UPnP Security Holes Expose Millions of Networked Devices to Attacks

Researchers at Rapid7 have uncovered that roughly 40-50 million network-enabled devices are at risk due to vulnerabilities in the Universal Plug and Play (UPnP) protocol.

Universal Plug and Play (UPnP) is a set of networking protocols that allows communication between computers and network-enabled devices. It is enabled by default on millions of devices, from routers to printers to IP cameras and network storage servers. UPnP support is also enabled by default on Microsoft Windows, Mac OS X and many distributions of Linux.

In a new whitepaper, Rapid7 states that the UPnP protocol "suffers from a number of basic security problems": authentication is rarely implemented by device manufacturers, privileged capabilities are routinely exposed to untrusted networks, and common programming flaws plague the most widely used UPnP software implementations. These issues, the report notes, are endemic across UPnP-enabled applications and network devices.

"This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices," blogged HD Moore, chief security officer at Rapid7, who authored the report. "The results were shocking to say the least."

"The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities," he continued. "In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in and of itself."

As part of the analysis, UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012. This identified more than 81 million unique IP addresses that responded to a standard UPnP discovery request. Ultimately, it was determined that roughly 17 million of these systems also exposed the UPnP Simple Object Access Protocol (SOAP) service to the world.  

The report also found that more than 73 percent of all UPnP instances discovered through the Simple Service Discovery Protocol (SSDP) were derived from only four software development kits: the Portable SDK for UPnP Devices (libupnp), MiniUPnP, a commercial stack from Broadcom, and another commercial kit that the report could not trace to a specific developer. This heavy concentration substantially increases the impact of any vulnerability found within these implementations, Moore argues in the report.

In addition, the UPnP instances found to be using the Portable SDK for UPnP Devices and the MiniUPnP library both advertise the software library version in the SERVER header of the SSDP response, and the company's analysis of these versions showed that the majority of exposed devices are running UPnP libraries that are more than four years old.
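The two mechanics the article leans on, the SSDP discovery request used for the scan and the library version leaked in the SSDP reply, are small enough to show end to end. The script below is an added example written for this page; it is not Rapid7's ScanNow tool or any code from the report. It builds the standard M-SEARCH probe, parses replies, and triages the SERVER header. The only fixed version it knows is libupnp 1.6.18, which the report states; the article gives no fixed version for MiniUPnP, so those hits are reported for manual comparison. The SERVER strings, the 192.0.2.0/24 addresses and the UUID are constructed for illustration, not captured from real devices.

```python
"""Build an SSDP M-SEARCH probe and triage the SERVER header of each reply.

Added example for this article, not Rapid7's ScanNow. Sample replies below
are constructed; only the libupnp 1.6.18 fix version comes from the report.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SSDP_MCAST = "239.255.255.250"  # well-known SSDP multicast group
SSDP_PORT = 1900                 # SSDP uses UDP/1900

# Library -> first fixed version. MiniUPnP is None because the article names
# no version; compare those hits against the vendor changelog by hand.
FIXED_IN: Dict[str, Optional[Tuple[int, ...]]] = {
    "libupnp": (1, 6, 18),   # "fixed as of version 1.6.18" per the report
    "miniupnp": None,
}

# SERVER-header fingerprints: both stacks put name and version in the reply.
FINGERPRINTS = [
    ("libupnp", re.compile(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", re.I)),
    ("miniupnp", re.compile(r"MiniUPnPd?/(\d+(?:\.\d+)*)", re.I)),
]


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """The standard SSDP discovery request sent to 239.255.255.250:1900."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an HTTP-style SSDP reply into a lower-cased header dict."""
    text = raw.decode("latin-1", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP search reply: {status!r}")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


@dataclass
class Finding:
    library: str   # "libupnp", "miniupnp" or "unknown"
    version: str   # version string as advertised, "" if none
    status: str    # triage verdict


def triage_server_header(server: str) -> Finding:
    """Classify one SERVER header value against the known fingerprints."""
    for lib, pattern in FINGERPRINTS:
        m = pattern.search(server)
        if not m:
            continue
        ver, fixed = m.group(1), FIXED_IN[lib]
        if fixed is None:
            return Finding(lib, ver, "check vendor changelog")
        if version_tuple(ver) < fixed:
            return Finding(lib, ver, "vulnerable: older than " + ".".join(map(str, fixed)))
        return Finding(lib, ver, "patched")
    return Finding("unknown", "", "unrecognised stack; inspect LOCATION descriptor")


def triage_replies(replies: List[Tuple[str, bytes]]) -> List[Tuple[str, Finding]]:
    """Triage (source_ip, raw_reply) pairs; malformed or non-200 replies are skipped."""
    out = []
    for src, raw in replies:
        try:
            hdrs = parse_ssdp_response(raw)
        except ValueError:
            continue
        out.append((src, triage_server_header(hdrs.get("server", ""))))
    return out


def discover(timeout: float = 3.0) -> List[Tuple[str, bytes]]:
    """Send one M-SEARCH to the local segment and collect raw replies (needs a network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_MCAST, SSDP_PORT))
    replies = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            replies.append((ip, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample replies, not captured from real devices.
SAMPLE_REPLIES = [
    ("192.0.2.10", b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                   b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
                   b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
                   b"ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n"),
    ("192.0.2.11", b"HTTP/1.1 200 OK\r\nSERVER: Ubuntu/10.04 UPnP/1.1 MiniUPnPd/1.6\r\nST: upnp:rootdevice\r\n\r\n"),
    ("192.0.2.12", b"HTTP/1.1 200 OK\r\nSERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n\r\n"),
    ("192.0.2.13", b"NOTIFY * HTTP/1.1\r\nSERVER: Linux/3.4 UPnP/1.0\r\n\r\n"),  # advertisement, not a reply
]

if __name__ == "__main__":
    for ip, f in triage_replies(SAMPLE_REPLIES):
        print(f"{ip:<12} {f.library:<9} {f.version:<7} {f.status}")
```

Run as-is it triages the constructed replies; `discover()` performs the real multicast probe on the local segment, which is the same packet the report sent to every routable IPv4 address. Note that a device answering M-SEARCH from the Internet side is already the finding the article is about, regardless of which library version it advertises.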

"The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products," Moore blogged. "In most cases, network equipment that is 'no longer shipping' will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions."

Moore suggested organizations take immediate action to identify and disable any Internet-exposed UPnP endpoints in their environments. The company has released a free tool called ScanNow UPnP to help organizations identify exposed UPnP endpoints on their networks and flag any that are remotely exploitable through recently discovered vulnerabilities. 

"Based on our experience with users updating software on their PCs, which they use frequently and where they are acquainted with the process of updating the software, it is clear that software isn't updated very frequently," said Thomas Kristensen, chief security officer at Secunia. "The hurdle of having to find the web interface of a device, which most have probably never logged onto, and finding the update and going through that whole process is likely to intimidate many users. In short... many of these devices are likely to go unpatched till the day they are trashed."

In response to Rapid7’s findings, US-CERT issued an advisory on the issue and said that they attempted to notify more than 200 vendors identified by Rapid7 as running libupnp.