Device makers blamed for consumer risk from UPnP flaws

Manufacturers are being blamed for the security risks customers face from major flaws in the implementation of the UPnP standard that leave tens of millions of network-enabled devices open to cyberattacks.

Security vendor Rapid7, which released a white paper on the vulnerabilities on Tuesday, says manufacturers do a miserable job at releasing timely firmware updates to fix security problems. Manufacturers whose products are affected by the UPnP vulnerabilities include Cisco-owned Linksys, Netgear, Belkin and D-Link.

"You have to keep in mind their business model. These are companies that make their money by every six months based on shipping their next round of devices," said HD Moore, chief security officer for Rapid7. "After two or three years from the first time they launched the device, it's really not worth the time or effort to maintain firmware updates for it."

Netgear declined to comment, while Belkin and D-Link did not respond to emails. Linksys said it was aware of the problem and advised customers to go to its website to find out whether their home router was affected and to learn how to disable UPnP.

UPnP is a set of networking protocols that permits many consumer electronics to discover each other on a network. At that point, the devices can establish network services for data sharing, communication, media streaming and media playback control.

The protocols are designed for use in closed home networks. However, a misconfiguration of the UPnP protocol exposed many wireless routers, printers, media servers, IP cameras and smart TVs to cyberattacks, Rapid7 said.

A scan of the Internet from June to November last year found more than 80 million devices that responded to UPnP discovery requests, Rapid7 said. Tens of millions of the devices were susceptible to cyberattack as a result of any one of several vulnerabilities.

In general, device manufacturers change hardware in products whenever they find cheaper components. At the same time, they only support product configurations that they are currently shipping, Moore said. As a result, products seldom get maintenance support for longer than one or two years, leaving it up to users to search for firmware updates, if they are even available.

"For the most part, once the device has been out there for a year or two, the vendor stops maintaining it, with some exception for devices that are more popular than others," Moore said. "I was talking to a vendor yesterday that said, 'If we're not shipping it; we're not supporting it.'"

The UPnP problem affects primarily consumers and small businesses, which are the primary buyers of the products. One way to prevent exposure to attackers is to find the configuration tools that ship with the device and manually disable UPnP.

A more comprehensive solution would be to have Internet service providers block the port used by UPnP to discover devices over the Internet. However, ISPs are unlikely to take such a step without pressure from customers.

On Tuesday, the U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, advised consumers and businesses to disable UPnP.

Device manufacturers have been criticized before for failing to quickly patch vulnerabilities. Makers of Android tablets and smartphones are notoriously slow at distributing updates of the Google mobile platform. As a result, Android has become a primary target for mobile malware.


Stories by Antone Gonsalves
