Disable This Buggy Feature On Your Router Now To Avoid A Serious Set Of Security Vulnerabilities


You've probably never checked whether your Internet router is set by default to use a harmless-sounding protocol called Universal Plug and Play. If it does, now's a good time to turn it off.

The protocol, abbreviated UPnP, lets computers, printers, and other devices make themselves easily discoverable to a network router. But new research by the security firm Rapid7 shows that it could also let hackers easily discover and exploit those routers, too. And the problem is "universal" indeed: a wide-ranging scan of the Internet shows that it affects as many as 50 million unique devices.

On Tuesday the security firm Rapid7 released an advisory warning that UPnP allows the remote discovery of between 40 and 50 million UPnP routers, printers, servers and other machines. The company says that software bugs it found in three different implementations of the protocol affect 1,500 vendors and 6,900 different products, including some versions of routers sold by every major vendor, among them Cisco's Linksys division, Belkin, D-Link and Netgear. And while some of those bugs would merely allow affected devices to be temporarily disabled, at least 23 million of the devices are susceptible to full takeover by hackers, potentially becoming a jumping-off point for an attack on the victim's network behind any firewall.

"We never expected this much UPnP to be exposed on the Internet," says H.D. Moore, Rapid7's chief security officer. "The scope of the exposure just blew us away."

I've reached out to Cisco, Belkin, D-Link and Netgear for comment, but only heard back from D-Link, which declined to comment for now. I'll update this post when I hear more.

Rapid7's advisory says it's notified the United States Computer Emergency Response Team, and Reuters, which first reported Rapid7's findings, writes that CERT may issue a warning about the vulnerability Tuesday.

Update: CERT has now issued a warning about the issue here, and Cisco has acknowledged the problem as well. It's provided information about the UPnP vulnerability in its Linksys routers here and its non-Linksys equipment here. "Linksys is aware of the industry-wide UPnP library security vulnerability announced by the US CERT on January 29th," a spokesperson writes. "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted."

Moore says that network administrators and home users shouldn't wait for a fix. His company has released a scanning tool to find vulnerable UPnP devices, and suggests users disable UPnP both on their Internet router and on any endpoint devices that use the protocol on their internal network. The final pages of Rapid7's whitepaper include three spreadsheets of products that are vulnerable to various types of the UPnP attack.
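One way to take the inventory Moore recommends on a network you administer, as an added example that is not Rapid7's scanner: send a standard SSDP M-SEARCH and list every device that answers, along with the UPnP stack it advertises in its SERVER header, so each one can be checked against the vendor's guidance and have UPnP disabled. The sample reply embedded below is constructed for illustration.

```python
"""Inventory of devices answering UPnP (SSDP) discovery on the local network.
Added example, not Rapid7's tool: anything that answers has UPnP enabled."""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()

# Constructed sample reply (not a real device) so the parser can be exercised offline.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/0.1\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"
)

def parse_ssdp_response(data: bytes) -> dict:
    """Parse one SSDP reply (HTTP-style headers) into a lower-cased name -> value dict."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def summarize(headers: dict, source: str) -> str:
    """One report line: responder address, advertised UPnP stack, description URL."""
    return f"{source}\tserver={headers.get('server', '?')}\tlocation={headers.get('location', '?')}"

def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect every responder until the timeout expires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(MSEARCH, SSDP_ADDR)
        while True:
            data, (ip, _) = sock.recvfrom(65507)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append(summarize(hdrs, ip))
    except socket.timeout:
        pass  # no more responders within the window
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    print(summarize(parse_ssdp_response(SAMPLE_REPLY), "192.0.2.1 (sample)"))
    for line in discover():
        print(line)
```

Devices that answer on the LAN side may also answer on the WAN side if the router exposes UPnP externally, which is the exposure Rapid7's scan measured.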

"Given the high level of exposure and potential impact of a successful attack, Rapid7 strongly recommends that UPnP be disabled on all external-facing systems and devices providing a critical function," the company's advisory reads. Given that some home routers don't allow the setting to be turned off, Moore suggests that Internet service providers may in some cases need to replace their users' routers or push an update to their firmware before the issue can be addressed.

UPnP has long been considered a liability by network administrators because of its ability to offer a path through a corporate firewall to devices that use the protocol. The vulnerabilities in the protocol have persisted despite numerous warnings from security researchers and even a warning from the FBI about the protocol's insecurity as early as 2001. But it hasn't been clear until Rapid7's scans, which took nearly six months to complete, just how many devices had the protocol enabled by default, or how many flaws in its code existed in real-world devices.

The most recent reminder of UPnP's insecurity came last week, when a security researcher who goes by the name someLuser found that UPnP-enabled digital video recorders (DVRs) could be discovered and hijacked by hackers to watch or alter surveillance video, or even to use the DVR as an outpost for a further attack on the owner's internal network. Rapid7's Moore followed up on that finding by scanning the Internet and turning up 58,000 of the vulnerable DVRs, associated with 18 brands, that remain publicly exposed. At least two of the companies behind those products say they're investigating the issue.

In discussions about the DVR insecurity Monday, readers on Slashdot voiced their own criticism of UPnP, arguing that any wise user had already disabled the protocol on their router. "Is there really anyone in the world who hasn't turned this monstrous security hole off yet?" asked one commenter.

The answer, based on Rapid7's data, seems to be that there are at least several tens of millions who haven't. Now's their chance.

For the full technical details of Rapid7's UPnP security findings and their implications, read its full whitepaper here.
