Millions of smart TVs, routers and phones are at risk due to a presence of a 3-year-old vulnerability in a software they use. According to the experts at Trend Micro, the security flaw hasn’t been patched by many vendors despite the availability of a patch since 2012.
“A total of 6.1 million devices – smart phones, routers, smart TVs – are currently at risk to remote code execution attacks due to vulnerabilities that have been fixed since 2012.” wrote Veo Zhang, a mobile threats analyst at Trend Micro. “The vulnerabilities exist in the Portable SDK for UPnP™ Devices, also called libupnp. This particular library is used to implement media playback (DLNA) or NAT traversal (UPnP IGD). Apps on a smartphone can use these features to play media files or connect to other devices within a user’s home network.”
Trend Micro discovered that 547 apps that use an unpatched version of the software component, 326 are available in Google’s Play app store and most of the apps are very popular and used by million users. One of the affected apps is QQMusic that is distributed by Tencent, the company promptly released an update for the Android app on Nov. 23 after the disclosure of the news.
“These are very popular apps that put millions of users in danger; aside from mobile devices, routers, and smart TVs are all at risk as well,” he added.
We discussed several times about smart devices, aka IoT devices, and their capability to gather and share huge quantities of information, including sensitive data, raising serious concerns in term of privacy.
Our surface of attack is enlarging as never before, both in workplace and in the private life, experts in the security industry sustain that the majority of IoT vendors doesn’t adopt a security by design approach. It is quite common to find smart objects poorly configured or affected by critical security flaws.
In this specific case emerges the inability of manufacturers to implement an efficient patch management. Million of vulnerable devices, such as routers and smart TVs, are exposed on the Internet.
The experts at Trend Micro confirmed that threat actors are already attacking these vulnerable devices, exploiting the flaws the attackers would take complete control of the targeted system.
Once identified a vulnerable device, an attacker can send a specially crafted packet to trigger a buffer overflow. In the code below, the TempBuf buffer can overflow and cause a crash.
“With further research an exploit could be used not just to cause a crash, but to run arbitrary code on an affected device. The ability to run arbitrary code would give the attacker the ability to take control of the device, as on a PC.” continues the post. “We have seen exploits in the wild targeting devices that do not use mitigation protections such stack canaries, DEP, and ASLR. For well protected systems, we do not know of exploits that are currently capable of remote code execution.”
The security vulnerability affects the ‘libupnp’ code library inside the Portable SDK for UPnP Devices, it is used to playback media and also for NAT functionalities.
Below a list of the most popular affected apps:
Common Name | Package Name |
AirSmartPlayer | com.gk.airsmart.main |
Big2Small | com.alitech.dvbtoip |
CameraAccess plus | jp.co.pixela.cameraaccessplus |
G-MScreen | mktvsmart.screen |
HexLink Remote (TV client) | hihex.sbrc.services |
HexLink-SmartTV remote control | com.hihex.hexlink |
Hisense Android TV Remote | com.hisense.commonremote |
Netflix | com.netflix.mediaclient |
nScreen Mirroring for Samsung | com.ht.nscreen.mirroring |
Ooredoo TV Oman | com.ooredootv.ooredoo |
PictPrint – WiFi Print App – | jp.co.tandem.pictprint |
qa.MozaicGO.Android | Mozaic GO |
QQMusic | com.tencent.qqmusic |
QQ音乐HD | com.tencent.qqmusicpad |
Smart TV Remote | com.hisense.common |
Wifi Entertainment | com.infogo.entertainment.wifi |
モバイルTV(StationTV) | jp.pixela.px01.stationtv.localtuner.full.app |
에브리온TV (무료 실시간 TV) | com.everyontv |
多屏看看 | com.letv.smartControl |
海信分享 | com.hisense.hishare.hall |
(Security Affairs – smart devices, libupnp library)