Security experts warn of Universal Plug and Play security flaws


by CBR Staff Writer| 30 January 2013

About 40 million to 50 million devices were found vulnerable over three separate issues with the UPnP standard.

The US Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) along with IT security firm Rapid7, have advised users to disable the UPnP feature that allows operating devices and printers through the internet.

According to researchers from the security firm, several buffer overflow vulnerabilities have been exposed in libupnp, which is the open source portable SDK for UPnP that may allow hackers to gain access to millions of vulnerable devices.

Rapid7 also reported that there were about 40 million to 50 million devices vulnerable over three separate issues with the UPnP standard.

The two most frequently used UPnP software libraries both comprised remotely exploitable vulnerabilities. In Portable UPnP SDK, about 23 million IPs have been found to be exposed to remote code execution via a single UDP packet.

Rapid7security researcher HD Moore said that the firm was able to identify over 6,900 product versions that were vulnerable through UPnP.

"This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself," Moore said.

The flaws could also enable attackers to access secret files, steal passwords, acquire full control over PCs and remotely access devices including webcams, printers and security systems.

The list of devices vulnerable to attackers include products manufactured by Belkin, D-Link, Cisco Systems' Linksys division and Netgear.

Linksys said in a statement: "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted."

Post a comment

Comments may be moderated for spam, obscenities or defamation.

Join our network

756 people like this.
0 people follow this.

Security Intelligence

Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.