UPnP — in a perfect world it would have been the answer to many connectivity headaches as we add more devices to our home networks. But in practice it the cause of a lot of headaches when it comes to keeping those networks secure.

It’s likely that many Hackaday readers provide some form of technical support to relatives or friends. We’ll help sort out Mom’s desktop and email gripes, and we’ll set up her new router and lock it down as best we can to minimise the chance of the bad guys causing her problems. Probably one of the first things we’ll have all done is something that’s old news in our community; to ensure that a notorious vulnerability exposed to the outside world is plugged, we disable UPnP on whatever cable modem or ADSL router her provider supplied.

YouTube Shenanigans

Turning off the enabled-by-default UPnP in an older BT HomeHub pulled from the surplus router pile.
Turning off the enabled-by-default UPnP in an older BT HomeHub pulled from the surplus router pile.

You would think that with an inglorious history of UPnP exploits the days of routers automatically having it enabled would be behind us, but we’ve had a reminder from an unexpected source that this may not be the case. YouTube stars PewDiePie (controversial Swedish game reviewer and comedian) and T-Series (Indian record label) are duking it out for the coveted crown of most annoying most subscribers.  Fans of the Swede have it seems turned to nefarious tactics, first spamming the world’s exposed network printers, and most recently playing his videos on countless connected media players and televisions. It’s here that we meet once more our old friend UPnP, because in the most widely publicised of these attacks it is used by the miscreants as a vulnerability through which they can access Google’s Chromecast players.

Peeling Away the So-Called Hack

The media are of course reporting it as the work of elite hackers, no doubt wearing hoodies and dark glasses while feverishly banging out code on a green screen monitor. The truth is a little less glamorous and lies in a fortuitous confluence of wide open doors, owing more to simply taking up an opportunity gifted to them than it does to any notion of 1337 5k1lz. To unpick it we need to stand back and take a look at the protocols involved.

We know what hackers look like because the BBC had some on the telly just before Christmas!
We know what hackers look like because the BBC had some on the telly just before Christmas!

Universal Plug And Play is a protocol designed to ensure that networked devices for the home automatically discover each other and Just Work. Its intent is to free a non-technical home user from manual network configuration, and it does so by allowing devices to announce themselves with a standard XML device description containing information on their capabilities and the URLs required to access them. By its very nature it is a wide-open protocol with little in the way of security, instead it relies upon being connected to private home networks.

Many routers have historically enabled UPnP access to the Internet by default, meaning both that vulnerabilities within it can be exploited, and that devices with poor security can use it to request open ports to the outside world. The solution comes in turning off UPnP access in the router as we mentioned above, but sadly even this step is beyond most home users. Regular Hackaday readers will recall our reporting upon this topic before, the last time it made the more general news services.

Sure, Anyone Can Use My TV!

The BishopFox RickMote automated Chromecast hijacker from 2014. (GPL3.0)
The BishopFox RickMote automated Chromecast hijacker from 2014. (GNU GPL 3.0)

Behind this relatively weak line of defence lies the Chromecast. A convenient way to network your television using your phone or tablet as a client, it owes its ease of use to UPnP and is thus very straightforward to persuade to play a YouTube video for anyone with access to the network on which it sits. There is nothing new in exploiting it, so breathless media descriptions of an uber-hack are misplaced.

Given that so many home routers still have UPnP enabled and that a connected television is no longer the cutting-edge oddity it might have been a few years ago, it’s likely that the PewDiePie videos are but the thin end of the wedge. In the printer story linked above, our colleague Tom Nardi quipped an emerging industry of shady companies offering so-called printer advertising, add invasive advertising on the connected TV space to that undesirable future vision. When this happens we will no doubt see a lot of indignation, but the sad truth is that beyond pressing for as many people as possible to close down UPnP on their routers there is likely to be little that can be done about it.

Manufacturers often do not care about their obsolete products so are unlikely to release firmware updates fixing the problem on affected routers, and even if they did produce such updates there would in most cases be a requirement for them to be installed manually. We’d like to think that currently shipping routers do not have UPnP enabled by default and that a few years of hardware replacement cycles would make the problem disappear, but we have no evidence this is the case and somehow we suspect that might be a little much to hope for. Meanwhile all we can do is make as much noise about it as possible, keep the routers around us up-to-date and as secure as we can, and look smug-as-heck next time the story breaks into the public consciousness.

Header image: First-generation Chromecast, Ericajoy (CC BY-SA 2.0) .

UPnP, Vulnerability As A Feature That Just Won’t Die
Source: HackADay