That done, start checking for firmware updates for your device. All it takes is one device to be compromised for every system on your network to be endangered. If, for whatever reason you can't turn it off, you must make sure your firewall blocks UPnP traffic. In the case of some devices and services, especially media servers and players, UPnP, with its close relative Digital Living Network Alliance (DLNA), is actually necessary for them to work properly. It's all too possible, especially for consumer black box devices, there won't be any way to turn off. To do this, check the vendor's manual and online support for access to UPnP. Once you find your vulnerable hardware, you can see if it has any way of letting you turn UPnP off. New exploits are popping up, where bugs in Universal Plug and Play are exploited using a buggy Flash plug-in in a web browser, turning a mostly local attack into something a lot more dangerous. A lot of routers are still shipped with grave security bugs, including involuntary onion routing, remote root exploits, and complete remote control over firewalls. As Armijn Hemel, owner of UPnPhacks wrote, "In May 2006 I presented a paper called 'Universal Plug and Play: Dead simple or simply deadly'.In the years following my presentation very little has changed. Major UPnP problems have been showing up since 2001, and they've never stopped showing up.
While the US Computer Emergency Readiness Team (US-CERT) specifically talks about devices that use versions of libupnp, the open-source portable software development kit (SDK) for UPnP earlier than 1.6.18, UPnP has been, is now, and will always be a security nightmare of a protocol.
Homeland Security: Disable UPnP as tens of millions at risk Millions of PCs exposed through network bugs, security researchers find
0 kommentar(er)
