According to a security advisory recently issued by the CERT at the Software Engineering Institute at Carnegie Mellon University, security vulnerabilities in UPnP are exposing millions of home networking devices at risk for cyber attacks. The problem resides in the UPnP that lacks sufficient authentication mechanisms. “Home routers implementing the UPnP protocol do not sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures.” states the advisory. “Poor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. If the guess is correct, the attacker may utilize UPnP to make changes to the home router’s configuration such as opening ports and enabling services that allow an attacker further access to the network. A correct guess is likely, due to many manufacturers’ use of standardized UPnP Control URL names.”
View full story