Last week security researcher HD Moore unveiled his latest paper "Unplug. Don't Play," which looked into vulnerabilities in popular Universal Plug and Play (UPnP) implementations.
What is UPnP? Paul Ducklin explained the principles and the reason behind it in his recent article about insecurity in video cameras, but the simple version is this: in my opinion, UPnP is one of the worst ideas ever.
Let's put it this way: UPnP is a protocol designed to automatically configure networking equipment without user intervention.
Sounds good, right? Until you think about it. UPnP allows things like XBoxes to tell your firewall to punch a hole through so you can play games.
UPnP also allows malware to punch holes in your firewall making access for criminals far easier.
Generally speaking it is a bad idea to implement something that can disable security features without authentication or the knowledge of the person controlling the device.
So we know the dangers of rogue devices/software on the inside exploiting UPnP, now imagine if UPnP managed to listen on the outside.
We don't have to imagine, as Moore has done the work for us. He discovered over 81 million UPnP devices on the internet, 17 million of which appeared to be remotely configurable.
As if that isn't bad enough, Moore also discovered ten new vulnerabilities in the two most popular UPnP implementations.
His scans show over 23 million devices vulnerable to a remote code execution flaw.
Vulnerable products include webcams, printers, security cameras, media servers, smart TVs and routers.
Read more: Naked security
0 comments:
Post a Comment