Exploiting Universal Plug-n-Play protocol, insecure security cameras & network printers

Jan 30, 2013 | 6 mins
Data and Information Security | Data Center | Enterprise Applications

Attackers are likely happy today. About 50 million IPs are vulnerable to one of the three attacks that exploit flaws in the Universal Plug and Play protocol. Just under 60,000 security cameras are insecure; hackers can take them over thanks to vulnerabilities in 19 companies' digital video recording systems. Lastly, your network printer is just waiting to be hacked.

Flaws in the Universal Plug and Play protocol have left a plethora of devices vulnerable and put around 50 million at risk; somewhere in the neighborhood of 58,000 security camera systems are vulnerable to hacking; and exploitable network printers round out today's list of potential security mayhem.

About “58,000 security camera systems are critically vulnerable to attackers.” A post highlighting DVR insecurity started with SomeLuser from Console Cowboys, the same person who discovered a gaping hole in TRENDnet IP cameras a year ago, many of which are still unpatched and provide a Peeping Tom paradise. This time around, after SomeLuser went through all the technical details of using the security hole to gain access to the Ray Sharp DVR’s configuration, and grabbing the credentials stored in clear text, it was “strike three” which provoked “get this weak sh*t off my network.” SomeLuser pointed to the exploit scripts and summed it up with, “A whole slew of security DVR devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.”

The Metasploit team not only confirmed the security flaws in the Ray Sharp DVR platform, but also identified 18 more companies with nasty bugs in their code: Swann, Lorex, URMET, KGuard, Defender, DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. The DVRs are often used for CCTV systems and security cameras, explained the Metasploit blog. Basically, the vulnerabilities allow “remote unauthorized access to security camera recording systems,” which could allow an attacker to “watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company’s firewall.” Moore also told Forbes, “The DVR gives you access to all their video, current and archived. You could look at videos, pause and play, or just turn off the cameras and rob the store.”

HD Moore wrote, “The Ray Sharp DVR platform supports the Universal Plug and Play (UPnP) protocol and automatically exposes the device to the internet if a UPnP-compatible router is responsible for network address translation (NAT) on the network.” And that leads us to Rapid7’s next big bombshell: three groups of security flaws that highlight the reasons why you should now unplug Universal Plug and Play.

Unplug Universal Plug and Play (UPnP) protocol

Rapid7 released a whitepaper “Security Flaws in Universal Plug and Play” that explains “around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device.”

Moore warned:

We strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments. UPnP is pervasive – it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.

US-CERT released a UPnP Security Advisory, noted Computerworld, as well as:

According to the CERT Program of the Carnegie Mellon University (CMU) Software Engineering Institute, solutions include:
  • Apply an Update: libupnp 1.6.18 has been released to address these vulnerabilities.
  • Restrict Access: Deploy firewall rules to block untrusted hosts from being able to access port 1900/udp.
  • Disable UPnP: Consider disabling UPnP on the device if it is not absolutely necessary.

Rapid7 published three lists of products: those vulnerable to Portable UPnP SDK flaws, those vulnerable to MiniUPnP flaws, and those which expose the UPnP SOAP service to the Internet. Additionally, Rapid7 provided ScanNow UPnP, “a free tool that can identify exposed UPnP endpoints in your network and flag which of those may be remotely exploitable through recently discovered vulnerabilities.” It only supports Windows currently, but Mac OS X and Linux users can use a new module for the Metasploit pen testing framework to detect vulnerable UPnP services running inside a network.
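
One way to do the "identify" step on a network you administer, as an added example that is not code from this article, Rapid7 or CERT: it sends a single SSDP M-SEARCH on the local segment and flags replies whose SERVER header reports a Portable UPnP SDK (libupnp) older than the fixed 1.6.18. The sample replies, function names and verdict strings are constructed for illustration, and the SERVER header is self-reported, so a verdict is a lead to verify rather than proof.

```python
import re
import socket

FIXED_LIBUPNP = (1, 6, 18)  # fixed release named in the CERT advice
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n').encode()
# Constructed sample replies (not captured from real devices).
SAMPLE_OLD = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nSERVER: Linux/2.6.21, "
              b"UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n\r\n")
SAMPLE_FIXED = SAMPLE_OLD.replace(b"/1.6.6", b"/1.6.18")
SAMPLE_MINI = b"HTTP/1.1 200 OK\r\nServer: Linux/3.0 UPnP/1.0 MiniUPnPd/1.0\r\n\r\n"

def parse_ssdp(raw):
    """Return the headers of one SSDP reply as a dict with lower-case names."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def assess(raw):
    """Classify a reply by the SDK its SERVER header reports (self-declared)."""
    server = parse_ssdp(raw).get("server", "")
    m = re.search(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", server, re.I)
    if m:
        version = tuple(int(p) for p in m.group(1).split("."))
        version += (0,) * (3 - len(version))  # "1.6" compares as 1.6.0
        return "update-libupnp" if version < FIXED_LIBUPNP else "libupnp-fixed"
    if "miniupnpd" in server.lower():
        return "check-miniupnp-list"  # compare against Rapid7's product list
    return "upnp-unknown-stack"

def discover(timeout=3.0):
    """Multicast one M-SEARCH on the local segment; map responder IP -> verdict."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MSEARCH, ("239.255.255.250", 1900))
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(4096)
                found[ip] = assess(data)
        except socket.timeout:
            pass  # no more replies within the timeout
    return found

if __name__ == "__main__":
    print(sorted(discover().items()))
```

Every responder is a device with UPnP enabled, so each entry is also a candidate for the "Disable UPnP" and "Restrict Access" steps, whatever its verdict.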

Exploiting Network Printers

With a little help from Google search, Adam Howard, aka @skattyadz, warned there are “about 86,800 results for publicly accessible HP printers.” He added, “There’s something interesting about being able to print to a random location around the world,” before advising that you should “lock down your printer.” On the Sophos security blog Naked Security, Paul Ducklin added, “Printing other people’s viral garbage wasn’t just a security risk, it cost real money in wasted paper and toner.”

We’ve all heard the potential printer hacking horror stories, but according to viaForensics, attackers may find a way to hurt you by hacking your printer. “Today, most printers on the market make use of JetDirect technology. Designed by HP, it allows these devices to easily attach directly to a local area network, allowing the printer to be visible and accessible to other devices and/or users connected to the same network segment.” Researcher Sebastián Guerrero then listed why a printer might be attacked and four vulnerabilities: Bypassing authentication processes, assigning work to system users, generating denial of service, and he even bricked a “TouchSmart” printer.

The “magnitude of the issue” becomes “strikingly clear,” viaForensics suggested, “when we consider the long list of manufacturers whose printers may have security vulnerabilities – Canon, Fujitsu, HP, Konica Minolta, Lexmark, Xerox, Sharp, Kyocera Mita, Kodak, Brother, Samsung, Toshiba, Ricoh, Lanier, Gestetner, Infotek, OCE, OKI  – and look at the number of units they’ve sold in recent years.”

Happy Hump day, hopefully now you don’t have a headache after hearing about the latest ways you could possibly be hacked.


ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.