UPnP scan shows 50 million network devices open to packet attack

Exploit research has found over 6,900 networked devices from 1,500 manufacturers that are open to attack because of a flawed use of the Universal Plug and Play (UPnP) protocol, and IT managers and home users are being warned to check their networks for three major holes. "The results were shocking to say the least. Over 80 …

COMMENTS

This topic is closed for new posts.
  1. Joe Drunk

    Well that stinks.

    UPnP is not required but it sure makes things a lot easier! No reason for it to be used in a corporate environment, but can you imagine getting called every time your friends/relatives get a new game or gadget and they want you to either go there in person or guide them over the phone through manually permitting IP/Ports in their wireless router?

    1. Khaptain Silver badge

      There are other solutions

      Teamviewer, Logmein, VNC et al can do exactly what you need and outside of the corporate environment they are free, so no excuses there.

      UPnP creates a risk for your home network; the risk is up to you: can you afford to lose what you have or to become the next zombie host for [insert illegal activity here]?

      It has its good points but they are outweighed by its negative points.

      Open up an FTP or Telnet server on one of your home machines, you will be very surprised to see how long it takes before the script kiddies come a-knocking. UPnP is no different, it's another surface to get attacked.

      1. koolholio

        Re: There are other solutions

        I could think of some instances where UPnP may be required, for instance two users within the same address space require using ports between the ranges of such and such for a certain amount of time.

        What I believe this to mainly focus upon is explicitly external-facing devices. (which at least takes the remote out of the equation, but not necessarily the local)

        A good network admin should monitor and have something in place for this kind of unusual activity anyway! UPnP, and later variants SSDP and HNAP/SOAP, have been around long enough?

        1. Lee Dowling Silver badge

          Re: There are other solutions

          I have disabled UPnP on not only every machine I've configured but every network too. In fact, I don't even think about it specifically - my network interfaces just don't expose anything to the net except those things I MAKE exposed, and there is nothing capable of responding to UPnP requests anyway (that's all sitting behind the firewall machine - Internet -> Firewall -> Network and the Linux Firewall doesn't know what UPnP even is).

          And I have NEVER had a problem, and nor have any of my users (in the school I'm in now, there is precisely ONE port-forward, accepting packets from precisely ONE IP (my home address) and redirecting them to precisely ONE internal IP (a remote-access server)). An ordinary person has NO NEED to forward a port, at all, ever, whatsoever. Skype works, FTP works, TeamViewer, media streaming, etc. all just work. Every game on my Steam list works perfectly online (except for Worms Revolution, but that's just crappy coding and not limited to just me having problems, and nothing to do with UPnP).

          If you want to set up a home game server, or HTTP server or whatever, I would class you in "not an ordinary person" and the two minutes it takes to learn how to make an exception for a single-port are not exactly taxing on such a user (and much more secure - everything OFF by default, and punch holes only where absolutely necessary).

          UPnP is not only dangerous (any application with any privilege on your computer can punch holes in your firewall to redirect external ports to wherever they like), but unnecessary. It's been switched off since the day I read about it after seeing it in my router's configuration page, and it's NEVER been turned on on any machine I own. It's stupid, and useless.

          Turn it off. See what you actually MISS.

          1. Ragarath

            Re: There are other solutions @Lee dowling

            You must play a very limited subset of games. Go out on the web and look up problems people have updating games, getting cheat prevention checks to work etc. most will take you to pages saying "Make sure port X or port Y or all these ports are open and forwarded to your machine". Then you have the problem of 2 or more machines at a location accessing the same service that you have forwarded to a single machine. Some games also update with a torrent structure, good luck with that on more than one machine! Yet you expect the lay person to be able to sort all this out themselves when all they want is for their game to work.

            Your post sounds more like a boast because you are so perfect and your way is the only way. If you cannot see the reasons for UPnP just because you have no use for it in your environment (YET) then it is shocking you even work in IT.

            It's not like we can use IPv6 for everything YET.

            1. Lee Dowling Silver badge

              Re: There are other solutions @Lee dowling

              I have a Steam account full of games. Over 500 at the last count. I play a lot of CS and similar games with "cheat prevention". Hell, I still technically use IRC occasionally for file transfer and all sorts. I've been gaming since DOS and once gamed over a network formed by a special DOS packet driver and some parallel and serial cables daisy-chaining machines together.

              My household is also not just me. Hell, half the time I'm gaming with someone else in the same house (my girlfriend and I often play on a remote server of mine - we both come from the same IP in that case to the exact same server but simple NAT means you will ALWAYS come from a different port - the server detects it the same as every game on the planet does - problem solved without lifting a finger or even noticing), on the same connection, who hasn't "tweaked" their machine at all (but I'm in control of the router which has ZERO UPnP options enabled and port-forwards only for things I need it for, not single applications - and certainly not games - running on my laptop). You can torrent from N machines simultaneously, for any number of N (may not be as fast as if I opened every port, but it works just the same). Hell, my girlfriend is never off Skype to her parents who also use Skype, from an Italian house with a router that doesn't even support UPnP (it predates anything like that). I haven't got any special setup - a cheap cable modem (used to be an ADSL router before that, but same thing applied there) with UPnP turned off, a software firewall on the machine in default settings (so yet-another-thing that gets in the way of port-forwards of UPnP doing its job anyway) and NOTHING plugged into programs about port-forwarding or anything else.

              The wireless in the house covers not just PCs and laptops but game consoles too, and even CCTV (which, admittedly, does have a single port-forward so I can access it remotely from my phone but also does NOT support UPnP anyway!). None of them have problems downloading, updating, streaming, or playing online (the only "problem" is sheer bandwidth if we're all watching iPlayer and doing things at the same time).

              I don't expect the lay-person to sort ANYTHING. There is nothing to sort. Everything works, unless you're running a SERVER. That's the only reason to have exposed ports. And if you're running a server, and exposed to the Internet, you should damn well know what you're forwarding and where and control it. But UPnP fixes this "problem" that you describe by letting ANY program on ANY computer on your network as ANY user to open ports to point at whatever they like, without anything in the way of decent authentication. It's literally a handful of lines to expose your port 139/445 on your laptop to the world as, say, 11139/11445 and then tell someone about it. For every legitimate program that "benefits" (i.e. the programmers can be lazy in implementation and lessen the cost of running a single external "connection handler" server), there are a million that will abuse it.

              I don't even use IPv6 yet because I refuse to abandon the NAT that provides this arrangement (and hence gives the need for port-forwarding and UPnP) BY DEFAULT. IPv6 supporters have something against NAT and won't support it, and though I'm all IPv6-ready and working, there's nothing I'll do about it until I can just translate the external address into an internal NAT'd address and thereby DELIBERATELY blocking internal services from being made external without my express knowledge. Because NAT'ing just causes me that few problems and solves that many that I won't do without it.

              Disable UPnP. Go do it now. Any problems you have will still be there, and you're unlikely to notice any difference. The worst that happens is you won't get as many incoming connections on a torrent swarm, but to be honest, the torrent protocol handles this wonderfully by getting others to act as intermediaries (sound familiar to running an external server?) and after a while you'll be at full-whack anyway.

              But, even if you're telling the truth, if your programs are that crappy that they can't detect two different users on the same IP but from different ports (and most of the "cheat prevention" things you mention are actually to stop ghosting so they are working EXACTLY as designed if they rely on one IP = all the same house, for instance), or can't knock their way out of a NAT'd network like just about every home broadband user on the planet has, then they really need to take a course in simple networking.

              1. Ragarath

                Re: There are other solutions @Lee dowling

                You are living in a different world from me. Or you do not play the same games, or are lying (500 games from steam whoop dee doo showing off again and it is utterly pointless to the discussion.)

                I can't remember the amount of times I have had to configure things like Punkbuster for so many of my friends because it needs to access a certain port for a certain game. This all stopped with UPnP.

                Not everything is initiated from the user side with these DRM / anti-cheat applications, although it is getting better. If you have played as much as you say you have you will have encountered this at some point, especially if you are running more than 1 client on that game.

                Go on, update WoW on 2 PCs at the same time, go on, one will revert to direct download, in fact as you have disabled UPnP both will go for direct download (Torrent).

                As I said before, in your use case it works, for most normal people it does not which is why UPnP exists in the first place. For people like you and I that know what we are doing we can make the decision to turn it off or on as required. Not everyone should have to take a networking course to use their PC.

      2. AndrueC Silver badge

        Re: There are other solutions

        > Open up an FTP or Telnet server on one of your home machines, you will be very surprised to see how long it takes before that script kiddies come a knocking.

        I run FTP and Mail servers but it's the latter that comes under sustained attack. For the past four months someone has been trawling through potential account names trying to get in. It's annoying but you have to live with it. Luckily I know something they don't (two somethings actually) so they are just wasting their time. It is a bit like living inside a fortress listening to the baying of wolves outside though :-/

  2. Slabfondler

    MAC users?

    "Linux and Mac users can get the same tool from Metasploit directly." - I don't see anything for OSX on the Metasploit website, just Windows and Linux.

    1. J. R. Hartley

      Re: MAC users?

      But sure Macs don't get viruses.

    2. Flabbergarstedbastard

      Re: MAC users?

      Google for "metasploit mac."

      You need to install macports to run it. If you do not know what this is or how to use google you will have a hard time using Metasploit.

  3. Anonymous Coward

    Am I right in thinking that unless you specifically need an incoming connection via the internet such as remote access, torrents, etc. that you could just set the routers firewall to block all incoming connections to prevent attacks?

    1. Chemist

      "Am I right in thinking that unless you specifically need an incoming connection "

      I think it is implementation dependent - if your device has an option for UPnP on/off it's best off. They often default to on.

    2. SImon Hobson Bronze badge

      That's not enough

      The whole point of UPnP is that $random_device can just ask the router to open a hole and redirect traffic. So you "think" you have your firewall locked down, then some device comes along, asks to bypass it, and your router obliges with no questions asked. So there you are, smug in the knowledge that it's all locked down, but you have potentially multiple open ports you never even guessed might be there.

      In most cases, the user may never have even guessed that the device is doing it - see the earlier Reg article on DVRs that a) expose themselves on your internet connection, b) have flaws which means any logins can be bypassed, and c) are probably installed by people who don't know much about networks.

      The only secure option is to disable UPnP - and hope the device manufacturer actually bothered to honour that.

      Still, when the local $law_enforcement come knocking on the door, it's yet another defence.
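As an added example (not from the article or any commenter), here is the kind of check a router's IGD service could make before honouring an AddPortMapping request, addressing the "no questions asked" point above and Lee Dowling's earlier note that any host can redirect ports to any other host. The SOAP body and addresses are constructed, and the policy is an assumption, not what any real firmware does.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Real UPnP IGD namespace for the WANIPConnection service.
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample: a LAN host (192.168.1.20) asks the router to map
# external TCP 11445 to port 445 on a *different* host, 192.168.1.10.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>11445</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>445</NewInternalPort>
      <NewInternalClient>192.168.1.10</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>example</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""

# Ports that should never be mapped to the outside (SMB/NetBIOS).
NEVER_EXPOSE = {135, 137, 138, 139, 445}


def parse_add_port_mapping(xml_text):
    """Return the AddPortMapping arguments as a dict, or None if absent."""
    root = ET.fromstring(xml_text)
    action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        return None
    # UPnP argument elements are unqualified, so child.tag is the bare name.
    return {child.tag: (child.text or "").strip() for child in action}


def check_mapping_request(xml_text, source_ip, arrived_on_lan, lan_net):
    """Hypothetical policy a router applies before honouring AddPortMapping.
    Returns (accepted, reason)."""
    if not arrived_on_lan:
        return False, "SOAP control request arrived on the WAN interface"
    args = parse_add_port_mapping(xml_text)
    if args is None:
        return False, "no AddPortMapping action in body"
    src = ipaddress.ip_address(source_ip)
    if src not in ipaddress.ip_network(lan_net):
        return False, "requester is not on the LAN subnet"
    try:
        client = ipaddress.ip_address(args["NewInternalClient"])
        ext, internal = int(args["NewExternalPort"]), int(args["NewInternalPort"])
    except (KeyError, ValueError):
        return False, "malformed arguments"
    if not (1 <= ext <= 65535 and 1 <= internal <= 65535):
        return False, "port out of range"
    if client != src:  # a host may only expose itself, never a neighbour
        return False, f"requester {src} may not redirect traffic to {client}"
    if internal in NEVER_EXPOSE:
        return False, f"refusing to expose port {internal}"
    return True, f"mapped external {ext}/{args['NewProtocol']} -> {client}:{internal}"
```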

  4. PiltdownMan

    A security scanner that requires Java ! WTF?

    I'm not installing the security sieve that is Java, to check for security holes! Sounds a bit counter productive.

    1. Anonymous Coward

      Re: A security scanner that requires Java ! WTF?

      The irony, the irony!

      You beat me to it, there. A security scanner that requires you to install one of today's biggest security risks? Forget it. Better the devil you don't know than the devil you do, in this case. And open-source fanbois, check your facts rather than your navels before you start flaming.

    2. djack

      Re: A security scanner that requires Java ! WTF?

      Metasploit is written in Ruby.

      There is an optional desktop GUI, Armitage, which is written in Java. Like any other desktop application, it does not run in the applet sandbox - which is where the security concerns lie.

    3. Alan Edwards

      Re: A security scanner that requires Java ! WTF?

      Run the scanner in a virtual machine. That way you don't need to put Java on the main machine, just the VM.

  5. gregthecanuck

    Comedy gold my friend

    Java is required to run the scanning tool.

    Hee-hee, hohohoho, hahahahaha, whaaaa, hahahaaha hhhhoooooooo...

    1. Anonymous Coward

      Re: Comedy gold my friend

      It's like rain on your wedding day.

      1. NogginTheNog

        Re: Comedy gold my friend

        Surely that's ironic?

  6. sml156

    lol install java to find out if you are vulnerable to this exploit

  7. Anonymous Coward

    Free scan tool that wants to know all your details

    Looks like a scam to me. Also coded by a braindead idiot that thinks the whole world has US phone numbers....

    #FAIL

    1. beep54

      Re: Free scan tool that wants to know all your details

      I scanned the EULA with EULAlyzer. First I have EVER received a report back that scary. Uh, no thank you for this puppy. Running away NOW!

    2. Anonymous Coward

      Re: Free scan tool that wants to know all your details

      > the whole world has US phone numbers....

      No problem, all US phone numbers begin "555" so just use that :)

  8. Richard Lucking

    Java?

    So, to test for the exploits, you need to install Java - which is probably far more of a risk than the exploit being tested for...

  9. Anonymous Coward

    Security Fail

    Requires Java, automatically opens IE (disregarding default browser settings) for hyperlinks, has a EULA the size of an unabridged Webster's, and the "Community Edition" only allows scanning 32 IPs?

    Unhelpful and put out there purely as an advertising exercise.

    I hope postmaster@rapid7.com gets a lot of spam advertising material.

  10. Anonymous Coward

    What IT manager wouldn't be blocking incoming connections coming in from the Internet? Next, NAT would be used and thus, the inbound connections wouldn't have a translation to use to get inside.

    The ports UPnP uses are not common ports that one would have open to the Internet anyway. If they did, it would go to a device that wouldn't even know what UPnP is.

    Most business products don't actually support UPnP anyway.

    1. Anonymous Coward

      There are tools for bypassing the NAT.

      UPnP can use pretty much any port to any IP, thus locking it to a RHOST of "local NAT'd ip" has been suggested?

      Do you know the difference between your types of NAT? And UPnP is in a lot of business products!

  11. John Smith 19 Gold badge

    3 *different* sets of fail in one stack.

    Here's the thing.

    A lot of this software is embedded. The question is how much of it can be updated?

    And just to put the icing on this particular cake does anyone think some of these gadgets don't even have the option to disable this "feature"?

    Mfg love to stick new features in their kit and they're worried about time to market.

    I suspect this will remain an ongoing issue until enough fines/damages/bodies accumulate that mfg start taking this issue seriously.

    I'm not sure how effective it would be for PnP but you can get your ports scanned at Gibson Research www.grc.com

  12. Anonymous Coward

    You have to give all your information to use the scan program! Looks like a big scam to me. Why would they need everyone's (Name, address, Email, and even phone number) just to use the tool? Looks like a great way to get a list of people for identity theft!

    1. Callam McMillan

      If I get asked to fill out an online form like that, I am known as Mr. Mickey Mouse - email: mickey@mouse.com and a similar style of phone number. Works wonders for keeping spam away!

  13. Anonymous Coward 15

    Most home users use the ISP's gear

    Blame the ISPs if they're vulnerable out of the box.

  14. Great Bu

    "...... you may as well flip a coin to see if it's vulnerable,"

    Ok, I got 'Tails' - is that bad ?

    1. Ken Hagan Gold badge

      Re: "...... you may as well flip a coin to see if it's vulnerable,"

      A security heads-up is usually a good thing, so, yeah, I think tails is bad.

  15. Anonymous Coward

    Time to give TELNET the FINGER

  16. jason 7

    So what are the steps for the average user to take......

    ....to mitigate this in the simplest and least crippling way?

    1. El Presidente

      Re: So what are the steps for the average user to take......

      Disable UPnP, check your chosen hardware manufacturer for updates, abandon those who don't update.

  17. Anonymous Coward

    http://seclists.org/fulldisclosure/2013/Jan/260

  18. Rawling

    "... was exposed via XML ..."

    Don't you mean exposed to the Internet? This was my main takeaway from the paper - yes, UPnP allows devices on your network to request holes in your firewall, but in 17 million cases they found routers allowing these requests from the Internet side of the router too.
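An added example, not from the article, the paper or any commenter: parsing one SSDP M-SEARCH reply and recording whether it was answered from outside the LAN, which is the WAN-side exposure Rawling describes (a reply to a discovery probe sent to the router's own public address means discovery is reachable from the Internet). The reply bytes, addresses and stack banner are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of an SSDP (HTTP-over-UDP) reply to an M-SEARCH on
# UDP/1900. Header names are real SSDP headers; the values are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/1.0\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)


def parse_ssdp_response(raw):
    """Parse an SSDP reply into a dict keyed by upper-cased header name.
    Returns None unless the status line is an HTTP 200."""
    lines = raw.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def assess_exposure(raw, responder_ip, lan_net):
    """Summarise what a reply tells a defender. responder_ip is the address
    that answered; lan_net is the home/office subnet. A 200 reply from an
    address outside lan_net means the router answers discovery on its WAN
    side, the condition the Rapid7 scan counted."""
    headers = parse_ssdp_response(raw)
    if headers is None:
        return None
    net = ipaddress.ip_network(lan_net)
    src = ipaddress.ip_address(responder_ip)
    location = headers.get("LOCATION", "")
    host = urlparse(location).hostname
    try:
        # LOCATION naming a LAN address in a WAN-side reply also leaks the
        # internal addressing scheme to whoever sent the probe.
        location_on_lan = host is not None and ipaddress.ip_address(host) in net
    except ValueError:
        location_on_lan = False  # hostname rather than an IP literal
    return {
        "wan_exposed": src not in net,
        "location_on_lan": location_on_lan,
        "description_url": location,
        "stack": headers.get("SERVER", "unknown"),  # compare with vendor advisories
        "search_target": headers.get("ST", ""),
    }
```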

  19. Tree

    Too confusing

    What's a user to do? I have a T-Mobile dongle for internet. How do I keep bad guys from stealing my bank account info or credit card number without using the command line or java? Unfortunately I use windows, too.

  20. The Alpha Klutz

    Presumably

    If you disable UPnP in the router, then it doesn't matter if other devices on the network still have it enabled?

    If devices want to fruitlessly send SSDP packets around then I don't really care - is it a problem?

