Unplug Universal Plug And Play: Security Warning

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/security/vulnerabilities/unplug-universal-plug-and-play-security/240147226

By Mathew J. Schwartz
InformationWeek
January 29, 2013

More than 23 million Internet-connected devices are vulnerable to being 
exploited by a single UDP packet, while tens of millions more are at risk of 
being remotely exploited.

That warning was issued Tuesday by vulnerability management and penetration 
testing firm Rapid7, which said its researchers spent six months studying how 
many universal plug and play (UPnP) devices are connected to the Internet -- 
and what the resulting security implications might be. The full findings have 
been documented in a 29-page report, "Security Flaws In Universal Plug and 
Play."

"The results were shocking, to the say the least," according to a blog post 
from report author HD Moore, chief security officer of Rapid7 and the creator 
of the open source penetration testing toolkit Metasploit. "Over 80 million 
unique IPs were identified that responded to UPnP discovery requests from the 
Internet."

UPnP is a set of standardized protocols and procedures that are designed to 
make network-connected and wireless devices easy to use. Devices that use the 
protocol -- which is aimed more at residential users rather than enterprises -- 
include everything from routers and printers to network-attached storage 
devices and smart TVs.

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org