Universal Plug n Play: New report on an old problem
In the dark ages of personal computers (1980s and '90s), you either needed to be a computer geek or have access to one if you wanted any device to work with your computer. You had to go through a complicated driver installation process and possibly replace system files. If someone who was used to the process of adding a network card to a system today looked at the process of how to do it in 1989, they would swear that the early computer user was practicing witchcraft. Today, when you plug something into your computer it lets you know that it detected something and can either use the default driver (assuming one exists), or you can choose your own. My how the world has changed.
The technology that allows this type of communication between devices is known as Universal Plug and Play (UPnP). It was designed to allow devices on the same network to discover and communicate with one another without complicating the process. It makes adding devices to a network more convenient, but convenience and security are always diametrically opposed. In other words, unlimited (and poorly patched) UPnP devices are ripe feeding grounds for computer hackers who want into your system.
In a recent report released by Rapid7, an Internet security firm, there are approximately 40-50 million devices exposed to the Internet with a host of UPnP vulnerabilities. The real issue is that UPnP was never designed to be exposed to the Internet, and security was never a consideration in its design. On top of that, early versions of it were easy to infiltrate and force the affected devices to run malicious code. Several current devices are still running the vulnerable version of UPnP because their manufacturers did not update the code on their hardware.
Since this blog focuses on the security of retailers, why am I including this report? The simple answer is that if you are running a switch, printer, router or another device that is UPnP enabled, you are potentially exposing your network to computer hackers. If you take credit cards, and have to comply with PCI, then section 6 (which asks about applying security patches), and section 11 (which includes internal vulnerability scans and penetration testing) become much more critical if you have UPnP devices on your network.
The first vulnerability I personally ever read about on UPnP was exposed in 2001; 12 years later, not much has changed on this front. UPnP should not be enabled if you are concerned about security. If you must use it because of how your network is put together or managed, then at least know that you are running the latest versions of the technology that are less vulnerable to attacks. If you are unsure of where you stand, find a modern-day geek (or at least your technology provider) and ask.
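One way to find out where you stand on your own network, as an added example that is not from the original post or from Rapid7: UPnP devices announce themselves over SSDP (UDP port 1900), and each reply carries a SERVER header naming the UPnP stack and version, which is the value to compare against your vendor's patch advisories. The script below sends the standard discovery request on the local network and inventories the replies; the sample reply, its IP address and its stack name are constructed for offline testing, not captured from a real device.

```python
import socket
import time

SSDP_ADDR = ("239.255.255.250", 1900)  # SSDP multicast group/port used by UPnP discovery


def build_msearch(mx: int = 2, st: str = "ssdp:all") -> bytes:
    """Build the SSDP M-SEARCH request that UPnP devices answer."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an HTTP-style SSDP reply into {UPPER-CASE header: value}; {} if malformed."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().upper()] = value.strip()
    return headers


def inventory(responses) -> list:
    """Turn (source_ip, raw_reply) pairs into de-duplicated device records."""
    seen = {}
    for src, raw in responses:
        h = parse_ssdp_response(raw)
        if h:
            seen[(src, h.get("LOCATION", ""))] = {
                "ip": src, "server": h.get("SERVER", "?"),
                "location": h.get("LOCATION", "?"), "usn": h.get("USN", "?")}
    return list(seen.values())


def discover(timeout: float = 3.0) -> list:
    """Send M-SEARCH on the LAN and collect (ip, raw) replies until the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    replies, deadline = [], time.time() + timeout
    while time.time() < deadline:
        try:
            data, (ip, _port) = sock.recvfrom(65535)
            replies.append((ip, data))
        except socket.timeout:
            break
    sock.close()
    return replies


# Constructed sample reply (documentation IP, made-up stack name) for offline use.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
                b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
                b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/1.0\r\n\r\n")

if __name__ == "__main__":
    for dev in inventory(discover()):  # live LAN scan; needs a real network
        print(f"{dev['ip']}: {dev['server']} -> {dev['location']}")
```

A device that answers here is only reachable from inside your network; whether it also answers from the Internet is what the external scans required by PCI section 11 are meant to tell you.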
Brad Cyprus
Bradley K. Cyprus has more than 20 years' experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.