UPnP vulnerabilities

From Embedded Lab Vienna for IoT & Security

Summary

This article describes how UPnP works and which vulnerabilities it has, with particular focus on CallStranger and the Flash attack.

UPnP

The Universal Plug and Play (UPnP) Device Architecture, formerly known as the DCP Framework, provides a comprehensive set of protocols for seamless communication between controllers, known as control points, and devices within a networked environment. These protocols cover device discovery, description, control, event notification and presentation. UPnP is a stack of well-known protocols, managed since 2016 by the Open Connectivity Forum, whose purpose is to offer services in the network automatically, without any configuration by the user. These services range from editing port mappings on a router to switching a heater on or off. To be a complete UPnP device, a device must go through a number of steps.[1]

UPnP Protocol Stack.png[2]

  1. Addressing
    As soon as a device is connected to the network, it searches for a DHCP server for an IP address; if none is found, it assigns itself one by means of Auto-IP.

  2. Discovery
    After an address has been obtained, the device must announce its presence to the network. This is done via an advertisement, sent with HTTPMU (HTTP over UDP multicast) to 239.255.255.250:1900 using the NOTIFY method, with the NTS header field set to ssdp:alive. In addition, devices can also search specifically for other devices or services by means of a discovery request, using the M-SEARCH method. A device responds to a discovery request with an HTTP 200 message.

  3. Description
    The Discovery Response carries a Location header field containing the URL of the UPnP Device Description, which holds vendor-specific information and a list of all services together with their service description URLs. The Service Description describes the actions offered by the device, their arguments, the status variables and the event characteristics. Both documents must conform to the UPnP template language, an XML syntax defined by the UPnP Forum.

  4. Control
    A control point uses the services of a UPnP device by invoking their actions with arguments via an action invocation. This is done with SOAP: an XML SOAP envelope containing the action and its arguments is transmitted in an HTTP POST.

  5. Eventing
    UPnP uses an asynchronous publisher/subscriber model to communicate changes of status variables to control points. For this purpose GENA is used, which, like SOAP, uses HTTP and XML as underlying technologies.

  6. Presentation
    This is an optional step that a vendor can implement so that the device can be controlled and managed via a web interface.
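The discovery step above, as an added example that is not part of the original article: a small parser for SSDP datagrams plus the M-SEARCH request builder, which a passive tool listening on 239.255.255.250:1900 can use to inventory which UPnP devices advertise themselves on the LAN. The sample NOTIFY datagram is constructed.

```python
"""Parse SSDP discovery traffic: NOTIFY advertisements and M-SEARCH requests/responses.
Added example, not from the article; the sample datagram at the bottom is constructed."""

SSDP_ADDR = ("239.255.255.250", 1900)

def build_msearch(search_target="ssdp:all", mx=2):
    """Build the M-SEARCH discovery request a control point multicasts."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {search_target}\r\n\r\n').encode()

def parse_ssdp(raw):
    """Split one datagram into (start line, headers); names are upper-cased. None if empty."""
    head = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0]:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip lines without a colon instead of failing on them
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def classify(raw):
    """Reduce a datagram to what a passive LAN inventory tool would log."""
    parsed = parse_ssdp(raw)
    if parsed is None:
        return None
    start, h = parsed
    if start.startswith("NOTIFY"):
        kind = {"ssdp:alive": "alive", "ssdp:byebye": "byebye"}.get(h.get("NTS"), "notify")
    elif start.startswith("M-SEARCH"):
        kind = "search"
    elif start.startswith("HTTP/1.1 200"):
        kind = "response"  # unicast answer to an M-SEARCH
    else:
        kind = "other"
    return {"kind": kind, "usn": h.get("USN"), "location": h.get("LOCATION"),
            "type": h.get("NT") or h.get("ST")}

# Constructed sample: an ssdp:alive advertisement from an Internet gateway device.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nNTS: ssdp:alive\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\nCACHE-CONTROL: max-age=1800\r\n\r\n"
)
```

Every LOCATION value logged this way is a description URL that an unauthenticated control point can fetch, so the resulting list doubles as the list of devices whose UPnP exposure should be reviewed.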

Security in UPnP

There are many known vulnerabilities and security risks when talking about the UPnP standard. On the Common Vulnerabilities and Exposures (CVE) website, 130 different known vulnerabilities with the keyword "UPnP" can be found. Some state institutions, such as the FBI, have also publicly recommended disabling UPnP altogether; the reason given on the FBI website is that there are UPnP exploits which allow access to various IoT devices. It is not only these known vulnerabilities that make security such an important issue for UPnP: the standard also has general weaknesses by design. In some steps of UPnP networking there is no verification, no integrity check and no access control, and some UPnP SDKs can be exploited. In general, security and authentication are not provided by default under UPnP. For this reason UPnP devices should not be connected directly to the Internet or otherwise be reachable from outside the local network. However, as an add-on, UPnP does offer a certain level of security and authentication, namely with the Device Protection profile and with the security mechanisms of the two profiles Device Security and Security Console. These offer security through role management and authentication.

UPnP Security Risks and Common Attack Types

UPnP, while streamlining device connectivity, harbors inherent security risks. A key concern is the lack of service verification, enabling any network participant to advertise or utilize services without proper validation. This vulnerability opens the door to service misrepresentation, potentially leading to unauthorized network access or device manipulation.

Another significant risk is the absence of access control for action invocations. Devices within UPnP networks can invoke actions without proper authentication, leading to unauthorized control over network services. This vulnerability is particularly concerning given UPnP's widespread use in various devices.

There are specific attack types exploiting UPnP vulnerabilities:

  • Forged Advertisements: Attackers can send fake service advertisements, misleading other network devices.
  • Fake Discovery Messages: Malicious entities can generate deceptive discovery messages, potentially leading to unauthorized network access.
  • Denial of Service (DoS) Attacks: UPnP's openness can be abused to overload networks or devices, disrupting their normal operations.
  • Reflection and Amplification Attacks: Exploiting UPnP's discovery and response mechanism, attackers can amplify traffic, impacting broader network infrastructure.
  • Control Mechanism Exploits: Due to the lack of robust security in control protocols, attackers can manipulate network services or devices.

These vulnerabilities underscore the critical need for enhanced security measures in UPnP implementations, ensuring safer network environments.

CallStranger Attack

CVE-2020-12695 is a vulnerability in the UPnP 1.1 architecture, specifically affecting the CALLBACK header of the SUBSCRIBE function. This header tells the device where to send its event messages. According to the UPnP specification, several URLs can be given, which are tried one after another until one accepts the connection. Because of this design flaw, an attacker can:

  • exfiltrate data
  • launch denial of service attacks
  • scan internal ports

However, only devices whose UPnP subscription function is reachable from outside are affected, not those that are only reachable within the local network. The vulnerability no longer exists in UPnP 2.0, since the CALLBACK header there only accepts private IP addresses.

Upnp callstranger.jpg[3]
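The CALLBACK restriction that UPnP 2.0 introduced, written out as an added example that is not part of the original article: the header's bracketed URL list is parsed and every URL whose host is not a literal private address is refused. The sample header is constructed, and refusing hostnames, loopback and link-local addresses is this example's own policy, not something the article states.

```python
"""Validate the CALLBACK header of a UPnP SUBSCRIBE request as UPnP 2.0 requires
(private addresses only). Added example, not from the article; the sample header is constructed."""
import ipaddress
from urllib.parse import urlsplit

def parse_callback_header(header):
    """CALLBACK carries one or more URLs, each in angle brackets: <url1><url2>..."""
    urls, rest = [], header.strip()
    while rest.startswith("<"):
        end = rest.find(">")
        if end < 0:
            break
        urls.append(rest[1:end])
        rest = rest[end + 1:].strip()
    return urls

def is_acceptable_callback(url):
    """Accept only http:// URLs whose host is a literal private (RFC 1918 / ULA) address.
    Hostnames are refused because they cannot be checked without a DNS lookup (policy
    chosen here), and loopback is refused so the device cannot be made to call itself."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return addr.is_private and not addr.is_loopback and not addr.is_link_local

def filter_callback_urls(header):
    """Return (accepted, rejected) URL lists for one CALLBACK header value."""
    accepted, rejected = [], []
    for url in parse_callback_header(header):
        (accepted if is_acceptable_callback(url) else rejected).append(url)
    return accepted, rejected

# Constructed sample: a CallStranger-style header mixing an Internet host, a loopback
# target on the device itself and one legitimate control point on the LAN.
SAMPLE_CALLBACK = ("<http://1.2.3.4:8080/collect>"
                   "<http://127.0.0.1:22/>"
                   "<http://192.168.1.20:49152/notify>")
```

A device that applies this filter still has to reject the whole SUBSCRIBE (UPnP error 412 Precondition Failed) when no URL survives, rather than silently subscribing nobody.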

UPnP Flash Attack

Adobe Flash can load external data using the URLRequest method. This attack makes use of this method by using it to perform UPnP discovery requests or action invocations on the local network of the victim who has executed this Flash program. In principle, an attacker could use this vector for all UPnP operations. An example would be adding a port mapping to an external IP to an Internet gateway device to give a malicious actor access to the local network.

Adobe Flash's URLRequest method can be exploited in UPnP environments, leading to Flash attacks. These attacks are further exacerbated by Cross-Site Request Forgery (CSRF) vulnerabilities. CSRF exploits can trick a user's browser into executing unwanted actions in a different website where they're logged in. In the context of UPnP, this could lead to unauthorized network changes or device manipulations without the user's knowledge, making CSRF a significant threat in conjunction with Flash-based UPnP attacks.[4]

CSRF-Attack.png[5]
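An added example (not from the article) of a check a gateway, or a monitoring proxy in front of it, can apply to the AddPortMapping action the attack above relies on: it flags requests that expose a host other than the requester, requests from outside the LAN, and permanent mappings. The LAN range is assumed and the SOAP body is constructed.

```python
"""Audit a UPnP IGD AddPortMapping action (SOAP over HTTP POST) before honouring it.
Added example, not from the article; the SOAP body below is constructed."""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN behind the gateway

def parse_add_port_mapping(soap_xml):
    """Return the AddPortMapping arguments as a dict, or None for any other action."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0 or not body[0].tag.endswith("}AddPortMapping"):
        return None
    return {child.tag.split("}")[-1]: (child.text or "").strip() for child in body[0]}

def audit_add_port_mapping(soap_xml, requester_ip):
    """Policy applied here: only LAN hosts may add mappings, and only for themselves."""
    args = parse_add_port_mapping(soap_xml)
    if args is None:
        return ["not an AddPortMapping request"]
    findings = []
    if ipaddress.ip_address(requester_ip) not in LAN:
        findings.append(f"request from outside the LAN: {requester_ip}")
    target = args.get("NewInternalClient", "")
    if target != requester_ip:
        findings.append(f"mapping exposes {target} but was requested by {requester_ip}")
    if args.get("NewLeaseDuration") == "0":  # 0 means the mapping never expires
        findings.append("permanent mapping requested (NewLeaseDuration 0)")
    return findings

# Constructed sample: the request a CSRF/Flash page could make a victim's browser send,
# exposing TCP 3389 of another LAN host on the gateway's public side.
SAMPLE_REQUEST = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>rdp</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"""
```

The "requested by" finding is the one that catches the browser-relayed variant: the victim's browser sends the request from its own LAN address, but the attacker-chosen NewInternalClient points elsewhere.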

Mirai Botnet

A real-world example of a large-scale UPnP attack is the Mirai botnet, which was discovered in 2018. In this attack, hundreds of thousands of routers across the Internet were scanned, and the attack software searched for exposed Telnet ports that had been opened by UPnP. The attackers brute-forced the default passwords of the devices and added them to the botnet, which was then used to launch large-scale DDoS attacks that shut down some target servers. A simplified depiction of a DDoS attack with the Mirai botnet can be seen in the picture below.

Mirai-botnet-diagram.png[6]

Enhancing UPnP Security

In light of these risks, it is imperative to adopt improved security practices in UPnP networks. Developers and network administrators are encouraged to implement rigorous validation and authentication mechanisms. Regular firmware updates, disabling UPnP features when not needed, and isolating critical devices on separate network segments are recommended strategies to mitigate these vulnerabilities.

Port Forwarding Alternatives

Besides UPnP, there are other protocols for managing network ports, like NAT-PMP and PCP.

NAT-Port Mapping Protocol (NAT-PMP)

Developed by Apple, NAT-PMP is used on Apple devices and some routers. The NAT Port Mapping Protocol empowers client hosts to request the creation of inbound mappings, providing them with enhanced connectivity similar to devices connected directly to the open public Internet, thereby facilitating their accessibility to peers on the web. The client sends a request to the NAT device to create a port mapping, and the NAT device responds with the external IP address and port that can be used to access the internal device or service from the Internet. NAT-PMP is primarily used for peer-to-peer applications and online gaming on Apple devices and uses UDP messages to communicate between the client device and the NAT device. It simplifies the process of setting up port forwarding by automating the configuration on the NAT device.[7]
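The NAT-PMP exchange just described, as an added example that is not taken from the article: a client encodes the UDP mapping request and decodes the gateway's reply according to the RFC 6886 packet layout, which is what an inventory or audit tool needs in order to see which inbound mappings a gateway has granted. The response bytes are constructed, not captured from a real gateway.

```python
"""Encode NAT-PMP (RFC 6886) requests and decode responses. Added example, not from the
article; the response bytes below are constructed, not captured from a real gateway."""
import struct

NATPMP_PORT = 5351
OP_EXTERNAL_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}

def build_mapping_request(proto, internal_port, external_port=0, lifetime=7200):
    """12-byte mapping request: version 0, opcode, reserved, ports, requested lifetime."""
    op = OP_MAP_UDP if proto == "udp" else OP_MAP_TCP
    return struct.pack("!BBHHHI", 0, op, 0, internal_port, external_port, lifetime)

def build_external_address_request():
    """2-byte request for the gateway's public IPv4 address."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDR)

def parse_response(data):
    """Decode either response type; responses carry the request opcode with bit 7 set."""
    if len(data) < 8 or data[0] != 0 or not data[1] & 0x80:
        raise ValueError("not a NAT-PMP response")
    op = data[1] & 0x7F
    result, epoch = struct.unpack("!HI", data[2:8])
    out = {"opcode": op, "result": RESULT_CODES.get(result, f"unknown({result})"),
           "seconds_since_epoch": epoch}
    if op == OP_EXTERNAL_ADDR and len(data) >= 12:
        out["external_ip"] = ".".join(str(b) for b in data[8:12])
    elif op in (OP_MAP_UDP, OP_MAP_TCP) and len(data) >= 16:
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        out.update(internal_port=internal, external_port=external, lifetime=lifetime)
    return out

# Constructed: gateway confirms TCP 22 mapped to external port 60022 for one hour,
# i.e. exactly the kind of inbound exposure an auditor wants to inventory.
SAMPLE_MAP_RESPONSE = struct.pack("!BBHIHHI", 0, 0x80 | OP_MAP_TCP, 0, 123456, 22, 60022, 3600)
SAMPLE_ADDR_RESPONSE = struct.pack("!BBHI4B", 0, 0x80, 0, 123456, 198, 51, 100, 7)
```

Note that the reply may grant a different external port than the one suggested, so the mapped port reported by the gateway, not the requested one, is what should be recorded.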

Port Control Protocol (PCP)

The IETF-standardized PCP is a versatile protocol supporting dynamic port allocation and the management of multiple external IP addresses. It is a general-purpose protocol for all kinds of applications requiring port mapping and NAT traversal. PCP allows applications to establish mappings from external IP addresses, protocols and ports to their internal counterparts, which are essential for successful inbound communication to devices behind NAT or firewalls. Even though PCP creates these mappings, it does not handle the communication of IP addresses, protocols and ports to remote computers; that remains application-specific. PCP also reduces the need for the frequent NAT keepalive messages sent by many NAT-friendly applications, helping to conserve bandwidth, server traffic and battery on mobile devices. Lastly, PCP discourages the use of Application Layer Gateways (ALGs) within NATs by allowing applications to create their own mappings, thereby facilitating protocol evolution.[8]
