Universal Plug and Play
April 8, 2009
Here at Loohuis Consulting we care about security and try to do everything in our power to make our servers run reliably. But server security is just one thing. Obviously the Internet is more than servers. Most people are connected through broadband connections like DSL and cable. The small routers on these connections often run software of questionable quality. While these devices often perform well when dealing with expected input, they do not cope well with malformed data, which is nearly always what crackers send to trick programs into doing things they were not intended to do.
We want to make the Internet a little bit more secure, which is why we devote part of our research to security. One protocol that is in widespread use, and which we have studied extensively, is Universal Plug and Play, or UPnP for short.
Universal Plug and Play is a protocol that makes adding networked services to a LAN as easy as plugging a USB device into a computer. No interaction on the part of the user is required to make services work: it is just plug and play. This is a good thing for Joe Random User, who does not want to fiddle with a lot of settings he does not even remotely understand. UPnP, as it was designed back in the late 1990s, assumes an implicit trust relationship between devices on a LAN. This is questionable in our opinion, and combined with the sloppy design of some UPnP applications it has led to situations where UPnP is actively abused by malware, with the Conficker worm being the most recent example.
Since August 2005 we have been doing research into UPnP vulnerabilities, which is documented on the UPnP Hacks website. A few of the vulnerabilities we found were turned into CVE reports (Linksys WRT54G, ZyXEL P-335WT, Sitecom WL-153, Edimax BR-6104K), while a lot of other vendors fixed their vulnerabilities silently. We are in regular contact with vendors regarding UPnP (in)security.
Our research has covered Internet Gateway Device machines (routers and DSL modems) and MediaRenderers (media players/TVs), and we are looking at other profiles too.
Loohuis Consulting can check devices and stacks for vulnerabilities. If you are a company that makes products that use UPnP and you need them checked for UPnP vulnerabilities, we can help.