Millions of PCs exposed through network bugs, security researchers find

Summary: Experts say that common networking standards are placing our devices and data at risk.

TOPICS: Networking, Security

Common bugs in networking systems are placing PCs, printers, and storage devices at risk, according to security researchers.

According to the security team at Rapid7, technology used in routers and other standard networking equipment could allow hackers to infiltrate approximately 40 million to 50 million devices worldwide.

The vulnerability lies in the standard known as Universal Plug and Play (UPnP). This standard set of networking protocols allows devices, such as PCs, printers, and Wi-Fi access points, to communicate and discover each other's presence. After discovery, devices can be connected through a network in order to share files, printing capability, and the Internet.

In a white paper released today, researchers from the security software maker said that while UPnP might make network setup cheaper and more efficient, it harbours a severe security risk.

The paper focuses on three issues: programming flaws in common UPnP discovery protocol (SSDP) implementations, which can be exploited to crash the service and execute arbitrary code; the exposure of the UPnP control interface (SOAP) on private networks; and programming flaws in both UPnP HTTP and SOAP overall.

Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet due to the "misconfiguration" of the UPnP SSDP discovery service across thousands of products. Over 73 percent of all UPnP instances discovered through SSDP were derived from only four software-development kits (SDKs).

In addition, the UPnP SOAP service was found to provide access to device functions that should not be available from untrusted networks, such as opening holes in a firewall.

Rapid7 also said that the two most commonly used UPnP software libraries both contain remotely exploitable vulnerabilities. For example, in the case of the Portable UPnP SDK, "over 23 million IPs are vulnerable to remote code execution through a single UDP packet." A patch has been released, but it will take a long time before this patch is included in vendor products, according to the firm.

The paper states:

In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.

The team's findings are below.

[Figure: summary of findings from the Rapid7 white paper. Credit: Rapid7]

The researchers say that over 1,500 vendors and 6,900 products were identified as vulnerable to at least one of these security flaws. Vendors with vulnerable products include Belkin, Linksys, and Netgear. Unless UPnP is disabled or the flaws are fixed, they could allow hackers to access confidential business files and passwords, or to take remote control of devices including printers and webcams.

Chris Wysopal, chief technology officer of security software firm Veracode, told Reuters that the publication of these findings would bring widespread attention to UPnP, commenting:

This definitely falls into the scary category. There is going to be a lot more research on this. And the follow-on research could be a lot scarier.

The firm suggests that in order to combat the possible threat, end users, firms, and ISPs should identify and disable any UPnP endpoints within their systems and networks, and be aware that many devices come with UPnP enabled by default.
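One way to identify UPnP endpoints on a network you administer, as an added example that is not from the article or from Rapid7: send the standard SSDP search request to the local segment and record which hosts answer and which SDK their SERVER header names. The marker strings, function names and sample replies are assumptions constructed for illustration.

```python
import socket

# Standard SSDP search request for the multicast group 239.255.255.250:1900.
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n').encode()
# Assumed SERVER-header substrings for the two SDK families the article names.
SDK_MARKERS = {"portable sdk for upnp": "Portable UPnP SDK", "miniupnpd": "MiniUPnP"}
# Constructed replies: documentation addresses, made-up version strings.
SAMPLE = [
    ("192.0.2.1", b"HTTP/1.1 200 OK\r\nSERVER: Linux/2.6 UPnP/1.0 miniupnpd/0.0\r\n\r\n"),
    ("192.0.2.7", b"HTTP/1.1 200 OK\r\nServer: Linux, UPnP/1.0, "
                  b"Portable SDK for UPnP devices/0.0.0\r\n\r\n"),
    ("192.0.2.9", b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),
]

def parse_ssdp_response(data):
    """Return the reply's headers (upper-cased names), or None if not a 200 reply."""
    lines = data.decode("latin-1").split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        return None
    pairs = (line.partition(":") for line in lines[1:])
    return {name.strip().upper(): value.strip() for name, sep, value in pairs if sep}

def inventory(responses):
    """Map (ip, raw_reply) pairs to one row per responding IP, sorted by IP string."""
    rows = {}
    for ip, raw in responses:
        headers = parse_ssdp_response(raw)
        if headers is None:
            continue  # not a search reply (for example a NOTIFY announcement)
        server = headers.get("SERVER", "")
        sdk = next((n for m, n in SDK_MARKERS.items() if m in server.lower()), "unknown")
        rows[ip] = {"ip": ip, "sdk": sdk, "server": server}
    return [rows[ip] for ip in sorted(rows)]

def discover(timeout=3.0):
    """Send one M-SEARCH (default multicast TTL 1, local segment only); collect replies."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, ("239.255.255.250", 1900))
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                found.append((ip, data))
        except socket.timeout:
            pass
    return found
```

`inventory(SAMPLE)` exercises the parser offline; `inventory(discover())` lists the devices answering on the local segment, each of which is a candidate for having UPnP disabled.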

  • Wow and this is news?

    1. Steve Gibson (you know, that Old Crank at Gibson research) has been warning us about UPnP for YEARS (over a decade at least).
    2. Looks like Anonymous (among others) have long figured this out. (ROFLing at recent hacks to the US gub'ment)

    (BTW not poking fun at you Charlie, just the news in general)
    • Perspective

      I think the proper perspective isn't the original pronouncement that this was a vulnerability, but that it still exists, in very large quantities, and with the evolution of threats today, its importance has changed drastically.
    • Please don't quote Steve Gibson....

      ....If you wish to be taken seriously. Many others have warned about this before security researcher (cough) Steve Gibson jumped on the bandwagon.

      It is criminal that routers are still arriving on people's doorsteps with UPnP enabled by default.
      Alan Smithie
      • Many of us heard Steve's warnings about this first

        Not saying he was the first, but for many of us his warnings about this issue were the first we heard.

        I know he has detractors, but it should take away from the fact that he was right about this. Facts are facts.
        • *shouldn't

          *shouldn't (wish I could edit posts!)
          • You can

            Original text
          • Oops, my mistake... you can't

            Confused this web site with another
  • Uhm, yeah...

    When you think about it, this seems kind of obvious. Any type of automated service generally introduces security issues of varying degrees. Convenience and security tend to make lousy bedfellows.
  • Well, this is ironic...

    I downloaded the software linked in the article to scan for any potential vulnerabilities in my network, and upon running it, was prompted to install the Java Runtime Environment...which, last I heard, still has serious unpatched vulnerabilities. Damned if you do, damned if you don't.
  • Doesn't matter how many times you tell people...

    Doesn't matter how many times you tell people... all the right people who need this aren't listening and all the wrong people who shouldn't use this are. Eventually people do learn though after being hacked a few times.. good job! *facepalm*
  • LOL

    Kind of ironic that in order to run the scan you need to have the Java installed (which I uninstalled years ago). You would think that a firm concerned with security issues wouldn't even consider using Java. LOL
  • Tool to check your router for the UPNP Bug

    Hi Guys,

    a few tools have popped up to check your router for the UPNP bug. ShieldsUp, Heise amongst others. My favorite is at - >50000 Scans so far, so seems to be pretty popular.