Researchers have uncovered three sets of serious security flaws in the protocol for a component that allows computers and other devices to easily connect and communicate on a network.
The flaws were found in Universal Plug and Play (UPnP), a component that is embedded in nearly 7,000 different kinds of devices -- including routers, printers, media players and smart TVs -- to allow them to be easily discovered on a network for quick setup and information sharing.
The flaws would allow hackers to steal passwords and documents or take remote control of webcams, printers, security systems, and other devices that are connected to the internet.
Computer security firm Rapid7, which uncovered the flaws and has published a white paper detailing its findings (.pdf), said that it had found 40 million to 50 million network-enabled devices that were vulnerable to attack.
The researchers noted that although it's currently time-intensive and difficult to exploit the flaws remotely, they expect that exploits and ready-made attack tools will be available soon.
Rapid7 says patches are available for the vulnerable software libraries, but each affected device manufacturer would have to build updates for each of its products to fix the flaws. Rapid7 and the U.S. government are urging users to disable UPnP or use devices that avoid it entirely.
The security firm has created a tool to help people determine if they're affected.
They discussed their findings in a blog post:
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute, according to Reuters. CERT in turn has tried to contact more than 200 companies identified as having vulnerable devices, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.