Millions vulnerable UPnP devices vulnerable to attack

Pierluigi Paganini October 16, 2014

Researchers at Akamai firm have issued a report on reflection and amplification DDoS attacks exploiting vulnerable UPnP devices worldwide.

Researchers at Akamai firm have observed an increase of new reflection and amplification DDoS attacks exploiting Internet of Things devices (e.g. SOHO devices, routers, media servers, web cams, smart TVs and printers), which that misuses communications protocols. The data is in line with the findings of the report recently issued by Arbor Networks related to DDoS attack observed in Q3 2014.

As explained in the report issued by Akamai, the SSDP protocol abused by threat actors are ordinary used by such devices to communicate each other and to coordinate activities with various equipments. The IoT devices exposed on the Internet are targeted by bad actors that compromise them to coordinate major attacks against enterprise targets.

“PLXsert has observed the use of a new reflection and amplification distributed denial of service (DDoS) attack that abuses the Simple Service Discovery Protocol (SSDP). This protocol is part of the Universal Plug and Play (UPnP) Protocol standard. SSDP comes enabled on millions of home and office devices” states the report from Akamai.

The experts discovered an amazing number of Internet-facing UPnP devices that are potentially vulnerable to cyber attacks, more than 4.1 million units that threat actors could compromise them and recruit these resources in reflection DDoS attack.

“Malicious actors are using this new attack vector to perform large-scale DDoS attacks. The Prolexic Security Engineering & Response Team (PLXsert) began seeing attacks from UPnP devices in July, and they have become common,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai.  The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch. Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat,” 

It has been estimated that nearly 38 percent of the 11 million devices deployed worldwide are at risk. Experts at Akamai have shared a list of potentially exploitable UPnP devices with other experts in an effort to collaborate with cleanup and mitigation efforts of this threat.

“The Simple Object Access Protocol (SOAP) is used to deliver control messages to UPnP devices and pass information back from the devices. Attackers have discovered that SOAP requests can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target. By employing a great number of devices, attackers create large quantities of attack traffic that can be aimed at selected target” states the report.

How does the DDoS attack against the UPnP devices work?

  • Attackers send a SOAP request (M-SEARCH) to a UPnP-enabled device, the M-SEARCH packet identifies vulnerable devices. The process could be automated using custom-made scripts.
  • The device responds with the HTTP location of its device XML description file.
  • Once identified a list of vulnerable UPnP devices, the attacker will send malicious requests spoofing the address of the target and causing a reflected and amplified response. The volume of traffic generated depends on many factors, including the size of the device description file, operating system and UUID.
  • According to PLXsert that has measured the amplification factor of the attacks running through the UPnP devices and it is approximately 33 percent.

The analysis of the Geographic distribution of vulnerable UPnP devices reveals that Korea is the country with the largest number of units, followed by the U.S., Canada, China, Argentina and Japan.

vulnerable UPnP devices

IoT devices are a privileged target as highlighted recently by the Europol, the European agency citing a December 2013 report by US security firm IID, warned of the first murder via “hacked internet-connected device” by the end of 2014.”

Recently security experts at Akamai have spotted a new malware kit named Spike which is used by bad actors to run DDoS attacks through desktops and Internet of Things devices.

“These attacks are an example of how fluid and dynamic the DDoS crime ecosystem can be,” explained Scholly. “Malicious actors identify, develop and incorporate new resources and attack vectors into their arsenals. It’s predictable that they will develop, refine and monetize these UPnP attack payloads and tools in the near future.”

As discussed in the last 2015 Europol-INTERPOL cybercrime conference IoE is a paradigm that most of all could be exploited by a cybercrime syndicate in the next future.

The complete report could be download here.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – DDoS, Akamai)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment