by Tony Yang (Home Network Researcher)
Earlier this year, users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie’s channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site. The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to the private devices and be open to the public internet.
Many devices such as cameras, printers, and routers use UPnP to make it easy for them to automatically discover and vet other devices on a local network and communicate with each other for data sharing or media streaming. UPnP works with network protocols to configure communications in the network. But with its convenience come security holes that range from attackers gaining control of devices to bypassing firewall protections.
After the aforementioned incident, we looked into UPnP-related events in home networks and found that many users still have UPnP enabled in their devices. We gathered data from our free IoT scanning tool, which can cover multiple operating systems, including Mac, Windows, Android, and iOS platforms. For this blog, we discuss data from January 2019.
| Device type | Total number of devices | Number of devices with UPnP enabled | Percentage of devices with UPnP enabled |
|---|---|---|---|

Table 1. Top device types with UPnP enabled
In January, we detected UPnP enabled on 76 percent of routers. Moreover, 27 percent of media devices, for example, DVD players and media streaming devices, also had UPnP enabled. Vulnerable UPnP implementations, when exploited, can turn routers and other devices into proxies that obfuscate the origins of botnets, distributed denial-of-service (DDoS) attacks, or spam, making it nearly impossible to trace which malicious activities were carried out. Reports have previously surfaced of routers with vulnerable UPnP implementations being forced to connect to ports and even send spam or other malicious mail to well-known email services.
The IoT botnet Satori, for instance, has been infamous for exploiting a UPnP vulnerability. The vulnerability, designated as CVE-2014-8361, is a command injection vulnerability in the Realtek SDK miniigd UPnP SOAP interface. A public advisory related to the vulnerability was released back in May 2015 with applicable mitigation, yet from recent data we gathered, many devices are still using older, potentially vulnerable UPnP versions.
Figure 1. UPnP-related results, with 1900 as the port, in Shodan (March 5, 2019 data)
We also expanded our scanning using the online search engine Shodan. A scan for the standard port used by UPnP, which is 1900, yielded a result of 1,649,719 devices searchable on the public internet. Well-known UPnP libraries were also listed in the search engine, with MiniUPnPd and Custom (Broadcom’s UPnP library) as what most of the searchable devices use.
| UPnP library | Share of Shodan results |
|---|---|
| LibUPnP (Portable SDK/Intel SDK) | 1% |

Table 2. Top three UPnP libraries in Shodan results (March 5, 2019 data)
UPnP-related vulnerabilities and current device implementations in home networks
Shodan results show the scale of publicly searchable UPnP-enabled devices. With our own scanning tool, we looked into the UPnP libraries in use in home and other small network environments and identified the factors that could make the devices vulnerable to attacks. In a nutshell, we found that most devices still use old versions of UPnP libraries. Vulnerabilities involving these UPnP libraries are years old, are potentially unpatched, and leave connected devices insecure against attacks.
Our IoT scanning tool data showed that 16 percent of the devices with UPnP enabled use the MiniUPnPd library. MiniUPnPd is a well-known UPnP daemon for NAT (network address translation) routers that provides port mapping protocol services. Interestingly, the devices we detected have old versions of MiniUPnPd installed: 24 percent use MiniUPnPd 1.0, 30 percent use MiniUPnPd 1.6, and only five percent of the devices use a MiniUPnPd 2.x version (miniupnpd 2.1 is the latest version).
Table 3. MiniUPnPd distribution
Devices with old versions of the said daemon have to be protected against known and high-risk vulnerabilities. For example, CVE-2013-0230, a stack-based buffer overflow in the ExecuteSoapAction of MiniUPnPd 1.0, allows attackers to execute arbitrary code. CVE-2013-0229, a vulnerability in the ProcessSSDPRequest function in MiniUPnPd before 1.4, allows attackers to cause a denial of service (DoS) via a crafted request that triggers a buffer over-read. Then there’s CVE-2017-1000494, an uninitialized stack variable flaw in MiniUPnPd < 2.0 that allows attackers to cause DoS (segmentation fault and memory corruption).
Windows UPnP Server
We also found that 18 percent of the devices utilize Windows-based UPnP. These devices, Microsoft Windows XP machines (Windows NT 5.1) in particular, should check if the MS07-019 patch has been applied. (It is also important to note that Windows XP reached end of life in April 2014, meaning it’s no longer supported by Microsoft and security problems will be left unpatched.) Windows XP comes with UPnP functionality that is enabled automatically out of the box. The patch addresses the UPnP memory corruption vulnerability (CVE-2007-1204) that enables a remote attacker to run arbitrary code in the context of a local service account.
Libupnp (portable SDK for UPnP devices)
The portable software development kit (SDK) for UPnP devices (libupnp) is another well-known UPnP library that supports several operating systems. From our data, 5 percent of the detected devices use the libupnp library package. While not a significant number, we noted that most of the devices with the said library have versions older than 1.6.18/1.6.19 (the current version being 1.8.4). Users of versions before 1.6.18 have to be mindful of a stack-based buffer overflow in the unique_service_name function, designated as CVE-2012-5958, which allows remote attackers to execute arbitrary code via a User Datagram Protocol (UDP) packet.
Conclusion and Trend Micro Solutions
It could be tricky for users to determine if a device has a UPnP-related flaw or has been infected. Some devices could be hidden behind NAT, such that even if a vulnerability exists, the user may not see the impact immediately. To prevent attacks that exploit UPnP-related vulnerabilities, users should ensure that their devices are running updated firmware. If a device is suspected of being infected, the device should be rebooted, reset to the original factory settings, or, to err on the side of caution, altogether replaced. Unless enabling UPnP in devices is necessary for the network, it is advisable to disable the UPnP feature if the device allows. It is to be noted, however, that turning off UPnP may break functionality that depends on it, such as local device discovery, and may cause requests from other devices to be ignored.
Home users can also follow these measures for added security:
1. Scan home networks with the Trend Micro™ HouseCall™ for Home Networks tool and check which devices have their UPnP port 1900 open.
2. Go to the device’s settings page (e.g. router’s settings page) to disable UPnP.
3. Manually configure port forwarding settings if needed.
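As an added example (not code from the post or from Trend Micro's tools), the inventory step above can be done by hand: send one SSDP M-SEARCH to the UPnP multicast group on port 1900, collect the SERVER headers of whatever answers, and compare the reported MiniUPnPd or libupnp version against the CVE version ranges listed earlier in the post. The discovery function, the version rules and the constructed sample reply are all assumptions of this example.

```python
import re, socket

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: %s:%d\r\nMAN: \"ssdp:discover\"\r\n"
           "MX: 2\r\nST: ssdp:all\r\n\r\n" % (SSDP_ADDR, SSDP_PORT)).encode()
# Version rules taken from the CVEs named in the post: (library, comparison, version, CVE).
RULES = [("miniupnpd", "eq", "1.0", "CVE-2013-0230"),
         ("miniupnpd", "lt", "1.4", "CVE-2013-0229"),
         ("miniupnpd", "lt", "2.0", "CVE-2017-1000494"),
         ("portable sdk for upnp devices", "lt", "1.6.18", "CVE-2012-5958")]
LIB_RE = re.compile(r"(MiniUPnPd|Portable SDK for UPnP devices)/([\d.]+)", re.I)

def parse_ssdp_response(raw):
    """Turn an HTTP-style SSDP reply into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.decode("utf-8", "replace").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def version_tuple(v):
    return tuple(int(p) for p in v.strip(".").split("."))

def flag_known_cves(server_header):
    """Match the SERVER header against RULES and return the CVE ids that apply."""
    m = LIB_RE.search(server_header or "")
    if not m:
        return []
    lib, ver = m.group(1).lower(), version_tuple(m.group(2))
    return [cve for rule_lib, op, rule_ver, cve in RULES if rule_lib == lib and
            ((op == "eq" and ver == version_tuple(rule_ver)) or
             (op == "lt" and ver < version_tuple(rule_ver)))]

def discover(timeout=2.0):
    """Send one multicast M-SEARCH on the LAN; return [(source_ip, headers)] per reply."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MSEARCH, (SSDP_ADDR, SSDP_PORT))
        try:
            while True:
                data, (ip, _) = sock.recvfrom(4096)
                found.append((ip, parse_ssdp_response(data)))
        except socket.timeout:
            pass
    return found

# Constructed sample reply (not captured from a real device) for an offline run of the checks.
SAMPLE = b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nSERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.0\r\n\r\n"
```

Run `discover()` on the home LAN and pass each reply's `server` header to `flag_known_cves()`; a device that answers on 1900 with an old library version is one to update or to have UPnP disabled on.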
The Trend Micro Home Network Security solution can check internet traffic between the router and all connected devices. Our IoT scanning tool has been integrated into the Trend Micro HouseCall for Home Networks scanner.
Users of the Trend Micro Home Network Security solution are protected from UPnP vulnerabilities and related attacks via these rules:
- 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
- 1134287 WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)