I wrote a story today about how attackers could take advantage of the way Flash and Universal Plug and Play work to launch a man-in-the-middle attack against the majority of home routers, which are UPnP enabled.

It's an interesting, but pretty complicated attack, so I asked Petko Petkov — one of the researchers who first reported it — to answer a couple of follow-up questions on his work (he has posted a FAQ on the subject here). Here's what he said.

Q – For this to work, would an attack have to target specific routers?

Petko Petkov – Yes, although the attacker can include exploits for several router models and try them all. One of them may succeed.

Q – Routers are interesting because of the MITM attack, but do you expect to see attacks on printers, digital home centers, etc.?

Petkov – Yes. With time, these devices will become more prevalent in our homes. If vendors keep shipping them with UPnP turned on, attackers will start exploiting the given opportunities. Who knows, one day you might be able to control your TV via this protocol. If it is not happening already.

Q – I'm still really unclear on how this cross-industry issue could be fixed. Why couldn't Adobe just change Flash to not allow this?

Petkov – It is not a Flash problem. Flash still complies with the Same Origin Policies, which are the security settings enforced by all browsers. On the other hand, Flash makes the exploitation process trivial since it allows the attacker to specify their own HTTP headers and XML request body.

Q – So what do you see as the fix? Just not enabling UPnP on devices by default? That seems like a hardship for users.

Petkov – There are two things that could happen. Either users and vendors take UPnP more seriously, or Adobe blocks the SOAPAction header, which is crucial for the exploit to work. Both methods have advantages and disadvantages. Although the second seems to be easier, keep in mind that having UPnP enabled is a risk on its own and it just asks for trouble.
The same attack can be performed in combination with DNS rebinding attacks. Though I would like to highlight that it is not a Flash issue.

–Robert McMillan
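The interview turns on the SOAPAction header, so here is an added illustration (not code from Petkov's research or from any vendor) of a device-side or proxy-side check that separates a native UPnP control request from one issued on behalf of a web page. It assumes the browser or plug-in discloses the embedding page in `Origin` or `Referer`, so a missing header does not prove a request is local; the control path `/upnp/control`, the port and the sample requests are constructed.

```python
# Added example: classify HTTP requests that reach a UPnP control endpoint.
# All sample requests below are constructed for illustration.
from urllib.parse import urlsplit

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # value may itself contain ':'
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def classify(raw: str) -> str:
    """Return 'not-soap', 'soap-local' or 'soap-cross-site' for one request."""
    method, _path, headers = parse_request(raw)
    if method != "POST" or "soapaction" not in headers:
        return "not-soap"
    host = headers.get("host", "").split(":")[0].lower()
    # Assumption: a request made for a web page names that page in Origin or
    # Referer, while a native UPnP control point sends neither header.
    for name in ("origin", "referer"):
        source = headers.get(name)
        if source and (urlsplit(source).hostname or "").lower() != host:
            return "soap-cross-site"
    return "soap-local"

def _req(*lines: str) -> str:
    return "\r\n".join(lines) + "\r\n\r\n"

SOAP = ('SOAPAction: "urn:schemas-upnp-org:service:'
        'WANIPConnection:1#GetExternalIPAddress"')
POST = "POST /upnp/control HTTP/1.1"   # hypothetical control path
HOST = "Host: 192.168.1.1:5000"        # constructed device address
NATIVE = _req(POST, HOST, SOAP)
FROM_PAGE = _req(POST, HOST, SOAP, "Referer: http://example.test/movie.swf")
SAME_HOST = _req(POST, HOST, SOAP, "Referer: http://192.168.1.1:5000/setup")
PLAIN = _req("GET / HTTP/1.1", HOST)

if __name__ == "__main__":
    for label, raw in [("native", NATIVE), ("from page", FROM_PAGE),
                       ("same host", SAME_HOST), ("plain GET", PLAIN)]:
        print(f"{label:10s} -> {classify(raw)}")
```

A device that rejects the `soap-cross-site` case is enforcing on its own side what Petkov describes Adobe doing by blocking the SOAPAction header; as he says, leaving UPnP enabled remains a risk either way.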