
UPnP scan shows 50 million network devices open to packet attack

Lock down now to avoid getting Plug and Pwned


Exploit research has found over 6,900 networked devices from 1,500 manufacturers that are open to attack because of a flawed use of the Universal Plug and Play (UPnP) protocol, and IT managers and home users are being warned to check their networks for three major holes.

"The results were shocking to say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet," said the report's author HD Moore, creator of Metasploit and currently CTO at vulnerability testers Rapid7.

He explained to The Register that the scale of vulnerabilities out there was surprisingly high, and that everyone from ISPs to businesses and home users should check their hardware. While the attacks are somewhat complex in nature at the moment, they are likely to be picked up and automated by malware writers in the future.

UPnP support is built into everything from digital cameras to media servers these days, but the research found flaws in both the UPnP discovery protocol (SSDP) and its HTTP and SOAP implementations that can allow attackers to crash hardware and install malicious code on affected devices, given a certain amount of time and processing power.

More worrying, in 17 million instances the researchers found a third flaw in which the UPnP control interface (SOAP) was exposed via XML, which could potentially allow an attacker to set up an open port in a network firewall – although this depends on the access privileges of a target device.

After nearly six months of sending out UPnP discovery requests to IPv4 addresses, the Rapid7 research team got 81 million responses from systems. Between 40 and 50 million of these are vulnerable to one or more of these problems, and in some cases patches are unlikely to be forthcoming.

The researchers coordinated the paper's release with CERT to allow vendors and SDK developers to be pre-warned about the issue. CERT has done excellent work, Moore said, and Belkin and other major vendors are on the job, but of the 1,500 vendors out there, only a few hundred had been in contact – and some were unidentifiable.

"Given the huge range of products that use the protocol, you may as well flip a coin to see if it's vulnerable," he said. "Checking with CERT might help, but your best bet is to test the devices yourself."

In all, 73 per cent of problems occur with products based on four SDKs, the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a third, commercial stack that is likely developed by Broadcom; and another commercial SDK that could not be tracked to a specific developer.

Rapid7 has made a free ScanNow UPnP tool available for Windows users to check for the flaws so that vulnerable equipment can be identified and locked down. Linux and Mac users can get the same tool from Metasploit directly.

IT managers are advised to block inbound traffic on UDP port 1900 and on specific TCP ports as an immediate workaround, and to check for network printers, IP cameras, storage systems, and media servers that might be open inside the network. ISPs should also check to ensure that vulnerable equipment is not being shipped to customers. ®
