Attack UPnP - The Useful plug and pwn protocol


Type of lecture: lecture
Language: EN
Held on 2011-06-18 14:20:00 (length: 50 min)
Location: Area 1

Universal Plug and Play (UPnP) can be described as a set of networking protocols that allow seamless discovery of, and communication between, UPnP devices. Data sharing is only the beginning of UPnP's remit; in some cases UPnP devices can make permanent configuration changes to one another. The aim is a hassle-free configuration environment that gives users the 'just works' feeling of plug-and-play hardware. However, hassle-free configuration can ultimately mean hassle-free hacking.
The talk looks at how an attacker can deploy a series of incredibly simple yet effective attacks against a wide range of UPnP devices, such as the routers found in many homes today, and why those very routers are ill equipped to defend against them. With one simple command it is possible to map an internal port to an external port without authentication and without leaving a trace in the router's access logs, attacking the very fabric of UPnP's implementation to gain a very real presence on a network.
Early in 2008 researchers from the information security think tank GNUCitizen.Org developed a blended attack against British Telecom's Home Hub routers. The attack used a Flash-based XSS attack to change the Home Hub's DNS settings. Redirecting a router's DNS requests to an outside server is a trivial process, especially as no authentication is required. In 2009 the Conficker worm also used UPnP to break through NAT and aid its propagation, yet we still see very little in the way of mitigation or countermeasures against these threats.
It's easy to see why many technically minded people argue for turning this protocol off; however, it is not always as simple as it would first appear. Much functionality of very popular devices and applications would be lost, and disabling it is not the most user-friendly process ever invented. With the same technology set to be used in the smart homes of the future, the threat can only become bigger.

Arron M Finnon, aka 'finux', is now a full-time student on the University of Abertay Dundee's Ethical Hacking and Countermeasures BSc course, and has been involved with ethical hacking for a little over 4 years. After spending some time as an independent security consultant and researcher, in 2010 finux returned to university to resume his studies. During the past 4 years, finux has produced a number of talks and delivered them throughout the UK, in addition to pursuing his passion for podcasting. During his podcasting career he has produced over 40 shows, predominantly focused on security concepts and its practitioners. In 2009 he was awarded the SICSA Student Open Source Award for his advocacy of Free and Open Source software.
He now runs a weekly podcast show about technology and security matters named Finux Tech Weekly, which can be found at

Attached files: All slides in pdf format