Feeds

UPnP scan shows 50 million network devices open to packet attack

Lock down now to avoid getting Plug and Pwned

Internet Security Threat Report 2014

Exploit research has found over 6,900 networked devices from 1,500 manufacturers that are open to attack because of a flawed use of the Universal Plug and Play (UPnP) protocol, and IT managers and home users are being warned to check their networks for three major holes.

"The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet," said the report's author HD Moore, creator of Metasploit and currently CTO at vulnerability testers Rapid7.

He explained to The Register that the scale of vulnerabilities out there was surprisingly high, and everyone from ISPs, businesses and home users should check their hardware. While the attacks are somewhat complex in nature at the moment, they are likely to be picked up and automated by malware writers in the future.

UPnP support is built into everything from digital cameras to media servers these days, but the research found flaws in both the UPnP discovery protocol (SSDP) and its HTTP and SOAP implementations that can allow attackers to crash hardware and install malicious code on affected devices, given a certain amount of time and processing power.

More worrying, in 17 million instances the researchers found a third flaw in which the UPnP control interface (SOAP) was exposed via XML, which could potentially allow an attacker to set up an open port in a network firewall – although this depends on the access privileges of a target device.

After nearly six months of sending out UPnP discovery requests to IPv4 addresses, the Rapid7 research team got 81 million responses from systems. Between 40 and 50 million of these are vulnerable to one or more of these problems, and in some cases patches are unlikely to be forthcoming.

The researchers coordinated the paper's release with CERT to allow vendors and SDK developers to be pre-warned about the issue. CERT has done excellent work, Moore said, and Belkin and other major vendors are on the job, but of the 1,500 vendors out there, only a few hundred had been in contact – and some were unidentifiable.

"Given the huge range of products that use the protocol, you may as well flip a coin to see if it's vulnerable," he said. "Checking with CERT might help, but your best bet is to test the devices yourself."

In all, 73 per cent of problems occur with products based on four SDKs, the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a third, commercial stack that is likely developed by Broadcom; and another commercial SDK that could not be tracked to a specific developer.

Rapid7 has made a free ScanNow UPnP tool available for Windows users to check for the flaws so that vulnerable equipment can be identified and locked down. Linux and Mac users can get the same tool from Metasploit directly.

IT managers are advised to block inbound traffic on UDP port 1900 and on specific TCP ports as an immediate workaround, and to check for network printers, IP cameras, storage systems, and media servers that might be open inside the network. ISPs should also check to ensure that vulnerable equipment is not being shipped to customers. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.