Security researchers at Rapid7 have discovered a major flaw in 6,900 routers affecting 81 million users. Networking hardware from more than 1,500 vendors are believed to contain the vulnerability. Universal Plug and Play allows end users to easily connect new devices and communicate with the rest of their network. This technology was only designed to run on the network internally.
Over the years companies have begun to use UPnP externally. Some devices and software like gaming consoles and bit-torrent clients use this to communicate with online services. The benefit to users is a simplified setup, as most aren’t capable or interested in configuring the required port forwarding in the router.
The Rapid7 whitepaper was release yesterday, after raising the issue with hardware and networking vendors, they were ignored. With the information now public, hackers around the globe will now have the information required to create attacks based on the flaw.
Below is the very alarming executive summary from Rapid7, but you can read the whole Whitepaper over at https://community.rapid7.com/docs/DOC-2150. If you’re looking for a solution right now, your options are very limited. Most router configurations do not present UPnP as an option for users to disable, essentially this authentication-less method of connectivity was never designed to used externally.
To protect yourself, you should disable UPnP all together right now. While you will loose that functionality across your LAN, you will be protected from the security flaw at the WAN level. Because the specific UPnP packets travel inbound over a specific port, ISPs across the globe could and should block that port.
Rapid7 have provided an info graphic to demonstrate just how severe this issue is.
Universal Plug and Play (UPnP) is a protocol standard that allows easy communication between computers and network-enabled devices. This protocol is enabled by default on millions of systems, including routers, printers, media servers, IP cameras, smart TVs, home automation systems, and network storage servers. UPnP support is enabled by default on Microsoft Windows, Mac OS X, and many distributions of Linux.
The UPnP protocol suffers from a number of basic security problems, many of which have been highlighted over the last twelve years. Authentication is rarely implemented by device manufacturers, privileged capabilities are often exposed to untrusted networks, and common programming flaws plague common UPnP software implementations. These issues are endemic across UPnP-enabled applications and network devices.
The statistics in this paper were derived from five and a half months of active scanning. UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012. This process identified over 81 million unique IP addresses that responded to a standard UPnP discovery request. Further probes determined that approximately 17 million of these systems also exposed the UPnP Simple Object Access Protocol (SOAP) service to the world. This level of exposure far exceeded the expectations of the researchers.
This paper quantifies the exposure of UPnP-enabled systems to the internet at large, classifies these systems by vendor, identifies specific products, and describes a number of new vulnerabilities that were identified in common UPnP implementations. Over 1,500 vendors and 6,900 products were identified that are vulnerable to least one of the security flaws outlined in this paper. Over 23 million systems were vulnerable to a single remote code execution flaw that was discovered during the course of this research.
Rapid7 worked with CERT/CC to notify the open source projects and device manufacturers vulnerable to the issues described in this paper. Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future. For this reason, Rapid7 strongly recommends disabling UPnP on all internet-facing systems and replacing systems that do not provide the ability to disable this protocol.
More information at Rapid7’s associated blog post.