Security Flaws in UPnP Expose Millions of Networked Devices to Remote Attacks
Security experts from Rapid7 have recommended disabling the UPnP (Universal Plug and Play) protocol on network-enabled devices, to prevent hackers from exploiting inherent flaws in the UPnP protocol to gain unauthorized remote access to the networks behind them.
The findings by Rapid7 were the result of a research project that spanned the last six months of 2012. During the project, the security experts found that between 40 and 50 million networked devices, slightly over 2% of public IPv4 addresses, responded to UPnP discovery requests from the Internet. Given the inherent flaws in the UPnP protocol, these devices may become targets of hackers. The researchers pointed out that such remote attacks can be triggered by the transmission of a single UDP packet.
Rapid7 has published its findings in a white paper that details the eight security flaws uncovered by the research project. It has recommended disabling the UPnP protocol on all network devices that support it. For those who rely on essential services that depend on the affected protocol, Rapid7 has made available a free tool "...to verify the safety of your network's UPnP implementation."
The onus is currently on network equipment and software providers to issue security patches to address these flaws. Portable UPnP, one of the four major UPnP libraries affected, has already released a patch that resolves these security loopholes.
UPnP is a networking protocol that allows software and devices to automatically configure the opening and forwarding of ports on managed network equipment such as broadband routers, switches and VoIP gateways. For a consumer end-user, UPnP is a zero-configuration technology that is particularly useful for servers that host files or store data. Software such as P2P applications and games uses UPnP to configure incoming data connections on the attached router. Without UPnP, users must manually configure port-forwarding rules, together with manual IP address assignment, through their router's administration utility to ensure their hosted applications receive their data feeds.
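As a practical follow-up to the advice above, the following added example (not code from the article, nor Rapid7's tool) sends a standard SSDP M-SEARCH discovery request to the UPnP multicast group on the local network and lists the devices that answer. An administrator can run it before and after turning UPnP off on a router or gateway to confirm the change took effect, and it flags responders whose SERVER banner identifies the Portable UPnP (libupnp) stack, which the article notes has already been patched, so that firmware on those devices can be checked. The multicast address and port are the standard SSDP values; the banner match, the `classify` wording, and the constructed sample response (including its 192.0.2.1 address and version string) are assumptions for illustration.

```python
import socket

# Standard SSDP multicast group and port defined by the UPnP specification.
SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(mx=2, st="upnp:rootdevice"):
    """Build the SSDP M-SEARCH datagram: a single UDP packet that asks
    every UPnP root device on the local segment to identify itself."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse an HTTP-style SSDP reply into a dict of lower-cased headers.
    Returns None for anything that is not an 'HTTP/1.1 200 OK' response
    (e.g. unsolicited NOTIFY announcements or malformed datagrams)."""
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers):
    """Assumption for illustration: libupnp-based firmware advertises
    'Portable SDK for UPnP devices/<version>' in its SERVER header."""
    server = headers.get("server", "")
    if "portable sdk for upnp" in server.lower():
        return "libupnp (Portable UPnP) - confirm vendor firmware includes the patch"
    return "UPnP responder - disable UPnP unless the service is required"


def discover(timeout=3.0):
    """Send one M-SEARCH to the LAN multicast group and collect replies
    until the timeout elapses. Returns {source_ip: parsed_headers}."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (ip, _port) = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found[ip] = headers
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (not captured from a real device) used to
# exercise the parser offline; the address and version are placeholders.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 Portable SDK for UPnP devices/1.6.6\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for ip, hdrs in sorted(discover().items()):
        print(f"{ip:15}  {hdrs.get('server', '?')}")
        print(f"{'':15}  {classify(hdrs)}")
```

Run it from a host on the same LAN segment as the router; an empty result after UPnP has been disabled on the gateway is the outcome the article's advice aims for. The script only speaks to the local multicast group and never probes Internet addresses.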