The Department of Homeland Security, in conjunction with Rapid7, has issued another warning (Vulnerability Note VU#922681) that everyone using the Internet needs to be aware of.
The last warning that broke out of nerdville into the mainstream media involved Java. In that case, simply viewing a web page could result in a computer being infected with a virus. This warning is arguably worse, because the victim doesn’t need to do anything.
Even if all your computers and tablets are turned off, a bad guy may now be able to get into your router and re-configure it or crash it. Re-configuring can allow the bad guys into your Local Area Network (LAN) or, it can prevent machines on the inside from getting out to the Internet.
The problem lies with a networking communication protocol called Universal Plug and Play (UPnP). UPnP was designed for internal use only. That is, it was only meant to be used inside a LAN.
UPnP was never intended to be used on the Internet. It has no security, not even passwords. Yet, CERT and Daniel Garcia warned, back in 2011, that a number of devices were mis-configured and talking UPnP over the Internet. It’s as if a surgeon operated on the wrong leg.
Now, we have a report from Rapid7 documenting a large number of bugs in UPnP implementations. No doubt, some of these UPnP bugs exist in LAN-resident devices (printers, Network Attached Storage, game consoles) but, no big woop, since they can’t be exploited by a bad guy halfway around the world.
The real danger comes from routers and broadband modems that can be accessed over the Internet. Rapid7 spent months scanning the entire Internet multiple times.
They found that over 80 million devices respond to UPnP queries over the Internet. There should be none.
The only good news seems to be that not all of those devices are buggy. Rapid7 reports that “around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol.” Take a deep breath and read that last sentence again. Forty to fifty million buggy devices are remotely exploitable.
This state of affairs is worthy of Lex Luthor or a James Bond villain. But it’s real.
TEST YOUR ROUTER
At first, Rapid7 made available a Windows program, ScanNow, designed to run inside a LAN and detect UPnP-enabled devices. Now, they offer something better.
To test whether your router exposes a vulnerable (buggy) implementation of UPnP on the Internet, go to the Rapid7 UPnP Check. The initial page is shown below.
Click on the orange “Scan My Router” button.
Good results are shown below.
A sample bad result is provided by Rapid7 here.
If you get a bad result, you have a big problem. Most routers can be configured to turn off UPnP, but some Asus routers do not let you disable it.
For more see this FAQ from Rapid7.
This is, to be blunt, a disgrace for the software industry.
UPDATE: Just hours after this was published, Steve Gibson released a new online tester page for UPnP. It’s part of his long established ShieldsUP! service and, from what I can tell, does basically the same thing as the Rapid7 UPnP Check described above.
You can’t be too safe here; I suggest running both testers.
Gibson describes both the service and the situation with (emphasis mine):
This Internet probe sends up to ten (10) UPnP Simple Service Discovery Protocol (SSDP) M-SEARCH UDP packets, one every half-second … in an attempt to solicit a response from any publicly exposed and listening UPnP SSDP service. The UPnP protocols were never designed to be exposed to the public Internet, and any Internet-facing equipment which does so should be considered defective, insecure, and unusable. Any such equipment should be disconnected immediately.
To use the service, go to ShieldsUP!. On the first page, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC’s Instant UPnP Exposure Test. If all goes well, you should see something like that below.
UPDATE AGAIN (Jan. 31, 2013 11:46PM ET): Just after releasing his online tester, Gibson modified it to include samples of the three possible outcomes. Way to go Steve.
In the best case, you get the DID NOT RESPOND result shown above. In the worst case, your router does respond (see a sample of what this looks like). A rejected response is somewhere in the middle. As a Defensive Computing kind of guy, I would not sleep well if my router rejected Gibson’s probes. But, reasonable people may disagree.
Yet another UPDATE (Feb. 1, 2013 1PM ET): On the January 30th episode of his Security Now podcast, Steve Gibson explained why ordinary port scanners cannot detect the presence of UPnP over the Internet. For one thing, UPnP starts out using UDP, which not all port scanners support. Gibson’s own ShieldsUP!, for example, normally restricts itself to TCP. Even more to the point, we need to test whether the router responds to an initial UPnP query, rather than simply whether it responds to any knock on the door. And, we need to check that it responds with a valid UPnP response.
The two online UPnP scanners described here do just that.
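Gibson’s description boils down to two checks: did anything answer the SSDP M-SEARCH probe at all, and was the answer a well-formed UPnP discovery response rather than random noise. Here is that logic as an added example in Python; it is not code from this article, Rapid7 or GRC, and the host you hand to probe() is assumed to be your own router.

```python
# Added example (not from the article, Rapid7 or GRC): build the SSDP
# M-SEARCH probe Gibson describes and classify whatever comes back.
import socket
from typing import Optional

SSDP_PORT = 1900  # UDP port on which UPnP discovery (SSDP) listens

def build_msearch(host: str) -> bytes:
    """The HTTPU M-SEARCH discovery request (UPnP Device Architecture 1.0)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n" f"HOST: {host}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n'
    ).encode("ascii")

def parse_ssdp_response(raw: bytes) -> Optional[dict]:
    """Parse an HTTPU reply into {'status': ..., header: value}; None if it is not one."""
    try:
        lines = raw.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if not lines[0].startswith("HTTP/1.1 "):
        return None
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None       # not a header line, so not a valid reply
        headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw: Optional[bytes]) -> str:
    """'silent': no reply; 'noise': a reply that is not valid UPnP; 'exposed': a valid UPnP answer."""
    if raw is None:
        return "silent"
    h = parse_ssdp_response(raw)
    if h is None or not h["status"].startswith("HTTP/1.1 200"):
        return "noise"
    # UPnP 1.0 requires ST, USN and LOCATION in every discovery response
    return "exposed" if all(k in h for k in ("st", "usn", "location")) else "noise"

def probe(host: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send one M-SEARCH to host (your own router, say) and return the first reply, if any."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(host), (host, SSDP_PORT))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None
```

Run classify(probe("<your router's address>")) from outside your LAN to mirror what the online testers do; "exposed" means the router answered discovery with a valid UPnP response, which is the result both testers flag as a problem.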
It’s very likely that Rapid7’s ScanNow program can also be pointed at a public IP address to run the same tests. I verified that it runs against public IP addresses; however, without knowing of a publicly vulnerable device, I can’t verify that all the tests work.