HD Moore, chief security officer of Boston-based Rapid7 and creator of the penetration testing tool Metasploit, has one overarching piece of advice for anyone concerned about recently exposed UPnP security flaws: Disable UPnP.
Moore made news last week with the announcement that there were as many as 50 million devices on the Internet that were vulnerable to remote exploit due to various flaws in the Universal Plug and Play (UPnP) protocol, used to make communication between devices on a network easier. But Armijn Hemel, owner of Tjaldur Software Governance Solutions, found himself asking: "Why did it take 4 or 5 years before it actually blew up this big?"
Moore and Rapid7 made news showing the scope of the problem, but the vulnerabilities in UPnP show an unfortunate, classic pattern in security: discovery, then silence.
Hemel is responsible for the UPnP hacks website, and he presented a paper at the SANE 2006 conference detailing UPnP security flaws. "When I first did my research back in the summer of 2005, my initial reaction to this stuff back then was, 'This cannot be possible.' I was shocked and outraged at the time."
As to why nothing much happened back at that time, Moore said, "I have two explanations for that. One is a negative one, and one is a really negative one. First, perhaps end-user devices like routers are not interesting at all. Maybe your data and your network activity is worth nothing."
And the really negative explanation? "Maybe there were easier targets out there."
Rapid7's research report, Security Flaws in Universal Plug and Play, described a slew of UPnP security flaws that were uncovered by Moore's critical.io project, an attempt to identify security flaws by surveying the Internet for UPnP endpoints, open TCP ports, Simple Network Management Protocol (SNMP) system descriptions and more. The unusually high number of open UDP/1900 ports -- those used for the UPnP protocol -- discovered during the project prompted Moore to investigate the issue with startling results. It was also UPnP traffic that originally prompted Hemel's interest in UPnP security.
Moore described UPnP as a "usually harmless" protocol designed to make devices easier to use for consumers with not much thought given to security issues. This isn't a problem until a UPnP-enabled device is exposed to the outside world.
Over 81 million unique IP addresses responded to UPnP discovery requests, with 20% of those exposing the Simple Object Access Protocol (SOAP). The exposure of SOAP could potentially give attackers the ability to, amongst other things, open holes through a firewall. Rapid7's findings indicated that over 1,500 vendors and 6,900 product models had products with the UPnP SOAP service exposed.
Amongst the most serious issues exposed by the critical.io project were those found in MiniUPnP implementations prior to version 1.4, and most vendors were found to still be shipping version 1.0. Portable SDK implementations were plagued by the same problem of outdated firmware: almost 25% of them were found to be running 10-year-old code.
Unfortunately for consumers with vulnerable devices, Moore indicated in a webinar that very little relief will be coming in the form of vendor patches. Rapid7 worked with CERT to disclose the UPnP vulnerabilities to as many vendors as they could identify, with most either not responding or indicating they don't plan to update older devices. And as Moore himself said, "A cost-sensitive customer won't go buy a new $100 router because of some security vulnerability they heard about on the Internet."
Hemel recommended that consumers facing an uncooperative vendor should vote with their wallets. "What I would definitely advise is: Find out the model of your router; find out if your vendor actually has a patch ready for it; if your device is vulnerable and your manufacturer does not have a patch out for it, contact them; and if they refuse, never buy from that vendor again."
With consumers otherwise left to the mercy of vendors, Moore pointed them to some free tools, including Rapid7's ScanNow UPnP, to determine whether their devices are affected, and if so, to disable UPnP where possible or to contact their vendor. Though less of a concern for enterprises, organizations should still use the ScanNow UPnP tool and Metasploit modules to detect any vulnerable devices, which could range from network printers to media servers.
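The detection the article describes boils down to collecting the SSDP discovery replies that UPnP devices send on UDP/1900 and reading the version each one advertises. The following added example (not Rapid7's or Hemel's code) parses constructed sample replies offline and flags MiniUPnPd versions before 1.4, the threshold the article attributes to the Rapid7 findings; Portable SDK versions are reported for manual review because the article gives no cutoff for them.

```python
"""Inventory SSDP (UPnP discovery, UDP/1900) replies and flag outdated
MiniUPnPd builds. Sample replies below are constructed for this example."""
import re
from typing import Optional

MINIUPNP_FIXED = (1, 4)  # article: serious issues in MiniUPnP prior to 1.4


def parse_ssdp_response(raw: str) -> dict:
    """Parse an HTTP-over-UDP SSDP reply into lower-cased header fields."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:  # skip the "HTTP/1.1 200 OK" status line
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def miniupnp_version(server: str) -> Optional[tuple]:
    """Return (major, minor) if SERVER advertises MiniUPnP(d), else None."""
    m = re.search(r"miniupnpd?/(\d+)\.(\d+)", server, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(raw: str) -> dict:
    """Summarise one reply: advertised stack, location URL, and whether the
    MiniUPnPd version falls below the article's 1.4 threshold."""
    h = parse_ssdp_response(raw)
    server = h.get("server", "")
    ver = miniupnp_version(server)
    return {"server": server, "location": h.get("location", ""),
            "miniupnp_version": ver,
            "flag_outdated_miniupnp": ver is not None and ver < MINIUPNP_FIXED}


# Constructed sample replies (private addresses, not real captures).
SAMPLES = [
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: upnp:rootdevice\r\n"
    "EXT:\r\nSERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.0\r\n"
    "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nEXT:\r\n"
    "SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.8\r\n"
    "LOCATION: http://192.168.1.2:5000/rootDesc.xml\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nEXT:\r\n"
    "SERVER: Linux/2.4 UPnP/1.0 Portable SDK for UPnP devices/1.3.1\r\n"
    "LOCATION: http://192.168.1.3:49152/description.xml\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

Only the first sample is flagged; the Portable SDK reply comes back with `miniupnp_version` of `None` so an operator can judge its age separately.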
How long will these flaws be a security issue? Indefinitely, according to Moore: "It's going to be very tough for this vulnerability to go away any time soon." He emphasized that the only way consumers can ensure they are protected against these flaws is to disable UPnP.
Hemel is left convinced that using UPnP safely in the future will require an overhaul of the protocol. "I think the only way we could fix this problem is if UPnP was redesigned; that is the only choice."