ZyXEL Communications P-335WT User Manual, Page 11

Internet Gateway Device specification!), but for some reason these changes never
made it upstream to Broadcom, or were never incorporated by Broadcom.
Broadcom was notified of the problem on March 3, but no reply was given before
the deadline for this paper expired.
4.3 Using UPnP to create random chaos
Aside from adding a portmapping, other actions can be performed on an Internet
Gateway Device, including deleting portmappings. Deleting existing portmappings
can disrupt the correct working of programs.
In this paper the focus is on the Internet Gateway Device profile in general and the
WANIPConnection and WANPPPConnection profiles in particular. There are probably
a lot of other opportunities for malice with the other standard profiles, but I have
not tried to hack them, because of lack of devices.
Hacks that come to mind are abusing the LANDevice profile and especially the
LANHostConfigManagement subprofile to shut down routers, inject false router
or DNS information, or add bogus printers. Devices that implement these devices
seem to be a bit rarer than devices that implement the WANIPConnection or
WANPPPConnection profiles. Even though both subprofiles are part of the Internet
Gateway Device profile, not all the subprofiles of the LANDevice subprofile
have to be implemented, whereas it is mandatory to implement WANIPConnection
or WANPPPConnection.
More spectacular hacks would be to abuse HVAC controls with UPnP (these devices
are rarely ever seen in the wild, although there is a UPnP profile for them), or remotely
control IP cameras, of which some seem to be using the UPnP AV profile.
5 Other UPnP hacks
UPnP has been in the news a few times in the context of hacking ([10], [11], [14]),
mainly in December 2001 when several worms took advantage of the UPnP ports on
Windows client machines via a buffer overflow[12]. The advice for countering this
threat was to turn off UPnP services on the client machines. Another hack was a
Denial of Service Attack on a machine, which would be swamped with notification
messages if other machines sent out tons of fake discovery messages[13].
6 The UPnP Device Security profile
Even though by default there is no security in UPnP, that doesn't mean that it
was completely ignored by the UPnP forum. In fact, a security mechanism that
devices can implement was developed. There are two profiles, SecurityConsole
and DeviceSecurity. A device that implements the SecurityConsole serves as
some sort of central hub where other devices can request a security policy. The
system is based on PKI.
None of the devices that were tested implement the standard security profile that is
available in the UPnP specifications, or at least, don’t enable it. The source code for
some of the Asus machines (such as the WL500g) actually contains some code for
the DeviceSecurity profile, but it doesn’t seem to be used. An extensive search
on the Internet also didn’t come up with any devices that use any of these profiles.
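An administrator can make the same observation about their own gateway by reading its UPnP device description and listing which of the profiles named above it advertises. The following is an added example, not code from the paper: the sample description is constructed, the function names are hypothetical, and an advertised DeviceSecurity service only shows the profile is present, not that it is enabled.

```python
import xml.etree.ElementTree as ET

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
# Profiles named in the text that accept state-changing actions.
SENSITIVE = {"WANIPConnection", "WANPPPConnection", "LANHostConfigManagement"}

# Constructed sample description, not captured from a real device.
SAMPLE = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
  </service></serviceList>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    </service></serviceList>
   </device></deviceList>
  </device></deviceList>
 </device>
</root>"""

def list_services(xml_text):
    """Return (device name, service name) pairs, walking nested deviceLists."""
    found = []
    def walk(dev):
        dtype = dev.findtext("d:deviceType", "", NS).split(":")
        dname = dtype[3] if len(dtype) > 3 else "?"
        for st in dev.findall("d:serviceList/d:service/d:serviceType", NS):
            parts = (st.text or "").strip().split(":")
            if len(parts) > 3:
                found.append((dname, parts[3]))
        for child in dev.findall("d:deviceList/d:device", NS):
            walk(child)
    for dev in ET.fromstring(xml_text).findall("d:device", NS):
        walk(dev)
    return found

def audit(xml_text):
    # Finding: a state-changing profile is advertised without DeviceSecurity.
    names = {svc for _, svc in list_services(xml_text)}
    exposed, has_sec = sorted(names & SENSITIVE), "DeviceSecurity" in names
    return {"exposed": exposed, "device_security": has_sec,
            "finding": bool(exposed) and not has_sec}

if __name__ == "__main__":
    print(audit(SAMPLE))
```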