A networking loophole has made it easy to have a peek at what everyone else is doing by accessing cameras connected to the internet

UNIVERSAL Plug and Play was never meant to be quite so universal. UPnP software was designed to let cameras, printers, digital video recorders and games consoles automatically discover each other’s presence on a network, saving users the hassle of setting them up separately. But last week it emerged that it has instead been quietly making tens of millions of such devices accessible – and in many cases controllable – via the internet.

It means, for instance, that video feeds from CCTV cameras or webcams can be watched at leisure by anybody from peeping Toms to burglars. Scanned documents can be read by strangers, and mischievous hackers with a grudge against an organisation can repeatedly send huge jobs to its printers. In a gift to criminals, CCTV footage recorded on digital video recorders can even be deleted.

UPnP’s exposure was highlighted last week when information-security company Rapid7 in Boston reported on a six-month research programme. Between June and November last year, a team continually scanned for signals from any UPnP-enabled devices announcing their availability for internet connection.

Their findings were astonishing in their breadth. Some 6900 network-aware products from 1500 companies at 81 million internet protocol (IP) addresses responded to their requests. “About 80 per cent of those were home routers, and the rest were devices like cameras and printers that should not have been internet-facing at all,” says lead researcher H. D. Moore. An open router could give an attacker access to its owner’s personal files.

As the news spread, tech websites began running page after page demonstrating just what kinds of things UPnP is making available online: video of babies in their cots at home, a dog being operated on in a veterinary surgery, people working in offices, cafes and shops who do not know that their employer is inadvertently broadcasting their every move.

Developed by the global UPnP Forum, the software add-in was first embedded in Windows XP a decade ago – so that a laptop automatically connects to a wireless network printer, for example. “The problem is that the UPnP protocol has no built-in security. The goal was to make it easy for devices to discover each other without confusing the user – to get them up and running,” says Moore.

The affair highlights the tension inherent in providing ease of use on one hand and security on the other. One solution would be for internet service providers (ISPs) to modify their routers to prevent their subscribers’ UPnP traffic being accessed, says Moore. Rapid7 has also written a free, downloadable Windows program that lets people check if their devices are internet-facing, notes Jay Abbott of Advanced Security Consulting in Peterborough, UK. “Their one-click check lets you see if this issue affects you or not, so make use of it,” he says.

Like Abbott, Boldizsár Bencsáth at the CrySys Lab in Budapest, Hungary, thinks only time will cure the problem, perhaps as ISPs gradually issue broadband routers secured against UPnP data extraction. “People do not really care to fix vulnerabilities unless it does something like slow down internet access. So I think a lot of vulnerable UPnP devices will remain on the internet for a long time,” he says.

This article appeared in print under the headline “Windows on the world”