January 30, 2013

Security experts warn of Universal Plug and Play security flaws

About 40 million to 50 million devices were found vulnerable over three separate issues with the UPnP standard.

By CBR Staff Writer

The US Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), along with IT security firm Rapid7, has advised users to disable UPnP, the feature that allows devices and printers to be operated through the internet.

According to researchers from the security firm, several buffer overflow vulnerabilities have been exposed in libupnp, the open source Portable SDK for UPnP, which may allow hackers to gain access to millions of vulnerable devices.

Rapid7 also reported that there were about 40 million to 50 million devices vulnerable over three separate issues with the UPnP standard.

The two most frequently used UPnP software libraries both contained remotely exploitable vulnerabilities. In the Portable UPnP SDK, about 23 million IPs were found to be exposed to remote code execution via a single UDP packet.

Rapid7 security researcher HD Moore said that the firm was able to identify over 6,900 product versions that were vulnerable through UPnP.

"This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself," Moore said.

The flaws could also enable attackers to access secret files, steal passwords, acquire full control over PCs and remotely access devices including webcams, printers and security systems.


The list of devices vulnerable to attackers includes products manufactured by Belkin, D-Link, Cisco Systems’ Linksys division and Netgear.

Linksys said in a statement: "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted."
