U.S. CERT advises consumers and businesses to disable networking protocol that permits many electronics to discover each other on a network

Manufacturers are being blamed for the security risks customers face from major flaws in the implementation of the UPnP standard that leaves tens of millions of network-enabled devices open to cyberattacks.

Security vendor Rapid7, which released a white paper on the vulnerabilities on Tuesday, says manufacturers do a miserable job at releasing timely firmware updates to fix security problems. Manufacturers whose products are affected by the UPnP vulnerabilities include Cisco-owned Linksys, Netgear, Belkin and D-Link.

“You have to keep in mind their business model. These are companies that make their money by every six months based on shipping their next round of devices,” said HD Moore, chief security officer for Rapid7. “After two or three years from the first time they launched the device, it’s really not worth the time or effort to maintain firmware updates for it.”

Netgear declined to comment, while Belkin and D-Link did not respond to emails. Linksys said it was aware of the problem and advised customers to go to its website to find out whether their home router was affected and to learn how to disable UPnP.

UPnP is a set of networking protocols that permits many consumer electronics to discover each other on a network. At that point, the devices can establish network services for data sharing, communication, media streaming and media playback control.

The protocols are designed for use in closed home networks. However, a misconfiguration of the UPnP protocol exposed many wireless routers, printers, media servers, IP cameras and smart TVs to cyberattacks, Rapid7 said. A scan of the Internet from June to November last year found more than 80 million devices that responded to UPnP discovery requests, Rapid7 said.
Tens of millions of the devices were susceptible to cyberattack as a result of any one of several vulnerabilities.

[In depth: Seven deadly sins of home office security]

In general, device manufacturers change hardware in products whenever they find cheaper components. At the same time, they only support product configurations that they are currently shipping, Moore said. As a result, products seldom get maintenance support for longer than one or two years, leaving it up to users to search for firmware updates, if they are even available.

“For the most part, once the device has been out there for a year or two, the vendor stops maintaining it, with some exception for devices that are more popular than others,” Moore said. “I was talking to a vendor yesterday that said, ‘If we’re not shipping it; we’re not supporting it.’”

The UPnP problem affects primarily consumers and small businesses, which are the primary buyers of the products. One way to prevent exposure to attackers is to find the configuration tools that ship with the device and manually disable UPnP.

A more comprehensive solution would be to have Internet service providers block the port used by UPnP to discover devices over the Internet. However, ISPs are unlikely to take such a step without pressure from customers. On Tuesday, the U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, advised consumers and businesses to disable UPnP.

Device manufacturers have been criticized before for failing to quickly patch vulnerabilities. Makers of Android tablets and smartphones are notoriously slow at distributing updates of the Google mobile platform. As a result, Android has become a primary target for mobile malware.