UPnP Bug Makes Home Routers Vulnerable
January 29, 2013

Your UPnP Home Router Could Leave You Open To Cyber Attacks

Michael Harper for redOrbit.com — Your Universe Online

There are two universal laws that should always be considered when contemplating network security. First, any chain is only as strong as its weakest link. Second, when it comes to convenience and security, you must sacrifice some of one for more of the other.

As an example of these two laws at play, security team Rapid7 has issued a white paper describing how common bugs in the everyday protocols used to make connecting to home networks easier are placing millions of devices at risk.

These millions of IP cameras, media servers, printers, routers and smart TVs use the Universal Plug and Play (UPnP) standard to make it easier to connect to a home network. According to Rapid7, it's these standards that are littered with bugs, leaving the devices vulnerable to an attack.

Essentially, it's these weak links in the greater chain of the network -- meant to make connecting them to each other even easier -- that are compromising the security of the entire system.

The security experts at Rapid7 spent the last half of 2012 investigating this standard, measuring its effect on devices across the globe. The results, according to these experts, were “shocking.”

“Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet,” writes HD Moore in the Rapid7 Security Street blog.

“Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities.”

This new paper (released today) focuses on the programming flaws within this protocol that are then used to break into the network and execute malicious code. UPnP protocols are meant to be used within a local network, such as the one consumers have in their homes. However, the security experts at Rapid7 were able to discover some 80 million unique IPs when they sent out discovery requests across the Internet.

Additionally, the security team found 17 million of these IP addresses were allowing even more access into these local networks by exposing the UPnP SOAP (or Simple Object Access Protocol) service. With these SOAP services exposed, the security team could have gotten behind any firewall that may have been set in place and obtained access to any sensitive information that may have been stored on the local network.

Looking at the responses received from these discovery requests, the team was also able to determine specific devices responsible for handing out this information and even discover which UPnP libraries were being used. More than 25 percent of all these responses carried with them UPnP from a library called “Portable UPnP SDK.”

Of these specific UPnPs, eight of them were remotely exploitable, meaning hackers could use them to trigger an attack over the Internet. Two of these protocols could even be used to remotely execute malicious code.

“The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products,” writes Moore in the blog post.

“We strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any Internet-exposed UPnP endpoints in their environments,” concludes Moore, saying that UPnP is often enabled by default on many of these devices, leaving many users vulnerable without their knowledge.
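For administrators acting on that advice, the following added example (not code from Rapid7 or from this article) triages UPnP discovery replies already collected from their own address space: it flags responders on non-local addresses and Portable UPnP SDK versions older than the 1.6.18 fix. The `Portable SDK for UPnP devices/<version>` SERVER token is an assumption about how the library identifies itself, and the sample replies are constructed.

```python
import ipaddress
import re

FIXED = (1, 6, 18)  # release the article says contains the fixes
# Assumed SERVER token for the Portable UPnP SDK; the page does not quote it.
SDK_RE = re.compile(r"Portable SDK for UPnP devices\s*/\s*(\d+(?:\.\d+)*)", re.I)
# IPv4 ranges treated as local; any other source address counts as Internet-facing.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def parse_headers(raw: bytes) -> dict:
    """Parse a discovery reply (HTTP-style headers over UDP) into a lowercase dict."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}  # not a well-formed discovery reply
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def sdk_version(server: str):
    """Return the SDK version as a tuple of ints, or None if the token is absent."""
    m = SDK_RE.search(server)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(src_ip: str, raw: bytes) -> dict:
    """Classify one reply: is it UPnP, is it Internet-facing, does it need the patch?"""
    headers = parse_headers(raw)
    version = sdk_version(headers.get("server", ""))
    addr = ipaddress.ip_address(src_ip)
    local = any(addr in net for net in LOCAL_NETS)
    return {"ip": src_ip, "upnp": bool(headers),
            "internet_exposed": bool(headers) and not local,
            "sdk_version": version,
            "needs_patch": version is not None and version < FIXED}

SAMPLES = [  # constructed replies on documentation/private addresses, not real captures
    ("203.0.113.10", b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
     b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n\r\n"),
    ("192.168.1.1", b"HTTP/1.1 200 OK\r\n"
     b"SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n\r\n"),
    ("198.51.100.7", b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(assess(ip, raw))
```

A responder that is Internet-facing should have UPnP disabled on that interface regardless of library version; `needs_patch` only covers the SDK issues fixed in 1.6.18.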