There are days when I read a news story and wonder if there is anything involving electronics that doesn’t have a security flaw. Today was one of those days.
Rapid7 discovered a security flaw in Universal Plug and Play (UPnP) and wrote a white paper describing it:
Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself.
What’s at risk? Passwords and documents could be accessed by an attacker, or an attacker could take control of a machine on the network.
UPnP is a set of protocols that lets network devices recognize other devices on the same network. For example, if you are able to send documents to your printer wirelessly, you are taking advantage of UPnP. UPnP is geared primarily toward residential networks rather than business settings, but think of how many people telecommute or spend time working at home. Anything that puts personal computer users at risk has the potential to affect corporate data.
While right now it’s fairly time-intensive and difficult to exploit the newly discovered flaws remotely, it’s likely that ready-made attack tools or “exploits” for these flaws will be available soon. Once they are available, it will be easy for attackers to take advantage of the flaws. Unfortunately, it could be a while until we see a fix. According to Wired:
Rapid7 says there are fixes available for the software libraries to fix the vulnerabilities, but each device manufacturer that is affected would have to build updates for each of its products to fix the flaws.
So Rapid7’s suggestion? It is right there in the title – unplug. Disable UPnP. Yes, it might be inconvenient, but this is one instance where being inconvenienced is definitely better than the alternative.
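To confirm that disabling UPnP actually took effect on a network you manage, you can send one discovery request and see what still answers. The sketch below is an added example, not code from Rapid7 or the white paper; the function names, the sample replies and the assumption that a device honestly reports "Portable SDK for UPnP devices" in its SERVER header are mine.

```python
import re
import socket

M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n').encode()
# Assumed banner of the Portable UPnP SDK; a device may report anything in SERVER.
SDK_BANNER = re.compile(r"Portable SDK for UPnP devices\s*/\s*([\w.\-]+)", re.I)
# Constructed sample replies: addresses, paths and version strings are made up.
SAMPLE_REPLIES = [
    ("192.168.1.1", b"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.1:49152/desc.xml\r\n"
                    b"SERVER: Linux/2.6 UPnP/1.0 Portable SDK for UPnP devices/0.0.1\r\n\r\n"),
    ("192.168.1.20", b"HTTP/1.1 200 OK\r\nLocation: http://192.168.1.20:8080/root.xml\r\n"
                     b"Server: ExampleOS/1.0 UPnP/1.0 ExamplePrinter/2.0\r\n\r\n"),
]

def parse_reply(raw):
    """Return the reply's headers keyed by lowercase name, or None if it is not a 200 response."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not re.match(r"HTTP/1\.[01] 200\b", lines[0]):
        return None
    fields = (line.partition(":") for line in lines[1:])
    return {name.strip().lower(): value.strip() for name, sep, value in fields if sep}

def summarize(replies):
    """Map each answering IP to its SERVER banner, LOCATION URL and reported SDK version."""
    devices = {}
    for ip, raw in replies:
        headers = parse_reply(raw)
        if headers is not None:
            sdk = SDK_BANNER.search(headers.get("server", ""))
            devices[ip] = {"server": headers.get("server", ""),
                           "location": headers.get("location"),
                           "sdk_version": sdk.group(1) if sdk else None}
    return devices

def discover(timeout=3.0):
    """Send one M-SEARCH to the local segment and collect (ip, raw_reply) until the timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, ("239.255.255.250", 1900))  # standard SSDP multicast group
        try:
            while True:
                raw, addr = sock.recvfrom(65507)
                replies.append((addr[0], raw))
        except socket.timeout:
            return replies

if __name__ == "__main__":
    print(summarize(SAMPLE_REPLIES))  # on your own LAN: summarize(discover())
```

An empty result from `summarize(discover())` after the change means nothing on that segment answered the discovery request; any address that remains is a device where UPnP is still enabled.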