A report by security company Rapid7 on Tuesday brought attention to a set of vulnerabilities in UPnP that puts millions of users at risk. According to the research paper, more than 80 million unique IP addresses "were identified that responded to UPnP discovery requests from the Internet", and at least half of those were vulnerable to at least one of the security flaws the researchers found while analyzing the security of these devices.
Attackers can take advantage of the vulnerabilities to execute code remotely on vulnerable systems to steal passwords and files, place malware on the systems or take them over completely.
This paper quantifies the exposure of UPnP-enabled systems to the internet at large, classifies these systems by vendor, identifies specific products, and describes a number of new vulnerabilities that were identified in common UPnP implementations. Over 1,500 vendors and 6,900 products were identified that are vulnerable to at least one of the security flaws outlined in this paper. Over 23 million systems were vulnerable to a single remote code execution flaw that was discovered during the course of this research.
The research paper contains an "immediate actions" page that recommends a set of actions for Internet service providers, businesses and home users. Both home users and businesses can run a scanner that the researchers have created to find out whether their local network is vulnerable or not.
A couple of options are available if a vulnerable endpoint is discovered. The first course of action is to find out whether an update is available, usually by contacting the manufacturer of the device (such as the router) or searching the manufacturer's website for firmware updates. If there is no update, users may want to consider disabling UPnP on the device, or replacing the device if UPnP cannot be disabled.
A blog post on the Rapid7 website highlights how Mac and Linux users can scan networks for vulnerable devices.
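As an added example (not the article's text and not Rapid7's scanner), the script below performs the same discovery step the report describes: it sends an SSDP M-SEARCH to the UPnP multicast group and lists every device on the local network that answers, along with the SERVER header that names the device's UPnP stack. An administrator can use that inventory to check each device against its vendor's advisories or to spot devices where UPnP should be turned off. The response bytes in the test are constructed, not captured from a real device.

```python
import socket

# Standard SSDP multicast group and port used by UPnP discovery.
SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an HTTP-style SSDP reply into a dict of lower-cased headers.
    Returns an empty dict for anything other than an 'HTTP/1.1 200 OK' reply."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect distinct responders until the timeout expires.
    Devices answer once per advertised service, so results are de-duplicated."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH, SSDP_ADDR)
    seen, found = set(), []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if not hdrs:
                continue
            key = (ip, hdrs.get("server", "?"), hdrs.get("location", "?"))
            if key not in seen:
                seen.add(key)
                found.append({"ip": key[0], "server": key[1], "location": key[2]})
    except socket.timeout:
        pass  # no more replies within the MX window
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for dev in discover():
        print(f"{dev['ip']:15} {dev['server']:45} {dev['location']}")
```

The SERVER value (for example the name and version of the UPnP library) is what to compare against the vendor's update notes; a device that answers but should not expose UPnP is a candidate for having the feature disabled.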
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.