Millions Of Networked Devices In Harm's Way

Unplug Universal Plug And Play (UPnP) to protect routers, storage devices, media players from getting hacked over the Internet, Rapid7 says
Rapid7 took data from scans it performed between June and November of last year, sending UPnP discovery requests to each and every routable IPv4 address about once a week. They found that 17 million of the UPnP devices that responded also exposed the so-called UPnP Simple Object Access Protocol (SOAP) service to the Net, which

The vulnerability management firm also released a free tool today that lets users scan for exposed UPnP devices and for those that are vulnerable to the attacks identified by Rapid7. The ScanNow UPnP tool is available here for download.

[Researchers and attackers catalog vulnerable systems connected to the Internet, from videoconferencing systems set to auto-answer, to open point-of-sale servers, to poorly configured database systems. See Global Scans Reveal Internet's Insecurities In 2012.]

"UPnP was intended for home use only, so hopefully most organizations won't have too many devices which support UPnP out of the box. Running a scan to be certain would be a wise move, though," Secunia's Kristensen says.

What's most disturbing, he says, is that UPnP should not be Internet-facing at all. "The risk would have been very limited if only the vendors had applied basic best practices and ensured that UPnP and similar protocols only are available in internal networks," he says.
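A defender's own LAN check along the lines Kristensen recommends, added here as an example (it is not Rapid7's ScanNow tool or any code from the article): it multicasts a standard SSDP M-SEARCH, parses the replies, and flags any device whose description URL (the entry point to the SOAP service described above) points outside local address space. The two sample replies are constructed, not captured from real devices.

```python
import socket
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# The SSDP M-SEARCH request a UPnP client multicasts to discover devices (MX = 2 s).
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
# Ranges a home/office UPnP device should answer from (RFC 1918, loopback, link-local).
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Constructed sample replies (not from real devices): LAN address vs. non-local description URL.
LAN_REPLY = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
             b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleStack/0.1\r\nST: upnp:rootdevice\r\n\r\n")
ODD_REPLY = b"HTTP/1.1 200 OK\r\nLOCATION: http://198.51.100.7:49152/desc.xml\r\n\r\n"

def parse_ssdp_response(raw):
    """Parse an SSDP '200 OK' reply into lower-cased headers; None for anything else."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def assess(headers):
    """Description URL (it leads to the SOAP control service), SERVER banner, locality of the URL."""
    location = headers.get("location", "")
    host = urlparse(location).hostname
    try:
        outside = bool(host) and not any(ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:
        outside = True  # a DNS name here is unusual for a LAN device; review it
    return {"location": location, "server": headers.get("server", ""), "outside_local_nets": outside}

def discover(timeout=2):
    """Multicast one M-SEARCH on the local segment; return [(source_ip, assessment)]."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(MSEARCH, ("239.255.255.250", 1900))
    results = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            if headers := parse_ssdp_response(data):
                results.append((src, assess(headers)))
    except socket.timeout:  # no more replies within the window
        return results
```

Run `discover()` from a host on the segment you want to inventory; every reply is a device answering SSDP, and the SERVER banner tells you which UPnP stack it runs so you can check it against the vendor's advisories.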

Rapid7's Security Flaws in the Universal Plug and Play white paper is available here for download.
