UPnP flaws expose 50 million devices to attack, researchers find

Home users urged to disable protocol on routers

Millions of consumer devices using the ubiquitous Universal Plug and Play (UPnP) protocol, including routers, printers, media servers and webcams, are vulnerable to a cocktail of dangerous security vulnerabilities, pen-testing outfit Rapid7 has discovered.

UPnP's security raggedness is not exactly news but the scale of the problems discovered by Rapid7 in a five-month research exercise between June and November 2012 should still be a wakeup call.

Although UPnP is designed for use inside home networks, to allow easy discovery and communication between devices, the company was still able to find 81 million external IP addresses that responded to UPnP SSDP probes, 17 million of which also exposed communication via Simple Object Access Protocol (SOAP) that can allow web access behind a firewall.

The researchers were able to identify 6,900 product versions from 1,500 vendors that were vulnerable to at least one flaw, equivalent to possibly as many as 50 million vulnerable IPs.

All told, 23.6 million were open to up to eight remote code execution vulnerabilities connected to the Portable UPnP SDK (now the open source libupnp SDK), developed as far back as 2001 by Intel, including to one flaw discovered by Rapid7 during its research.

"For the reasons outlined above, we strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments," said Rapid7's HD Moore.

"UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers."

The SDKs could lie at the heart of the problem; only four of them, including Intel's, accounted for 73 percent of the UPnP systems the firm was able to discover, a risky lack of diversity.

What Rapid7 and Moore have uncovered is a bit of a software mess; millions of devices exposed to attackers, and a large number of those vulnerable to known flaws that will likely never be fixed.

The problem is that devices have a short shelf life before they become obsolete; many are simply never updated.

Where updates are impossible, Moore recommended segmentation: "If the UPnP service cannot be disabled and the vendor does not have an update, it may be prudent to segment the device from the rest of the network."

Home users should make sure that UPnP is disabled on home and mobile broadband routers.

Windows users could download the free and simple ScanNow tool to check for vulnerable endpoints, he said, while Mac and Linux users could try the more complicated Metasploit.

As to which products are affected, three lists have been published: products affected by the UPnP SOAP issue, products affected by the Intel Portable UPnP SDK flaws, and products built on a third SDK with problems, MiniUPnP.
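Moore's advice to "identify and disable any internet-exposed UPnP endpoints" and the three vendor lists above both come down to the same inventory question: which devices answer SSDP, and which UPnP stack do they report? The following script is an added example, not code from the article, from Rapid7 or from the ScanNow tool. It builds the standard SSDP M-SEARCH request, parses the HTTP-style responses, and flags devices whose SERVER header names one of the SDK families the article mentions so an administrator can check them against the published lists. The SDK marker substrings and the sample responses are assumptions constructed for the example; the IP addresses and UUIDs are placeholders.

```python
"""Inventory UPnP endpoints from SSDP responses (added example).

SSDP is HTTP-over-UDP on port 1900, multicast group 239.255.255.250.
The SDK marker strings below are assumptions: they are substrings that
commonly appear in the SERVER header of devices built on the SDKs the
article names, but vendors are free to change or remove that header.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Assumed SERVER-header substrings -> SDK family named in the article.
SDK_MARKERS = {
    "Portable SDK for UPnP": "libupnp (Intel Portable UPnP SDK)",
    "Intel SDK for UPnP": "libupnp (Intel Portable UPnP SDK)",
    "MiniUPnPd": "MiniUPnP",
}


def build_msearch(target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Return the bytes of a standard SSDP M-SEARCH discovery request."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


@dataclass
class SsdpDevice:
    source: str              # IP address the reply came from
    server: str = ""         # SERVER header (stack / SDK banner)
    location: str = ""       # LOCATION header (device description URL)
    st: str = ""             # search target the device answered for
    usn: str = ""            # unique service name
    sdk: Optional[str] = None
    review: bool = False     # True when the banner matches a listed SDK


def parse_ssdp_response(raw: bytes, source: str) -> Optional[SsdpDevice]:
    """Parse a unicast 'HTTP/1.1 200 OK' search response.

    Returns None for NOTIFY advertisements and malformed data so that a
    collector loop can simply skip them.
    """
    text = raw.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    dev = SsdpDevice(source=source,
                     server=headers.get("server", ""),
                     location=headers.get("location", ""),
                     st=headers.get("st", ""),
                     usn=headers.get("usn", ""))
    for marker, sdk in SDK_MARKERS.items():
        if marker.lower() in dev.server.lower():
            dev.sdk, dev.review = sdk, True
            break
    return dev


def classify_responses(samples: List[Tuple[str, bytes]]) -> List[SsdpDevice]:
    """Parse a batch of (source_ip, raw_datagram) pairs, dropping non-replies."""
    devices = [parse_ssdp_response(raw, src) for src, raw in samples]
    return [d for d in devices if d is not None]


def probe_local_network(timeout: float = 3.0) -> List[SsdpDevice]:
    """Send one M-SEARCH to the SSDP multicast group and collect LAN replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[SsdpDevice] = []
    try:
        sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (addr, _port) = sock.recvfrom(65535)
            dev = parse_ssdp_response(data, addr)
            if dev is not None:
                found.append(dev)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample datagrams (placeholder addresses, UUIDs and versions).
SAMPLE_RESPONSES = [
    ("192.0.2.1", b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                  b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
                  b"SERVER: Linux/x.y UPnP/1.0 Portable SDK for UPnP devices/x.y\r\n"
                  b"ST: upnp:rootdevice\r\nUSN: uuid:EXAMPLE-0001::upnp:rootdevice\r\n\r\n"),
    ("192.0.2.2", b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.2:5000/rootDesc.xml\r\n"
                  b"SERVER: Linux/x.y UPnP/1.1 MiniUPnPd/x.y\r\n"
                  b"ST: upnp:rootdevice\r\nUSN: uuid:EXAMPLE-0002::upnp:rootdevice\r\n\r\n"),
    ("192.0.2.3", b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.3:8080/desc.xml\r\n"
                  b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/1.0\r\n"
                  b"ST: upnp:rootdevice\r\nUSN: uuid:EXAMPLE-0003::upnp:rootdevice\r\n\r\n"),
    ("192.0.2.4", b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\n\r\n"),  # advertisement, skipped
]

if __name__ == "__main__":
    for d in classify_responses(SAMPLE_RESPONSES) + probe_local_network():
        flag = "REVIEW" if d.review else "ok    "
        print(f"{flag} {d.source:15} sdk={d.sdk or '-':35} server={d.server}")
```

Two caveats matter when reading the output. A device that answers on the LAN is not necessarily internet-exposed; the exposure Rapid7 measured is a response to UDP 1900 arriving at the router's public address, which can only be confirmed from outside the network (or by checking the router's WAN firewall policy). And an unmatched SERVER banner is not a clean bill: vendors rebrand or strip the header, so unflagged devices should still be compared with the published product lists by model and firmware.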
