Why UPnP is awesome and terrifying


An explanation of how UPnP works, and why it is an inherently dangerous protocol.

Published in: Technology, Business

  1. Why UPnP is Awesome …and Terrifying
     Presented by: Daniel Crowley
     © 2012
  2. Who am I?
     • Daniel Crowley
     • Managing Consultant
     • Trustwave – SpiderLabs - AppSec
     • dcrowley@trustwave.com
     • @dan_crowley
  3. How UPnP works
  4. Phases of UPnP Protocol
     • Addressing
     • Discovery
     • Description
     • Control
     • Eventing
     • Presentation
  5. Addressing
  6. Addressing
     • Acquire network address
       – DHCP
     • Associate with multicast group
  7. Discovery
  8. Discovery
     • M-SEARCH (request)
       – HTTPMU
         • Multicast
         • UDP
       – Port 1900
  9. Discovery – M-SEARCH
  10. Discovery – M-SEARCH
  11. Discovery
     • NOTIFY
       – HTTPMU
         • Multicast
         • UDP
       – Port 1900
  12. Discovery - NOTIFY
  13. Description
  14. Description
     • Unicast HTTP
     • Grab/parse UPnP description xml files
  15. Control
  16. Control
     • Unicast HTTP
     • SOAP
  17. Eventing
  18. Eventing
     • GENA
       – HTTP based
     • SUBSCRIBE, POLL and NOTIFY
     • May be implemented by UPnP device
  19. Presentation
  20. Presentation
     • Description phase provides root XML file
     • Root XML file can contain presentation URI
     • URI is HTTP resource for alternate control or view
  21. Awesome
  22. Awesome
     • Kittens
     • Missiles
  23. Why it’s awesome
     • Universal control protocol
       – Traditional network devices
       – Network-attached devices
       – AV Gear
     • Ease of device deployment
       – Self-configuring devices
  24. Terrifying
  25. Terrifying
     • No authentication built in
       – DeviceProtection
       – UPnP security
     • Some actions exposed are awful
       – RunLua
       – SetDNSServer
       – UpdateFirmware
  26. Remote Keystrokes?
  27. Arm/Disarm Alarm System?
  28. Add entry PINs to door lock?
  29. Terrifying
     • Being used for:
       – Door Locks
       – Security Cameras
       – Motion Sensors
       – Alarm Systems
       – Electrical Outlets
  30. Terrifying
     • Control is built on Unicast HTTP
       – CSRF
         • Javascript
         • Flash
         • Silverlight
  31. UPnP Daemons
     • Full
     • Of
     • Holes
  32. Flaws in UPnP actions
     • Traditional application security flaws
       – Shell injection
       – Memory corruption
  33. Demo: Belkin WeMo
  34. Demo: BubbleUPnP
  35. Bibliography
     • http://technet.microsoft.com/en-us/library/bb727027.aspx
     • http://tools.ietf.org/html/draft-cohen-gena-p-base-01
     • http://tools.ietf.org/html/draft-cohen-gena-client-00
     • http://www.upnp-hacks.org
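
A defender-side audit for the "Some actions exposed are awful" slide, as an added example that is not part of the talk: it parses a UPnP service description (SCPD) file of the kind fetched in the Description phase and reports watchlisted actions with the input arguments a caller controls. The sample XML is constructed, and the watchlist holds only the three action names the slide lists.

```python
import xml.etree.ElementTree as ET

# Namespace used by UPnP service description (SCPD) documents.
NS = {"s": "urn:schemas-upnp-org:service-1-0"}

# Watchlist: only the three action names the slide lists; extend per policy.
RISKY_ACTIONS = {"runlua", "setdnsserver", "updatefirmware"}

# Constructed sample SCPD, not captured from a real device.
SAMPLE_SCPD = """<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <actionList>
    <action>
      <name>GetStatus</name>
      <argumentList>
        <argument><name>Status</name><direction>out</direction></argument>
      </argumentList>
    </action>
    <action>
      <name>SetDNSServer</name>
      <argumentList>
        <argument><name>NewDNSServer</name><direction>in</direction></argument>
      </argumentList>
    </action>
    <action><name>UpdateFirmware</name></action>
  </actionList>
</scpd>"""

def audit_scpd(xml_text):
    """Return (action_names, findings); findings maps a watchlisted action
    to the input arguments a caller controls."""
    # For XML fetched from untrusted devices, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    names, findings = [], {}
    for action in root.findall("s:actionList/s:action", NS):
        name = action.findtext("s:name", "", NS).strip()
        names.append(name)
        if name.lower() in RISKY_ACTIONS:
            findings[name] = [
                arg.findtext("s:name", "", NS).strip()
                for arg in action.findall("s:argumentList/s:argument", NS)
                if arg.findtext("s:direction", "", NS).strip() == "in"
            ]
    return names, findings

if __name__ == "__main__":
    for name, args in audit_scpd(SAMPLE_SCPD)[1].items():
        print(f"REVIEW {name}: caller-controlled inputs {args}")
```

Because the protocol has no built-in authentication, every action this reports is callable by any host that can reach the device's control URL.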

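
One device-side mitigation for the CSRF slide, as an added example that is not from the talk or from any particular UPnP daemon: a filter that rejects SOAP control requests that look browser-driven before the action is dispatched. The function name, the device address, the action name and the sample requests are all constructed for illustration.

```python
# This device's own control endpoint(s), as IP literal and port. Constructed value.
DEVICE_HOSTS = {"192.168.1.1:49152"}

def check_control_request(method, headers):
    """Return (allowed, reason) for an incoming UPnP SOAP control request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if method != "POST":
        return False, "not a POST"
    # DNS rebinding: the browser puts the attacker's hostname in Host.
    if h.get("host", "").lower() not in DEVICE_HOSTS:
        return False, "Host is not this device"
    # Browsers attach Origin to cross-origin POSTs. Assumption: the control
    # points this device serves are native clients that never send it.
    if "origin" in h:
        return False, "Origin header present"
    # HTML forms can only submit urlencoded, multipart or text/plain bodies.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/xml":
        return False, "Content-Type is not text/xml"
    # UPnP control requests carry SOAPACTION; a page cannot add a custom
    # header cross-origin without a CORS preflight the device never grants.
    if not h.get("soapaction"):
        return False, "missing SOAPACTION"
    return True, "ok"

# Constructed requests: one native control point, three browser-driven ones.
SOAP = '"urn:schemas-upnp-org:service:Example:1#SetState"'  # made-up action
SAMPLES = {
    "control point": {"Host": "192.168.1.1:49152", "SOAPACTION": SOAP,
                      "Content-Type": 'text/xml; charset="utf-8"'},
    "cross-site script": {"Host": "192.168.1.1:49152", "SOAPACTION": SOAP,
                          "Origin": "http://attacker.example",
                          "Content-Type": "text/xml"},
    "html form": {"Host": "192.168.1.1:49152", "Content-Type": "text/plain"},
    "dns rebinding": {"Host": "rebind.attacker.example:49152",
                      "SOAPACTION": SOAP, "Content-Type": "text/xml"},
}

def classify_samples():
    return {name: check_control_request("POST", hdrs)
            for name, hdrs in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in classify_samples().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

These checks only filter requests relayed through a browser; a host already on the local network can still call the action, so the missing authentication the slides describe remains.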