Not exactly environmental news; however, I thought it was interesting and worth sharing.
Almost all, or maybe even all, manufacturers of routers that provide UPnP functionality use an open source library called libupnp in their router software. However, in early 2013 this library was found to have some defects. Moreover, this library is also used in network devices from several vendors, as well as in media streaming and file sharing applications and digital DVRs, so basically in any network-connected device, even a lot of printers.
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.
In January 2013 the security company Rapid7 in Boston reported on a six-month research programme. A team scanned for signals from UPnP-enabled devices announcing their availability for internet connection. Some 6900 network-aware products from 1500 companies at 81 million IP addresses responded to their requests. 80% of the devices are home routers; others include printers, webcams and surveillance cameras. Using the UPnP protocol, many of those devices can be accessed and/or manipulated.
In February 2013, the UPnP forum responded in a press release by recommending the use of more recent versions of the UPnP stacks in use, and by improving the certification program to include checks to avoid further such issues.
Apply an update: libupnp 1.6.18 has been released to address these vulnerabilities.
Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp.
Consider disabling UPnP on the device if it is not absolutely necessary.
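To check a device you administer against the fixed release, the added example below (not part of the original post) parses an SSDP response and compares the advertised libupnp version with 1.6.18. It assumes libupnp identifies itself in the SERVER header as "Portable SDK for UPnP devices/x.y.z"; the function names and sample responses are constructed for illustration.

```python
import re
import socket

FIXED = (1, 6, 18)  # libupnp release the page names as the fix
# Assumption: libupnp announces itself with this SERVER product token
SDK_RE = re.compile(r"Portable SDK for UPnP devices\s*/\s*(\d+)\.(\d+)\.(\d+)", re.I)

# Constructed sample responses, not captured from real devices
OLD = ("HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
       "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n\r\n")
PATCHED = OLD.replace("1.6.6", "1.6.18")
OTHER = "HTTP/1.1 200 OK\r\nServer: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n"


def server_header(response):
    """Return the SERVER header value of an SSDP response, or None."""
    for line in response.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def libupnp_version(response):
    """Return the advertised libupnp version as a tuple, or None."""
    m = SDK_RE.search(server_header(response) or "")
    return tuple(int(part) for part in m.groups()) if m else None


def assess(response):
    """Classify a response as 'update', 'ok' or 'unknown'."""
    version = libupnp_version(response)
    if version is None:
        return "unknown"  # other stack or hidden banner; not proof of safety
    return "update" if version < FIXED else "ok"


def probe(host, timeout=2.0):
    """Send one unicast M-SEARCH to 1900/udp; return the reply or None."""
    msg = (f"M-SEARCH * HTTP/1.1\r\nHOST: {host}:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 1\r\n'
           "ST: upnp:rootdevice\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(msg, (host, 1900))
            return s.recvfrom(2048)[0].decode("latin-1")
        except OSError:  # timeout or unreachable: nothing answered
            return None
```

Running `probe` against your own router from the untrusted side of the firewall should return `None` once 1900/udp is blocked; from the LAN, pass its result to `assess`.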