Universal Plug and Play gets way too universal


Despite its name, Universal Plug and Play (stylized as UPnP) was never meant to be as universal as it has gotten in the past week. UPnP is a plug-in that is pre-installed onto your operating system (usually Windows) and allows devices to recognize each other without the hassle of needing to set up each and every device separately. UPnP was first added to Windows XP, and has been a mainstay of computers and laptops ever since.

However, a loophole has allowed UPnP to live up to its name—and not in a good way either. The New Scientist has reported that UPnP has caused millions of devices to be accessible—and in many cases controllable—via the Internet. Controlling things such as security cameras and our routers via the cloud, through our smartphones, tablets, laptops, etc., is not unheard of, but this particular UPnP bug allows anyone access to those devices, and you know what that means—the more nefarious side of the Internet can potentially wreak havoc on anything enabled via UPnP.

Information security company Rapid7 reported on this breach last week, stating that they researched UPnP devices between June and November 2012. Their findings were nearly astounding, especially in regard to routers, which most of us use to connect to the Internet. 6,900 network-aware products from 1,500 companies at 81 million Internet protocol (IP) addresses responded to their requests. “About 80 percent of those were home routers, and the rest were devices like cameras and printers that should not have been Internet-facing at all,” said lead researcher H.D. Moore. An open router could give an attacker access to its owner’s personal files, and as routers increasingly include cloud access, many important files could be in danger of being stolen.

One drawback of UPnP is its lack of user authentication. “The problem is that the UPnP protocol has no built-in security. The goal was to make it easy for devices to discover each other without confusing the user—to get them up and running,” Moore said. “One solution would be for Internet service providers (ISPs) to modify their routers to prevent their subscribers’ UPnP traffic from being accessed.” Rapid7 has developed a downloadable program for Windows that checks whether your devices are Internet-facing. “Their one-click check lets you see if this issue affects you or not, so make use of it,” said Jay Abbott of Advanced Security Consulting in Peterborough, UK.

Will there be a permanent fix to this loophole? Boldizsár Bencsáth at the CrySyS Lab in Budapest, Hungary, thinks only time will cure the problem, perhaps as ISPs gradually issue broadband routers secured against UPnP data extraction. “People do not really care to fix vulnerabilities unless it does something like slow down Internet access. So I think a lot of vulnerable UPnP devices will remain on the Internet for a long time,” he said.