UPnP scan shows 50 million network devices open to packet attack

Lock down now to avoid getting Plug and Pwned

Exploit research has found over 6,900 networked devices from 1,500 manufacturers that are open to attack because of a flawed use of the Universal Plug and Play (UPnP) protocol, and IT managers and home users are being warned to check their networks for three major holes.

"The results were shocking to say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet," said the report's author HD Moore, creator of Metasploit and currently CTO at vulnerability testers Rapid7.

He explained to The Register that the scale of vulnerabilities out there was surprisingly high, and that everyone from ISPs to businesses and home users should check their hardware. While the attacks are somewhat complex in nature at the moment, they are likely to be picked up and automated by malware writers in the future.

UPnP support is built into everything from digital cameras to media servers these days, but the research found flaws in both the UPnP discovery protocol (SSDP) and its HTTP and SOAP implementations that can allow attackers to crash hardware and install malicious code on affected devices, given a certain amount of time and processing power.

More worrying, in 17 million instances the researchers found a third flaw in which the UPnP control interface (SOAP) was exposed via XML, which could potentially allow an attacker to set up an open port in a network firewall – although this depends on the access privileges of a target device.

After nearly six months of sending out UPnP discovery requests to IPv4 addresses, the Rapid7 research team got 81 million responses from systems. Between 40 and 50 million of these are vulnerable to one or more of these problems, and in some cases patches are unlikely to be forthcoming.

The researchers coordinated the paper's release with CERT to allow vendors and SDK developers to be pre-warned about the issue. CERT has done excellent work, Moore said, and Belkin and other major vendors are on the job, but of the 1,500 vendors out there, only a few hundred had been in contact – and some were unidentifiable.

"Given the huge range of products that use the protocol, you may as well flip a coin to see if it's vulnerable," he said. "Checking with CERT might help, but your best bet is to test the devices yourself."

In all, 73 per cent of problems occur with products based on four SDKs, the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a third, commercial stack that is likely developed by Broadcom; and another commercial SDK that could not be tracked to a specific developer.

Rapid7 has made a free ScanNow UPnP tool available for Windows users to check for the flaws so that vulnerable equipment can be identified and locked down. Linux and Mac users can get the same tool from Metasploit directly.

IT managers are advised to block inbound traffic on UDP port 1900 and on specific TCP ports as an immediate workaround, and to check for network printers, IP cameras, storage systems, and media servers that might be open inside the network. ISPs should also check to ensure that vulnerable equipment is not being shipped to customers. ®
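For the internal check recommended above, this added example (not from the article or from Rapid7's tooling) sends one standard SSDP discovery request on a local segment you administer and labels each responder by the two open-source SDKs named earlier. The SERVER-header markers are what those stacks commonly advertise; the sample reply, its address and its 0.0.0 version string are constructed.

```python
import socket

# Markers for the two open-source stacks the article names, as they appear
# in the SSDP SERVER header (matched case-insensitively).
SDK_MARKERS = {
    "Portable SDK for UPnP Devices": "portable sdk for upnp devices",
    "MiniUPnP": "miniupnpd",
}
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')

# Constructed sample reply (not captured from a real device).
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
          b"SERVER: Linux/2.6.30, UPnP/1.0, Portable SDK for UPnP devices/0.0.0\r\n"
          b"ST: upnp:rootdevice\r\n\r\n")

def parse_ssdp(raw):
    """Return lower-cased headers of an SSDP 200 reply, or {} for anything else."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(headers):
    """Name the UPnP stack from the SERVER header, or 'unidentified'."""
    server = headers.get("server", "").lower()
    return next((sdk for sdk, m in SDK_MARKERS.items() if m in server), "unidentified")

def discover(timeout=3.0):
    """Send one M-SEARCH on the local segment; return [(ip, stack, location)]."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MSEARCH, ("239.255.255.250", 1900))
        try:
            while True:
                data, (ip, _port) = s.recvfrom(4096)
                headers = parse_ssdp(data)
                if headers:
                    found.append((ip, classify(headers), headers.get("location", "")))
        except socket.timeout:  # no more replies within the window
            pass
    return found
```

Call `discover()` from a host on the segment being audited; any device it lists is answering UPnP discovery and is a candidate for the vendor-patch check or for having UPnP disabled.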
