One of the most talked about stories last week was the vulnerability affecting around 40 million devices via the universal plug and play (UPnP) protocol.
A detailed report authored by HD Moore, chief security officer of Rapid7 and inventor of the Metasploit project, claimed that between 40 and 50 million networked devices were vulnerable to attack due to the protocol being set to open by default and being present in printers, routers, media players and smart TVs, among many others.
He also discovered that over 81 million devices on the internet used the UPnP protocol, 17 million of which appeared to be remotely configurable, while his scans showed over 23 million devices were vulnerable to a remote code execution flaw.
To determine the scope of the threat, Rapid7 researchers scanned the IPv4 address space looking for devices that responded to UPnP queries (UDP port 1900) and found that over 81 million devices responded to their queries. They also learned that the majority of these devices use four common UPnP development kits, and that many of these development kits suffer from a variety of critical software vulnerabilities.
Causing concern to many researchers, this even led the US computer emergency readiness team (Cert) to issue an advisory about the ‘multiple vulnerabilities’ in the open source portable SDK for UPnP devices, libupnp. “US-Cert recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities,” it said.
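The scan described above works by sending an SSDP M-SEARCH query over UDP port 1900 and reading the SERVER header each responder returns, which is what lets a scanner attribute a device to a particular UPnP development kit. The script below is an added example, not Rapid7's scanner or any code from the report, that a defender can run against their own LAN to inventory UPnP responders and flag any that advertise a libupnp build older than the 1.6.18 release US-Cert recommended. The M-SEARCH exchange and the multicast group are the standard SSDP ones; the `Portable SDK for UPnP devices/x.y.z` header format, the sample replies (constructed, with documentation-range addresses) and the function names are this example's own assumptions.

```python
"""Inventory UPnP responders on the local network and flag libupnp builds
older than 1.6.18.  Added example, not Rapid7's tool: the SSDP M-SEARCH
exchange on UDP 1900 is standard; the SERVER-header parsing and the
version threshold are this example's own assumptions."""
import re
import socket

SSDP_MCAST = ("239.255.255.250", 1900)   # link-local multicast group, not the public internet
FIXED_LIBUPNP = (1, 6, 18)               # release US-Cert recommended in its advisory

M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
)

# Matches the "Portable SDK for UPnP devices/1.6.17" token that libupnp-based
# stacks put in the SERVER header (assumed format for this example).
LIBUPNP_RE = re.compile(r"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", re.I)


def parse_ssdp_response(raw: str) -> dict:
    """Return header fields (lower-cased names) from one SSDP HTTP-over-UDP reply."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the "HTTP/1.1 200 OK" status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def libupnp_version(server_header: str):
    """Extract (major, minor, patch) if the SERVER header names libupnp, else None."""
    m = LIBUPNP_RE.search(server_header or "")
    return tuple(int(x) for x in m.groups()) if m else None


def assess(raw: str, source: str = "?") -> dict:
    """Classify one reply: which stack it advertises and whether it predates the fix."""
    h = parse_ssdp_response(raw)
    server = h.get("server", "")
    ver = libupnp_version(server)
    return {
        "source": source,
        "server": server,
        "location": h.get("location", ""),
        "libupnp": ver,
        "flag": ver is not None and ver < FIXED_LIBUPNP,
    }


def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH to the LAN multicast group and assess every reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # stay on the local link
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH.encode(), SSDP_MCAST)
    results = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            results.append(assess(data.decode(errors="replace"), addr[0]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


# Constructed sample replies (not captured from real devices) so the parser
# can be exercised offline; 192.0.2.0/24 is the documentation address range.
SAMPLE_OLD = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
              "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
              "SERVER: Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
              "ST: upnp:rootdevice\r\nUSN: uuid:example::upnp:rootdevice\r\n\r\n")
SAMPLE_FIXED = ("HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.11:49152/rootDesc.xml\r\n"
                "SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n\r\n")
SAMPLE_OTHER = ("HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.12:5000/rootDesc.xml\r\n"
                "SERVER: OS 1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n")

if __name__ == "__main__":
    for r in discover():
        print(("FLAG " if r["flag"] else "ok   ") + f'{r["source"]} {r["server"]}')
```

Two caveats a practitioner would want: a SERVER header is self-reported, so a vendor that backported the fix without bumping the version will still be flagged, and a device that omits or rewrites the header will not be attributed at all; and a device answering on the LAN says nothing about whether its WAN interface also answers, which is the exposure the report is about, so the LOCATION URL and the router's WAN-side configuration still need checking by hand.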
We have seen research papers go viral in the past and with good reason, but with the scope of this affecting so many and tapping into the ‘internet of things’ concept of multiple connected devices, this could prove to be a watershed moment.
Speaking with Moore, he said that the problem was that there were devices that were connected to the internet that should not have been. Ahead of the Rapid7 research, Moore said that there was some research done on it in the past, with some advisories issued in 2001 and some attention paid to some of the exposures in 2011, but he said that none of them really went in as deep or as wide as this recent report did.
“There's been partial coverage of this, there were issues before in the past but no one had really gone and done a full assessment of the entire internet and then going deep on the specific software libraries that were most commonly used,” he said.
“I've been running a larger, more comprehensive research project in the background that this is just part of, and one thing that stood out from that was there were almost as many UPnP exposed devices in that data set as the web servers I was finding. So this project is scanning a lot of different services and finding the information about what's exposed to the internet.”
While Moore confirmed that it was pretty tricky to exploit, he said it was really easy for an attacker to identify all the vulnerable systems, and from there fairly straightforward to work out what they have exposed or where to look next.
The issue falls into three vulnerability categories: first, the main flaw, a vulnerability in the discovery protocol that makes devices exploitable; secondly, that many of these devices also expose their user interface to the world; and thirdly, a vulnerability in the software itself.
Asked if he was aware of any attacks or exploits in the wild, Moore said he had not seen anything but he suspected that in the coming weeks there would be more activity.
He said: “There was a researcher back in 2006/7 who I believe worked on an exploited interface. He was able to get remote access but the exploit itself was never made public.”
As this affects so many devices, I asked Moore what type of users it affects. He said it was mostly small businesses and consumers, while enterprises use more internally developed protocols. “The main advice we give right now is make sure that your network is not vulnerable. If that's sorted out then understand what you have and figure out how critical they are,” he said.
He also confirmed that there was “a flood of responses coming from all the different hardware vendors” to the research, with Cisco's advisory stating that it is looking at the issue and that none of the devices it's looked at were vulnerable. “We're seeing still a fairly small response from all the vendors that are affected, most of the vendors have at least two months of work on it,” Moore said.
“For vendors who make a lot of consumer electronics, there's very little chance they're going to fix their devices they shipped two or three years ago. They'll only really focus on what they're selling today basically.”
Rapid7 did release a scanning tool, which it said had been downloaded 13,000 times as of a week ago, but the biggest story here is a flaw that affects so many people across so many connected devices. Rather than the Java and Internet Explorer zero-days that have caused so many headaches and headlines in 2013, this may have much wider implications for the future of threats.