Subscribe to the InfoTech eNewsletter

infoTECH Feature

January 31, 2013

The Flaws of UPnP Exposed: Security Experts Say Disable it

Warning! Universal Plug and Play, or UPnP, may enable simple and robust connectivity to stand-alone devices, but it does not implement its own authentication and authorization mechanism or provide security against hackers.

UPnP is an open, industry standard that has replaced PnP and uses Internet protocols to enable consumer electronic networking devices, appliances (wired and wireless) and developed applications to have their presence discovered automatically, without configuration or a user’s intervention.

From a security architecture viewpoint, UPnP is a loophole that places tens of millions at risk. This is seen as one of its major drawbacks.

For security reasons, the U.S. Department of Homeland Security (DHS) has raised concerns on this communications protocol; it warns UPnP users to disable it (if possible); along with restricting networking protocols and ports, to include the Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOAP) services, as there is a risk for millions of users’ hardware components of being exposed to common network bugs.

The security team at Rapid7, a provider of security risk intelligence solutions, in a white paper  released this week, provided insight on what they discovered: Their research revealed that between 40 and 50 million network-enabled devices can potentially be compromised remotely as a result of programming bugs in common UPnP implementations.

Like other bugs in networking systems, this security flaw for UPnP makes hardware and software components vulnerable to attacks by hackers, declared Rapid7; it cautioned users to be aware that they could be prone to malware, denial-of-service (DoS) attacks and, worse, lose control remotely of one or more hardware devices as a result of one’s identity and password being compromised.

By default, UPnP is enabled on many networking equipments. If possible, disable it!

Users are advised to use UPnP at their  own risk, or acquire the extension of the UPnP specification called UPnP-UP (Universal Plug and Play - User Profile), which can help manage user profiles and control access to UPnP-enable devices and applications. Otherwise, they should consider disabling UPnP altogether as DHS recommends, as it could lead to exploitable vulnerabilities.

This news on UPnP should raise a red flag for millions of networking end users. Even though the standard makes it an efficient means for machines to discover each other's presence, using it could trigger a severe security risk, warns DHS, Rapid7 and the CERT Coordination Center.

Want to learn more about the latest in communications and technology? Then be sure to attend ITEXPO Miami 2013, happening now in Miami, Florida.  Stay in touch with everything happening at ITEXPO (News - Alert). Follow us on Twitter.

Edited by Brooke Neuman

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers