Categories: Cyber Crime, Hacking

Millions of UPnP devices vulnerable to attack

Researchers at Akamai firm have issued a report on reflection and amplification DDoS attacks exploiting vulnerable UPnP devices worldwide.

Researchers at Akamai have observed an increase in new reflection and amplification DDoS attacks that exploit Internet of Things devices (e.g. SOHO devices, routers, media servers, web cams, smart TVs and printers) by misusing their communication protocols. The data is in line with the findings of the report recently issued by Arbor Networks on the DDoS attacks observed in Q3 2014.

As explained in the Akamai report, the SSDP protocol abused by threat actors is ordinarily used by such devices to communicate with each other and to coordinate activities with other equipment. IoT devices exposed on the Internet are targeted by bad actors who compromise them to coordinate major attacks against enterprise targets.

“PLXsert has observed the use of a new reflection and amplification distributed denial of service (DDoS) attack that abuses the Simple Service Discovery Protocol (SSDP). This protocol is part of the Universal Plug and Play (UPnP) Protocol standard. SSDP comes enabled on millions of home and office devices” states the report from Akamai.

The experts discovered a striking number of Internet-facing UPnP devices that are potentially vulnerable to abuse: more than 4.1 million units that threat actors could compromise and recruit as reflectors in DDoS attacks.

“Malicious actors are using this new attack vector to perform large-scale DDoS attacks. The Prolexic Security Engineering & Response Team (PLXsert) began seeing attacks from UPnP devices in July, and they have become common,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch. Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat.”

It has been estimated that nearly 38 percent of the 11 million devices deployed worldwide are at risk. Experts at Akamai have shared a list of potentially exploitable UPnP devices with other experts in an effort to collaborate on the cleanup and mitigation of this threat.

“The Simple Object Access Protocol (SOAP) is used to deliver control messages to UPnP devices and pass information back from the devices. Attackers have discovered that SOAP requests can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target. By employing a great number of devices, attackers create large quantities of attack traffic that can be aimed at selected targets,” states the report.

How does the DDoS attack against the UPnP devices work?

  • Attackers send a SOAP request (M-SEARCH) to a UPnP-enabled device; the M-SEARCH packet identifies vulnerable devices. The process can be automated with custom-made scripts.
  • The device responds with the HTTP location of its device XML description file.
  • Once a list of vulnerable UPnP devices has been identified, the attacker sends malicious requests that spoof the address of the target, causing a reflected and amplified response. The volume of traffic generated depends on many factors, including the size of the device description file, the operating system and the UUID.
  • PLXsert measured the amplification factor of attacks run through UPnP devices at approximately 33 percent.
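As an added defensive example (not code from the Akamai report or from this article), the following Python flags the reflection step described above from the LAN side: a device only ever receives M-SEARCH from hosts on its own segment, so an SSDP reply it sends from UDP port 1900 to an address outside the local network can only be the answer to a spoofed request, and the destination is the likely victim. The flow-record format, the sample lines and the LAN prefixes are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow records in a made-up "<time> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>"
# format; sample lines for this example, not data from the Akamai report.
SAMPLE_FLOWS = """\
2014-10-15T10:00:01 udp 192.168.1.20:1900 -> 192.168.1.5:51123 len=338
2014-10-15T10:00:02 udp 192.168.1.20:1900 -> 203.0.113.5:80 len=412
2014-10-15T10:00:02 udp 192.168.1.20:1900 -> 203.0.113.5:80 len=412
2014-10-15T10:00:03 udp 192.168.1.20:1900 -> 203.0.113.5:80 len=412
2014-10-15T10:00:03 udp 192.168.1.31:1900 -> 203.0.113.5:80 len=389
2014-10-15T10:00:04 udp 192.168.1.20:1900 -> 198.51.100.9:1900 len=338
2014-10-15T10:00:05 tcp 192.168.1.20:49152 -> 203.0.113.5:443 len=1200
"""

# Prefixes that count as "inside" the monitored network (assumed; use the site's own).
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16")]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<length>\d+)$"
)

def parse_flow(line):
    """Parse one record into a dict with numeric ports/length, or None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {k: (int(v) if k in ("sport", "dport", "length") else v)
            for k, v in m.groupdict().items()}

def is_ssdp_reflection(flow):
    """True for a UDP reply from source port 1900 (SSDP) that leaves the LAN: discovery
    replies only go back to local hosts, so an outside destination means a spoofed request."""
    if flow["proto"] != "udp" or flow["sport"] != 1900:
        return False
    dst = ipaddress.ip_address(flow["dst"])
    return not any(dst in net for net in LAN_NETS)

def reflection_report(text, min_replies=2):
    """Map each outside destination to (reply_count, total_bytes) once it has received
    at least `min_replies` SSDP replies, i.e. it looks like a reflection victim."""
    stats = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and is_ssdp_reflection(flow):
            stats[flow["dst"]][0] += 1
            stats[flow["dst"]][1] += flow["length"]
    return {ip: tuple(v) for ip, v in stats.items() if v[0] >= min_replies}
```

On the sample records only 203.0.113.5 crosses the threshold; the single reply to 198.51.100.9 is kept out by `min_replies`, and the legitimate reply to 192.168.1.5 never matches. Blocking outbound UDP source port 1900 at the edge, or disabling UPnP on the WAN interface, removes the device from the pool of open reflectors.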

The geographic distribution of vulnerable UPnP devices shows that Korea is the country with the largest number of units, followed by the U.S., Canada, China, Argentina and Japan.

IoT devices are a privileged target, as Europol recently highlighted: the European agency, citing a December 2013 report by US security firm IID, warned of the first murder via a “hacked internet-connected device” by the end of 2014.

Recently, security experts at Akamai spotted a new malware kit named Spike, which is used by bad actors to run DDoS attacks through desktops and Internet of Things devices.

“These attacks are an example of how fluid and dynamic the DDoS crime ecosystem can be,” explained Scholly. “Malicious actors identify, develop and incorporate new resources and attack vectors into their arsenals. It’s predictable that they will develop, refine and monetize these UPnP attack payloads and tools in the near future.”

As discussed at the last Europol-INTERPOL cybercrime conference in 2015, the Internet of Everything (IoE) is the paradigm most likely to be exploited by cybercrime syndicates in the near future.

The complete report can be downloaded here.


Pierluigi Paganini

(Security Affairs – DDoS, Akamai)
