SECURITY ALERT: Universal Plug and Play Vulnerability
Security research firm Rapid7 has identified a serious vulnerability in networking software known as Universal Plug and Play (UPnP). This UPnP component is installed in almost every network router, and is present in the Windows and Mac OS X operating systems. If your router or computer is exposed, you MUST take action to avoid the possibility of hacker attacks. Here's what you need to know, in simple terms...
What is the UPnP Security Vulnerability?
Without getting too technical, UPnP is a software component that is used by many computers, internet routers, and networkable devices. Its purpose is to make it easy to discover, connect and access networked devices such as computers, printers, webcams, DVRs, mobile devices and security systems. But serious flaws in the UPnP software makes it possible for hackers to access, disable, take over or generally wreak havoc with exposed devices using UPnP.
Because UPnP allows certain network requests to pass through your firewall, hackers could potentially access any file on vulnerable computers, steal passwords, or use compromised computers to launch other sorts of attacks. The problem is NOT limited to Windows computers. The Mac OS X and some Linux operating systems use this same Universal Plug and Play software component. For more technical details, see the US-CERT Vulnerability Note VU#922681.
The folks at Rapid7 ran some tests and found that 40-50 million networked devices are vulnerable to these UPnP flaws. The good news is that an updated version of the UPnP software known as libupnp is available. The bad news is that end users can't simply apply this patch. The updated libupnp software must be integrated by software and hardware developers into the affected systems and devices. And that could take weeks or months.
So it's important that you run a few simple tests to find out if your computer, router or networked devices are vulnerable to UPnP attacks. And if so, it's essential that you take action to protect yourself.
Checking For UPnP Vulnerabilities
You can run the Rapid7 Router Security Check to test your router and determine whether it is vulnerable to external attack from the Internet. If your router is NOT vulnerable, you'll see "Congratulations! Your router did not respond to a UPnP discovery request."
To check for internal exposure, Windows users can download Rapid7's free ScanNow for UPnP tool. (Linux users should use the Metasploit tool instead. Mac users, look here for instructions on using Metasploit on Mac OS X.) After ScanNow completes, skip to the bottom of the page and look at the Overview of Results section. If it shows a zero under Exploitable, you're in good shape.
If these two checks show no vulnerabilities, you don't need to do anything further. However, if a vulnerabilty is present, you need to turn off UPnP in your router.
Unfortunately, it's not possible for me to give simple instructions on how to accomplish that task. There are dozens of router manufacturers, and they all use different interfaces and terminology in their configuration screens. The folks at US-CERT (the US Department of Homeland Security's Computer Emergency Readiness Team) have compiled a list of router vendors, along with links to further information provided by those vendors for dealing with the UPnP security issue. If instructions for your router are not found there, and your router was supplied or installed by your Internet Service Provider, I suggest you contact them for assistance with updating your router settings. If you purchased and installed your own router, my best advice is to search the web for "disable upnp on XYZ router", where XYZ is the router manufacturer.
If you're running Windows, I also recommend that you turn off the UPnP services that are enabled and running by default on most Windows systems. To do so:
- Click Start, type services.msc in the search box, hit enter
- In the services list, find SSDP Discovery
- Double click it to open the Properties panel.
- Set Startup Type to Disabled
- Click the Stop button under Services Status.
You may see a message that this will also stop the "UPnP Device Host" service. That's fine. I do want to give a caveat here... After reading everything I could find about this UPnP issue, I'm not 100% sure that disabling these Windows services is absolutely necessary. But I'm reasonably sure that it can't hurt. If something doesn't work after doing so, you can undo those changes easily.
Do you have any addtional information on the UPnP vulnerability? Post your comment or question below...
This article was posted by Bob Rankin on 31 Jan 2013
|For Fun: Buy Bob a Snickers.|
Geekly Update - 30 January 2013
The Top Twenty
Do You Need Mobile Security Protection?
There's more reader feedback... See all 26 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- SECURITY ALERT: Universal Plug and Play Vulnerability (Posted: 31 Jan 2013)
Copyright © 2005 - Bob Rankin - All Rights Reserved