Universal Plug and Play - New Report on an Old Problem
February 22, 2013
In the dark ages of personal computers (1980′s and 90′s), you either needed to be a computer geek or have access to one if you wanted any device to work with your computer.
You had to go through a complicated driver installation process, and possibly replace system files.
If someone who was used to the process of adding a network card to a system today looked at the process of how to do it in 1989, they would swear that the early computer user was practicing witchcraft.
Today, when you plug something into your computer it lets you know that it detected something and can either use the default driver (assuming one exists), or you can choose your own. My how the world has changed.
The technology that allows this type of communication between devices is known as Universal Plug and Play (UPnP). It was designed to allow devices on the same network to communicate to each other and for systems to control aspects of each other without over complicating the process. It makes adding devices to a network much more convenient, but convenience and security are always diametrically opposed.
In other words, unlimited (and poorly patched) UPnP devices are ripe feeding grounds for computer hackers who want into you system.
In a recent report made by Rapid 7, a Internet security firm, there are approximately 40-50 million devices exposed to the Internet with a host of UPnP vulnerabilities. The real issue is that UPnP was never designed to be exposed to the Internet and security was never a consideration in its design.
On top of that, early versions of it were easy to infiltrate and force the affected devices to run malicious code. Several current devices are still running the vulnerable version of UPnP because their manufacturers did not update the code on their hardware.
Since this blog focuses on the security of retailers, why am I including this report?
The simple answer is that if you are running a switch, printer, router, or other device that is UPnP enabled, you are potentially exposing your network to computer hackers. If you take credit cards, and have to comply with PCI, then section 6 (which asks about applying security patches), and section 11 (which includes internal vulnerability scans and penetration testing) become much more critical if you have UPnP devices on your network.
The first vulnerability I personally ever read about on UPnP was exposed in 2001. 12 years later, and not much has changed on this front. UPnP should not be enabled if you are concerned about security.
If you must use it because of how your network is put together or managed, than at least know that you are running the latest versions of the technology that are less vulnerable to attacks. If you are unsure of where you stand, find a modern day geek (or at least your technology provider) and ask.