UPnP flaws expose 50 million devices to attack, researchers find

Home users urged to disable protocol on routers

Millions of consumer devices using the ubiquitous Universal Plug and Play (UPnP) protocol, including routers, printers, media servers and webcams, are vulnerable to a cocktail of dangerous security vulnerabilities, pen-testing outfit Rapid7 has discovered.

UPnP's security raggedness is not exactly news, but the scale of the problems discovered by Rapid7 in a five-month research exercise between June and November 2012 should still be a wake-up call.

UPnP was designed for use inside home networks to allow easy discovery and communication between devices, yet the company was still able to find 81 million external IP addresses that responded to UPnP SSDP probes, 17 million of which also exposed communication via Simple Object Access Protocol (SOAP) that can allow web access behind a firewall.

The researchers were able to identify 6,900 product versions from 1,500 vendors that were vulnerable to at least one flaw, equivalent to possibly as many as 50 million vulnerable IPs.

All told, 23.6 million were open to up to eight remote code execution vulnerabilities connected to the Portable UPnP SDK (now the open source libupnp SDK), developed as far back as 2001 by Intel, including one flaw discovered by Rapid7 during its research.

"For the reasons outlined above, we strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments," said Rapid7's HD Moore.

"UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers."

The SDKs could lie at the heart of the problem; only four of them, including Intel's, accounted for 73 percent of the UPnP systems the firm was able to discover, a risky lack of diversity.

What Rapid7 and Moore have uncovered is a bit of a software mess; millions of devices exposed to attackers, and a large number of those vulnerable to known flaws that will likely never be fixed.

The problem is that devices have a short shelf life before they become obsolete; many are simply never updated.

Where updates were impossible, Moore recommended isolating the device: "If the UPnP service cannot be disabled and the vendor does not have an update, it may be prudent to segment the device from the rest of the network."

Home users should make sure that UPnP is disabled on home and mobile broadband routers.

Windows users could download the free and simple ScanNow tool to check for vulnerable endpoints, he said, while Mac and Linux users could try the more complicated Metasploit.

As to which products are affected, three lists have been published: products affected by the UPnP SOAP issue, products affected by the Intel Portable UPnP SDK flaws, and products using a third SDK with problems, MiniUPnP.
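As an added illustration (not code from Rapid7 or from the article), the Python sketch below inventories UPnP devices on your own network with a standard SSDP M-SEARCH and sorts each reply by the SDK family named in its SERVER header. The marker substrings, the function names and the sample reply are assumptions constructed for this example; matching a marker identifies the SDK family only, not whether a given version is vulnerable.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
M_SEARCH = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
# Assumed SERVER-header substrings for the two SDK families the article names.
SDK_MARKERS = {"portable sdk for upnp": "Intel Portable SDK / libupnp",
               "miniupnpd": "MiniUPnP"}
# Constructed sample reply (not captured from a real device; version is a placeholder).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:49152/desc.xml\r\n"
                b"SERVER: Linux/2.6 UPnP/1.0 Portable SDK for UPnP devices/x.y.z\r\n"
                b"ST: upnp:rootdevice\r\n\r\n")

def parse_ssdp(raw):
    """Return lower-cased headers of an SSDP search reply, or {} for anything else."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}  # NOTIFY announcements, errors and empty datagrams are ignored
    pairs = (line.partition(":") for line in lines[1:])
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def classify(addr, raw):
    """Summarise one reply: source address, SDK family, raw SERVER and LOCATION."""
    headers = parse_ssdp(raw)
    if not headers:
        return None
    server = headers.get("server", "")
    sdk = next((f for m, f in SDK_MARKERS.items() if m in server.lower()), "other/unknown")
    return {"addr": addr, "sdk": sdk, "server": server,
            "location": headers.get("location", "")}

def discover(timeout=3.0):
    """Send one M-SEARCH on the local network and classify every reply."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, SSDP_GROUP)
        try:
            while True:
                raw, (addr, _port) = sock.recvfrom(65507)
                found.append(classify(addr, raw))
        except socket.timeout:
            pass  # no more replies within the timeout window
    return [device for device in found if device]

if __name__ == "__main__":
    for device in discover():
        print(device)
```

A reply on the LAN only shows that a device speaks UPnP and which SDK it reports; whether the same service answers on the internet-facing interface has to be checked from outside the network.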
