UPnP scan shows 50 million network devices open to packet attack
Lock down now to avoid getting Plug and Pwned
Exploit research has found over 6,900 networked devices from 1,500 manufacturers that are open to attack because of a flawed use of the Universal Plug and Play (UPnP) protocol, and IT managers and home users are being warned to check their networks for three major holes.
"The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet," said the report's author HD Moore, creator of Metasploit and currently CTO at vulnerability testers Rapid7.
He explained to The Register that the scale of vulnerabilities out there was surprisingly high, and everyone from ISPs, businesses and home users should check their hardware. While the attacks are somewhat complex in nature at the moment, they are likely to be picked up and automated by malware writers in the future.
UPnP support is built into everything from digital cameras to media servers these days, but the research found flaws in both the UPnP discovery protocol (SSDP) and its HTTP and SOAP implementations that can allow attackers to crash hardware and install malicious code on affected devices, given a certain amount of time and processing power.
More worrying, in 17 million instances the researchers found a third flaw in which the UPnP control interface (SOAP) was exposed via XML, which could potentially allow an attacker to set up an open port in a network firewall – although this depends on the access privileges of a target device.
After nearly six months of sending out UPnP discovery requests to IPv4 addresses, the Rapid7 research team got 81 million responses from systems. Between 40 and 50 million of these are vulnerable to one or more of these problems, and in some cases patches are unlikely to be forthcoming.
The researchers coordinated the paper's release with CERT to allow vendors and SDK developers to be pre-warned about the issue. CERT has done excellent work, Moore said, and Belkin and other major vendors are on the job, but of the 1,500 vendors out there, only a few hundred had been in contact – and some were unidentifiable.
"Given the huge range of products that use the protocol, you may as well flip a coin to see if it's vulnerable," he said. "Checking with CERT might help, but your best bet is to test the devices yourself."
In all, 73 per cent of problems occur with products based on four SDKs, the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a third, commercial stack that is likely developed by Broadcom; and another commercial SDK that could not be tracked to a specific developer.
Rapid7 has made a free ScanNow UPnP tool available for Windows users to check for the flaws so that vulnerable equipment can be identified and locked down. Linux and Mac users can get the same tool from Metasploit directly.
IT managers are advised to block inbound traffic on UDP port 1900 and on specific TCP ports as an immediate workaround, and to check for network printers, IP cameras, storage systems, and media servers that might be open inside the network. ISPs should also check to ensure that vulnerable equipment is not being shipped to customers. ®