Outdated software on UPnP-enabled devices exposes them to attacks designed to exploit a wide range of vulnerabilities found in UPnP libraries used by various daemons and servers reachable over the Internet.

Out of the 1,648,769 results found using the Shodan search engine for Internet-connected devices, Trend Micro's Tony Yang home network researcher discovered that 35% were using the MiniUPnPd UPnP daemon for NAT routers, while about 20% came with Broadcom’s UPnP library.

The abundance of devices that can be accessed over the Internet and have Universal Plug and Play (UPnP) enabled is quite worrying considering the highly successful attack against Chromecast adapters, Smart TVs, and Google Home which used them to play a YouTube video promoting PewDiePie's channel.

"The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to the private devices and be open to the public internet," says Yang.

Number of devices with UPnP enabled by country

Devices with UPnP enabled previously abused on a large scale

While that attack wasn't malicious in nature and it didn't try to steal data or impact in any damaging way the devices it managed to compromise, the story would have been a lot different if that were the case.

Bad actors have used UPnP vulnerabilities in the past to abuse this type of devices, with an Akamai study discovering that cyber-espionage groups (APTs) and botnet operators were using tens of thousands of routers that had UPnP toggled on to proxy their traffic and conceal their real location from investigators.

"In initial Internet-wide scans, over 4.8 million devices were found to be vulnerable to simple UDP SSDP (the UDP portion of UPnP) inquiries. Of these, roughly 765,000 (16% of total) of the identified devices were confirmed to also expose their vulnerable TCP implementations," Akamai also said in the paper (.PDF) published during November 2018.

Also, "Over 65,000 (9% of vulnerable, 1.3% of total) of these vulnerable devices were discovered to have NAT injections, where at least one instance of a NewInternalClient pointed to an IP that was Internet-routable."

Old firmware comes with exploitable vulnerabilities

As detailed by Trend Micro's research, cameras, printers, NAS devices, Smart TVs, and routers which use UPnP for streaming, sharing, and service discovery are also the ones behind security holes which help potential attackers bypass firewalls and reach their local network.

Trend Micro found that "most devices still use old versions of UPnP libraries. Vulnerabilities involving the UPnP libraries have been years old, are potentially unpatched, and leave connected devices unsecure against attacks."

The MiniUPnPd library found on 16% of all publicly searchable UPnP-enabled devices which now reached the 2.1 release is present on only 0.39% of them, while the initial version can be found on 24.47% and another 29.98% come with MiniUPnPd 1.6.

This means that a vast majority of them are vulnerable, with at least three different security issues being present in various versions of the library:

• CVE-2013-0230, a stack-based buffer overflow in MiniUPnPd 1.0 allows attackers to execute arbitrary code.

• CVE-2013-0229, a vulnerability found MiniUPnPd before 1.4, allows attackers to cause a denial of service (DoS)

• CVE-2017-1000494, an uninitialized stack variable flaw in MiniUPnPd

Additionally, 18% of the UPnP-enabled devices reachable over the Internet are using Windows UPnP Server and roughly 5% of them feature a libupnp library installation.

This collection of devices also came with old their own set of unpatched software versions, which bundle an assortment of UPnP memory corruption, and stack-based buffer overflow vulnerabilities readily available for attackers to execute arbitrary code.

To make sure that the Internet-connect devices in their home aren't left exposed and vulnerable to attacks from outside their local networks, users need to disable the UPnP feature whenever possible and always keep their devices' firmware up to date.

"If a device is suspected of being infected, the device should be rebooted, reset to the original factory settings, or, to err on the side of caution, altogether replaced," the Trend Micro researcher concluded.