Universal Plug And Play Flaw Impacts Millions of Devices

By Robert Westervelt
January 31, 2013 10:00 AM ET

A protocol standard designed to make it easy to integrate routers, printers, IP cameras and millions of other network-enabled devices contains a number of weaknesses that can expose networks to attack.

The United States Computer Emergency Readiness Team (US-CERT) is warning about weaknesses in the Universal Plug and Play protocol, following a research paper issued by Rapid7 that identified protocol vulnerabilities and configuration errors. Rapid7 found that of 81 million UPnP-enabled devices exposed to the Internet, about 20 percent -- or more than 16 million devices -- allow an attacker to target systems behind the firewall.

HD Moore, the creator of the Metasploit penetration tool and chief security officer of Rapid7, found the errors during a laborious project that included nearly six months of actively scanning the Internet.

"Authentication is rarely implemented by device manufacturers, privileged capabilities are often exposed to untrusted networks, and common programming flaws plague common UPnP software implementations," Moore wrote in a paper outlining the UPnP problems. "These issues are endemic across UPnP-enabled applications and network devices."

The issue impacts more than 1,500 vendors and 6,900 products, according to the report. UPnP support is enabled by default on Windows, Mac and many distributions of Linux. Up to 30 UPnP-enabled device makers, including Cisco Systems, Fujitsu, Huawei, Motorola and Sony, have issued updates this week to repair the errors.

Organizations should replace systems that do not provide the ability to disable this protocol, Moore said in the report. Consumers should also take action, ensuring that the UPnP function is disabled on home routers and mobile broadband devices. "Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future," he said.

Numerous vulnerabilities in the UPnP protocol have been discovered by security researchers over the past decade and have been the subject of presentations at Defcon and Black Hat hacker conferences.

PUBLISHED JAN. 31, 2013

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	10 Emerging Security Technologies Gaining Interest, Adoption Despite some security defenses being only in their infancy, they are attracting interest for addressing BYOD issues, cloud security concerns and stolen account credentials. Here's a look at some of the top new security areas gaining industry interest.
	5 Government Intelligence Facilities You've Never Heard Of One facility has been around since the dawn of space exploration, while other buildings are still in construction. But, they all have serious data analysis and surveillance support activities associated with them.
	Data Breach Costs: 10 Ways You're Making It Worse A little planning and avoiding these 10 costly missteps can help mitigate the impact of a data security breach, according to the Ponemon Institute's latest research.
	More Slide Shows