UPnP is short for Universal Plug and Play. UPnP is an architecture that defines peer-to-peer connectivity of PCs and intelligent devices (or instruments). Built upon Internet standards and technologies (such
as TCP/IP, HTTP, and XML), UPnP allows such devices to connect to and collaborate with each other automatically, thus making it possible for the network (especially home networks) to be accessible to more people. Therefore, many routers have this service that is publicly available. Within the UPnP protocol stack, Simple Service Discovery Protocol (SSDP) is used to discover devices in the local area network (LAN) and Simple Object Access Protocol (SOAP) is used for device control. For more basic knowledge of UPnP and vulnerability introduction, refer to NSFOCUS’s 2018 Annual IoT Security Report 1.
As for devices with the UPnP SSDP service publicly available, China, South Korea, Venezuela, the USA, and Japan had the most such devices exposed. Meanwhile, we found that devices exposed in Russia registered a decrease of 84% as compared to 2018. It is estimated that related Russian authorities had pushed forward UPnP governance.
46.9% of UPnP devices made the SOAP service accessible and 61% of the devices contained mediumrisk or above vulnerabilities. Attackers could exploit these vulnerabilities to take full control of these devices or launch attacks to cause them to crash.
Of 390,000 devices with port mapping publicly accessible, a total of 63,000 devices were found to be affected by more than one type of malicious behavior and some suffered several kinds of intrusions.
Up to 45,000 devices experienced intranet intrusions and approximately 30,000 were detected to be broken into by a malicious proxy. Figure 7-12 shows the global distribution of devices with or without port mapping publicly accessible and the global distribution of such devices infected or uninfected with malicious behavior. China was home to the most devices with port mapping exposed and most devices infected with malicious behaviors.
We captured four kinds of UPnP exploits1 , as listed in Table 7.4. Apparently, all the exploits targeted remote command execution vulnerabilities. Besides, we found that when this vulnerability occurred at a specific port, attackers usually directly attacked this port by skipping the UPnP discovery phase.
Upon deduplication of source IP addresses indicated in UPnP logs, we found that about 29.6% of IP addresses exploited UPnP vulnerabilities. We analyzed the global distribution of source IP addresses and discovered that China was home to the most attack sources. Our further analysis revealed that 90% of attacks in China were sourced from Taiwan and China Mainland had attack sources of the same order of magnitude as Russia and the USA.
To be continued.
