UPnP flaws turn millions of firewalls into doorstops

UPnP170Last week security researcher HD Moore unveiled his latest paper “Unplug. Don’t Play,” which looked into vulnerabilities in popular Universal Plug and Play (UPnP) implementations.

What is UPnP? Paul Ducklin explained the principles and the reason behind it in his recent article about insecurity in video cameras, but the simple version is this: in my opinion, UPnP is one of the worst ideas ever.

Let’s put it this way: UPnP is a protocol designed to automatically configure networking equipment without user intervention.

Sounds good, right? Until you think about it. UPnP allows things like XBoxes to tell your firewall to punch a hole through so you can play games.

UPnP also allows malware to punch holes in your firewall making access for criminals far easier.

Generally speaking it is a bad idea to implement something that can disable security features without authentication or the knowledge of the person controlling the device.

So we know the dangers of rogue devices/software on the inside exploiting UPnP, now imagine if UPnP managed to listen on the outside.

We don’t have to imagine, as Moore has done the work for us. He discovered over 81 million UPnP devices on the internet, 17 million of which appeared to be remotely configurable.

As if that isn’t bad enough, Moore also discovered ten new vulnerabilities in the two most popular UPnP implementations.

His scans show over 23 million devices vulnerable to a remote code execution flaw.

Vulnerable products include webcams, printers, security cameras, media servers, smart TVs and routers.

router170The last one is what is scariest. Nearly ever vendor you have ever heard of in the home/SOHO business has routers on the list of vulnerable products.

How a router manufacturer could ship a product that lets you configure the firewall without authentication on the outside interface is beyond me.

Many routers do not have an option to disable UPnP and even worse others have an option, but it doesn’t do anything.

If you want to check and see if your router is on the list, Moore linked to lists of the more than 6,900 vulnerable products from 1,500 vendors on the last page of his report.

If your product is affected you should contact the vendor for a fix.

If no fix is available consider replacing the device with one that doesn’t support UPnP or can properly disable it.

Might just be an opportune time to consider upgrading to the free Sophos UTM Home Edition (which doesn’t support UPnP).