Devices’ UPnP Service Emerges as Key Threat to Home IoT Networks

Home connected device users are putting their IoT networks at risk by leaving exposed a common service devices use to seamlessly connect and communicate with each other, according to cybersecurity firm Trend Micro.

Hackers recently have been found to exploit the Universal Plug and Play (UPnP) service of poorly configured routers and home networking devices, as evidenced by an attack earlier this year that allegedly hijacked thousands of Chromecast streaming dongles, Google Home devices and smart TVs to play an ad for YouTuber PewDiePie’s channel.

This event prompted Trend Micro researchers to dig deeper into UPnP. They found that the potential to exploit the service remains significant: many home users leave UPnP enabled, knowingly or not, and often with older, unpatched versions of the service installed on their devices.

“In a nutshell, we found that most devices still use old versions of UPnP libraries,” wrote Tony Yang, a Trend Micro home network researcher, in a blog post. “Vulnerabilities involving the UPnP libraries have been years old, are potentially unpatched, and leave connected devices unsecure against attacks.”

Significant exploit potential

Many devices such as cameras, printers and routers use UPnP to facilitate their ability to automatically discover other devices on a local network, as well as communicate for data sharing or media streaming.

Using the company’s IoT scanning tool, Trend Micro researchers gathered data about UPnP-related events in home networks, with worrying results.

Research collected in the month of January detected UPnP enabled on 76 percent of routers and on 27 percent of media devices, such as DVD players and media-streaming devices, according to Yang. The data covered devices running various operating systems, including Mac, Windows, Android and iOS platforms.

The key problem with vulnerable UPnP implementations is that, once exploited, they let bad actors turn routers and other devices into proxies that hide the origins of botnets, distributed denial-of-service (DDoS) attacks or spam, making these malicious activities nearly impossible to trace, according to Trend Micro.

Researchers cited reports in which routers with compromised UPnP services were forced to connect to ports or even to send spam and other malicious e-mails to reputable e-mail services.

Unpatched vulnerabilities

In its research, Trend Micro identified specific vulnerabilities in UPnP services running on connected-home devices that leave them open to exploitation.

One is the MiniUPnPd library, a well-known UPnP daemon for network address translation (NAT) routers that provides port-mapping services. Researchers found several known critical vulnerabilities in unpatched versions of the library, which was present on existing devices with UPnP enabled, that allow attackers to execute unauthorized code or launch DoS attacks, among other things.

Specifically, 16 percent of devices with UPnP enabled were found to be using this library, more often than not an outdated version of it. The most current version of MiniUPnPd is 2.1; only five percent of devices with the library installed had a 2.x version, researchers found. Among the other devices, 24 percent used MiniUPnPd 1.0 and 30 percent used version 1.6.

Trend Micro researchers also found unpatched Windows software on devices identified in the January research that could allow a remote attacker to run arbitrary code in the context of a local service account through a known memory-corruption vulnerability; they advised users to apply the existing patch to avoid any issues.

libupnp, a well-known portable software development kit (SDK) for UPnP devices used by about 5 percent of the detected devices, also could be problematic because, once again, home users have older versions installed on their devices, according to Trend Micro. If the library remains unpatched, this leaves them susceptible to a stack-based buffer overflow in the SDK’s unique_service_name function, Yang wrote.

Protecting devices from UPnP exploits

Trend Micro ultimately had some good news and bad news for users with connected devices in the home in terms of preventing bad actors from exploiting any of the UPnP vulnerabilities researchers identified.

Yang acknowledged that “it could be tricky for users to determine if a device has a UPnP-related flaw or has been infected” because some devices could be hidden behind NAT, making it difficult for a user to see any immediate impact of an exploited vulnerability.

However, there are some relatively easy fixes for users worried that their devices’ use of UPnP is putting them at risk. First and foremost, Trend Micro advises users to ensure all connected-home devices are running updated firmware.

If a user suspects a device has been compromised or infected, researchers suggest rebooting it and resetting it to original factory settings, or just chucking it out and replacing it to be completely safe.

To avoid UPnP-related trouble altogether, users also can disable the feature on a device, if the device allows, unless the network genuinely needs the service, Yang advised.
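A practical first step toward that advice is knowing which devices on your own network answer UPnP discovery at all, and which library version they announce. The Python script below is an added example, not Trend Micro’s scanning tool: the SSDP replies in SAMPLES are constructed, and the “outdated” verdict simply applies the article’s own figures (MiniUPnPd 2.1 is current, so anything below 2.x is flagged; libupnp is only marked for manual review because no threshold is given for it).

```python
import re
import socket

# Constructed SSDP replies (not captured from real devices); UPnP stacks
# normally announce their library and version in the SERVER header.
SAMPLES = [
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nSERVER: Linux/3.10 UPnP/1.1 MiniUPnPd/1.6\r\nLOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nSERVER: Linux/4.9 UPnP/1.1 MiniUPnPd/2.1\r\nLOCATION: http://192.0.2.2:5000/rootDesc.xml\r\n\r\n",
]
# libupnp identifies itself as "Portable SDK for UPnP devices/<version>".
LIBRARIES = {
    "MiniUPnPd": re.compile(r"MiniUPnPd/(\d+)\.(\d+)", re.I),
    "libupnp": re.compile(r"Portable SDK for UPnP devices/(\d+)\.(\d+)", re.I),
}

def parse_ssdp(response):
    """Extract library, version and a verdict from one SSDP response."""
    headers = {}
    for line in response.split("\r\n")[1:]:  # skip the HTTP status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    server = headers.get("server", "")
    info = {"server": server, "location": headers.get("location", ""),
            "library": "unknown", "version": "", "verdict": "review"}
    for name, pattern in LIBRARIES.items():
        match = pattern.search(server)
        if match:
            major = int(match.group(1))
            info["library"] = name
            info["version"] = f"{major}.{match.group(2)}"
            # Article: MiniUPnPd 2.1 is current, so below 2.x is outdated.
            # No threshold is given for libupnp, so it stays "review".
            if name == "MiniUPnPd":
                info["verdict"] = "ok" if major >= 2 else "outdated"
    return info

def discover(timeout=2.0):
    """Send one SSDP M-SEARCH to the UPnP multicast group and parse replies."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 1\r\nST: upnp:rootdevice\r\n\r\n')
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg.encode(), ("239.255.255.250", 1900))
        try:
            while True:  # collect replies until the timeout expires
                data, addr = sock.recvfrom(65507)
                found.append((addr[0], parse_ssdp(data.decode(errors="replace"))))
        except socket.timeout:
            pass
    return found
```

Call `discover()` from a machine on your own LAN to list each responding device’s address, library and verdict; devices behind a downstream NAT, as the article notes, will not show up.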

“It is to be noted, however, that turning off UPnP may disable some functionalities, including local device-discovery dependencies and ignored requests from devices,” he cautioned.
