Tech News UPnP router vulnerability...

little_pob

little_pob

VIP Member
VIP Member
Joined
Dec 10, 2004
Messages
8,769
Reaction score
2,480
Location
mmm....padded walls....so soft...
For the non-tech minded click this link and follow the on screen instructions: Universal Plug and Play Check by Rapid7

Some background:
The Department of Homeland security, in conjunction with Rapid7, has issued another warning (Vulnerability Note VU#922681) that everyone using the Internet needs to be aware of.

The last warning that broke out of nerdville into the mainstream media involved Java. In that case, simply viewing a web page could result in a computer being infected with a virus. This warning is arguably worse, because the victim doesn't need to do anything.

Even if all your computers and tablets are turned off, a bad guy may now be able to get into your router and re-configure it or crash it. Re-configuring can allow the bad guys into your Local Area Network (LAN) or, it can prevent machines on the inside from getting out to the Internet.

The problem lies with a networking communication protocol called Universal Plug and Play (UPnP). UPnP was designed for internal use only. That is, it was only meant to be used inside a LAN.

UPnP was never intended to be used on the Internet. It has no security, not even passwords. Yet, CERT and Daniel Garcia warned, back in 2011, that a number of devices were mis-configured and talking UPnP over the Internet. It's as if a surgeon operated on the wrong leg.

Now, we have a report from Rapid7 documenting a large number of bugs in the UPnP coding. No doubt, some of these UPnP bugs exist in LAN-resident devices (printers, Network Attached Storage, game consoles) but, no big woop, since they can't be exploited by a bad guy halfway around the world.

The real danger comes from routers and broadband modems that can be accessed over the Internet. Rapid7 spent months scanning the entire Internet multiple times.

They found over 80 million computing devices respond to UPnP queries over the Internet. There should be none...

[continues]
Click to expand...
 
Last edited:
All safe here ;)

sent using my telepathic powers
 
Perhaps I should put it in context, there's nearly 2.5bn people on the internet. That means 32 out of 1000 people might be effected.

Still, 80 million potential victims is probably enough incentive for a scammer to attempt something...
 
hi, i gave it a try and got the green tick with, Congratulations! Your router did not respond to a UPnP discovery request.
 
Congratulations! Your router did not respond to a UPnP discovery request.

:)
 
If i remember correctly, this problem was identified and warned about, on the PS3 some years ago.
perhaps the closed nature of PSN made the machines more prone to the problem.

when you think of PNP, in security terms, its not too bright to add the protocol to an unsecured network anyway.
 
It should have been called "plug and pray" or "plug and prey" lol, depending on which side of the fence your on..! (sorry humor is bad the night) :)

I'd read about this, good post pob mate.
 
Last edited:
You must log in or register to reply here.

Similar threads

alimac
    • Like
Windows 11 24H2 LTSC images leak ahead of official announcement
Replies
0
Views
116
alimac
alimac
rawsy
    • Like
ISP Cityfibre Vodafone
Replies
1
Views
212
rawsy
rawsy
O
Power supply for LED table lamp
Replies
10
Views
370
Oggiman
O
alimac
    • Like
Tor launches WebTunnel Bridge
Replies
0
Views
156
alimac
alimac
O
    • Like
BT and Sky users may finally get ‘turbo-charged’ broadband boost - check your postcode
Replies
3
Views
358
leemoo
L
Back
Top