UPnP: Too Universal, Too Insecure

Universal Plug and Play (UPnP) is a standard developed by the UPnP Forum with the intent of making network devices easier for the home user to manage.  UPnP allows for easy discovery and basic administration to be performed automatically on these devices.  One potential use for UPnP would be allowing media devices to locate network shares and NAS devices, thus making this media available on the device quickly and automatically.  UPnP is also often utilized to communicate to home-based routers; UPnP allows for queries regarding external IP address, open ports and even opening or closing NAT ports on the firewall.  The process, known as Simple Object Access Protocol (SOAP) within UPnP documentation, is so seamless that users are not even aware it’s occurring.  Many home routers have this feature and users have no idea they are even using it.

 

Good Idea for Many Users, but Is It Safe?

This has always had me weary as a security risk, since malware would no longer need to run something equivalent to a reverse shell but could open NAT ports for trojan services.  Reverse shells were easier to stop because they have to leave a clear path back to their attacker within the code.  To make matters worse, the most popular UPnP device suites have been shown to be terribly insecure.  Even this embarrassing security situation doesn’t result in heavy risk, as UPnP is intended for home environments only and only for internal networks.  In other words, an attacker (or their malware) would have to be inside your home (or on your WiFi) to exploit UPnP with proper implementation.

 

Doesn’t Sound So Bad, Does It?

Turns out it is bad.  A new report published this week from Rapid7 documents their attempts to gauge the exposure of UPnP on the internet.  They found 81 MILLION(!) devices on the internet that responded to UPnP discovery requests.  To put this in perspective, the report mentions this is more than all the IP addresses assigned to the nation of Canada and 2.2% of the entire internet.  20% (more than 16 million) of these devices accepted SOAP commands, effectively allowing anyone on the internet to gain control over these devices and access to any networks they may be protecting.  Suddenly, an attacker would no longer need to be within your network to exploit UPnP weaknesses!

 

So What’s the Remediation?

Disable UPnP.  UPnP introduces a lot of risk to an environment in the first place and this report has shown how badly implemented UPnP really is.  They reported 73% of UPnP instances show fingerprints suggesting they utilize one of four development kits.  Two of these kits are widely known as remotely exploitable.  Many vulnerabilities have been found, however networking devices, particularly those of home users, rarely receive firmware updates even when they are available.  At the time of this writing, a new vulnerability was just discovered two days prior.  Vendors have already been notified and responded with proper patching, but who knows where the security vulnerabilities end on UPnP.  It should be no surprise that what started as a dangerous idea grew into a dangerous implementation.