Universal Plug and Play

Armijn Hemel, April 8, 2009, 4870 views.

Here at Loohuis Consulting we care about security and try to do everything in our power to make our servers run reliably. But server security is just one thing. Obviously the Internet is more than servers. Most people are connected with broadband connections like DSL and cable. The small routers used for these connections often run software of questionable quality. While these devices often perform well when dealing with expected input, they do not cope well with malformed data, which is nearly always what crackers send to trick programs into doing things they were not intended to do.

We want to make the Internet a little bit more secure, which is why we devote part of our research to security. One of the protocols that is in widespread use and which we've studied extensively is Universal Plug and Play, or UPnP in short.

Universal Plug and Play is a protocol that makes adding networked services to a LAN as easy as plugging a USB device into a computer. No interaction on the part of the user is required to make services work: it is just plug and play. This is a good thing for Joe Random User, who does not want to fiddle with a lot of settings he does not even remotely understand. UPnP, as designed back in the late 1990s, assumes an implicit trust relationship between devices on a LAN. In our opinion this assumption is questionable, and combined with the sloppy design of some UPnP applications it has led to situations where UPnP is actively abused by malware, with the Conficker worm being the most recent example.

Our research

Since August 2005 we have been doing research into UPnP vulnerabilities, which has been documented on the UPnP Hacks website. A few vulnerabilities we found were turned into CVE reports (Linksys WRT54G, ZyXEL P-335WT, Sitecom WL-153, Edimax BR-6104K), while a lot of other vendors fixed their vulnerabilities silently. We are in regular contact with vendors regarding UPnP (in)security.

We have given talks about UPnP (in)security at various conferences, including SANE 2006, FOSDEM 2008 and ELC Europe 2008.

Our research has covered Internet Gateway Device machines (routers and DSL modems) and MediaRenderers (media players/TVs), and we're looking at other profiles too.

Our services

Loohuis Consulting can check devices and stacks for vulnerabilities. If you are a company that makes products that use UPnP and they need to be checked for UPnP vulnerabilities, we can help.
