to disable UPnP on your router.