IoT and UPnP: A Dangerous Combination


Over the past 15 years, Internet of Things (IoT) devices have radically changed the IT world, introducing many benefits along with some tricky downsides. For example, while vulnerabilities in IoT devices have been common knowledge since 2006, the rapid development of this technology has left little time for security protocols to guide the safety of businesses that use them. These dangers are compounded when IoT devices are allowed to make network changes on Universal Plug and Play (UPnP) routers/firewalls on the network, a setting that is often enabled by default on home routers/firewalls.

Unfortunately, little has been done to improve security around UPnP exploitation of IoT devices. Manufacturers are still shipping routers with security bugs that allow attackers to gain remote control of the firewall or root-level access to the device, and there is the never-ending problem of new exploits appearing all the time.

So why are IoT devices prone to these attacks? They often use a component called UPnP that, when exploited, can turn a local attack on your business network into something much more dangerous.


UPnP

To help users easily set up new connections, IoT devices such as network printers, home media players and smart TVs use a component called UPnP. If the network is behind a UPnP-enabled router, an IoT device can ask the router to open ports and forward certain inbound traffic to it, without any administrator involvement. UPnP eliminates the hassle of configuring devices on first connection and makes sharing information between devices quick.

Unfortunately, researchers at Rapid7 have uncovered serious security flaws in UPnP. If a computer or IoT device on your network is compromised, these flaws can give a hacker remote control of webcams, printers and security systems, allowing them to steal passwords and access any other device connected to your network. Moreover, once compromised, your device can be used as part of a botnet to run distributed denial of service (DDoS) campaigns that take down websites, hide a hacker's location or give them a starting point for other, more damaging attacks.

Some of the biggest cyber-attacks to date have leveraged internet-connected hardware to launch massive DDoS attacks. Because IoT devices using UPnP connect so seamlessly, they are ideal for hackers who need to accumulate devices to overwhelm a business network. According to the Open Resolver Project, there are currently more than 28 million Internet-connected devices that attackers can abuse for an anonymous attack.

To check if your network has been compromised via IoT vulnerabilities, Rapid7 created a tool to help.

Important note: While business-grade firewalls don't employ UPnP, Switchfast's standard practice is to recommend disabling UPnP on all personally owned firewalls, a stance echoed by US-CERT last year.


Point of Attack

Cloud service provider Akamai found evidence that attackers are actively exploiting UPnP weaknesses as a jumping-off point for larger attacks such as DDoS, malware distribution, phishing and credit card theft. Akamai found that 4.1 million internet-facing UPnP devices were potentially vulnerable to being used in a reflection DDoS attack. That number accounts for about 38% of the 11 million such devices in use around the world, a large pool that cyber criminals can use to turn what would otherwise be small, local attacks into massive threats.

Primarily, hackers are exploiting UPnP weaknesses in home routers to reroute your business traffic repeatedly until it’s untraceable. Since the technology sector has been aware of these weaknesses for some time, hackers are capitalizing on the collective amnesia the industry appears to be suffering in the wake of these massive vulnerabilities.


Downtick in UPnP

Due to the complicated nature of UPnP attacks, detection is very difficult for end-users. When you have a vulnerable device, there is little you can do to defend yourself from an attack — short of getting a new one. If you have an IoT-enabled device or home router which allows you to disable UPnP, do so, but be sure to test for any functionality issues that arise.

UPnP-enabled devices are usually safe as long as your router/firewall does not have open inbound ports forwarded to them. The problem is that many routers include vulnerable implementations of UPnP that give hackers an easy way around your protective measures. The main message here is that you need to ensure your router is locked down and secure. If your router supports UPnP, you can find options to disable it through its web interface.
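As an added example (not code from Switchfast, Rapid7 or Akamai), the following Python script shows how a defender can audit the port-opening mechanism described in the UPnP section and check the "no open inbound ports" condition above: it builds the SSDP discovery request that an Internet Gateway Device answers, parses the reply to find the device description URL, and parses GetGenericPortMappingEntry SOAP responses from the router to flag mappings that expose an internal host to any remote address. The SSDP reply and SOAP response below are constructed samples, and the actual UDP send is left out so the code runs offline.

```python
import re
import xml.etree.ElementTree as ET

# SSDP multicast group and the search target for a UPnP Internet Gateway Device.
SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

def build_msearch(st=IGD_ST, mx=2):
    """Build the SSDP M-SEARCH datagram that asks LAN gateways to identify themselves."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()

def parse_ssdp_reply(datagram):
    """Return the LOCATION header (device description URL) from an SSDP reply, or None."""
    m = re.search(rb"^LOCATION:\s*(\S+)", datagram, re.I | re.M)
    return m.group(1).decode() if m else None

def parse_port_mapping(soap_xml):
    """Turn a GetGenericPortMappingEntry SOAP response into a dict of its fields."""
    root = ET.fromstring(soap_xml)
    body = root.find(".//{%s}GetGenericPortMappingEntryResponse" % WANIP_NS)
    return {child.tag: child.text for child in body} if body is not None else None

def flag_mapping(m):
    """A mapping is risky when it is enabled and NewRemoteHost is empty (any source IP)."""
    return m.get("NewEnabled") == "1" and not m.get("NewRemoteHost")

def audit_mappings(soap_responses):
    """Summarise every mapping that forwards internet traffic to an internal host."""
    findings = []
    for xml in soap_responses:
        m = parse_port_mapping(xml)
        if m and flag_mapping(m):
            findings.append(f"{m['NewProtocol']}/{m['NewExternalPort']} -> "
                            f"{m['NewInternalClient']}:{m['NewInternalPort']} "
                            f"({m.get('NewPortMappingDescription') or 'no description'})")
    return findings

# Constructed sample messages (not captured from a real router).
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                     b"ST: " + IGD_ST.encode() + b"\r\n"
                     b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")
SAMPLE_MAPPING = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>IP Camera</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
```

In practice the audit loops GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2, ... against the WANIPConnection control URL found in the device description until the router returns an error, and any flagged entry is a forwarded port that the "locked down" router should not have.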

In their 2014 study, Akamai said they were willing to share the list of potentially exploitable devices with members of the security community in an effort to collaborate on cleanup and mitigation of this threat. That is the sort of response we need, because new DDoS-for-hire services come online every day and there are tens of millions of misconfigured devices out there that can be abused to launch such devastating attacks.

While the threat may be invisible, a compromised device is a ticking time bomb for business networks. In today’s fluid work culture where employees are bringing connected devices to and from their office, there’s simply no room for error when it comes to your cybersecurity.

If you’re worried your business network hasn’t been optimized for security, Switchfast provides free security audits to help assess your network.