DS
Uploaded byDTM Security
1,967 views

U Plug, We Play - NED Summit. Cork, Ireland

The document presents a talk by David Middlehurst on the security implications of Universal Plug and Play (UPnP) technologies, highlighting common vulnerabilities and the introduction of a new UPnP Pentest Toolkit. It outlines the mechanisms of UPnP device discovery and discusses flaws related to authorization and external traffic that can lead to security risks such as Denial of Service (DoS). The conclusion emphasizes the need for security assessments of UPnP implementations and the toolkit's potential in facilitating such evaluations.

Embed presentation

U Plug, We Play David Middlehurst NEDSummit > Ireland Thursday 13 November 2014
Who am I? David Middlehurst Twitter: @dtmsecurity • Security Consultant • Specialisms: • Application Security • Develops Security Testing Tools • Previous Research • Near Field Communications (NFC) • Virtualisation
Agenda • Brief overview of UPnP • Introduce a new UPnP assessment tool • Tool overview • Demo • Authorisation • Common flaws and their implications • Places you might expect to find vulnerabilities • Conclusion
UPnP Universal Plug and Play (UPnP) allows devices to discover each others presence on a network and identify available services
UPnP – Basic Discovery Two main methods • Devices can announce that they are there by sending a “NOTIFY” packet • Devices can send out an “M-SEARCH” request asking for devices to reveal themselves if they meet the specified requirements
UPnP – NOTIFY Packet Devices periodically send multicast UDP packets to indicate they are online. This includes headers for the type of service they are offering and the URL to the XML device description. NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.15:8080/01c18570-b4a4- 4356-8afa-5eeac61aa583/ ST: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:85e5f606-c406-4c89-8af3- 5fc4ef27ee18
UPnP – M-SEARCH A device can probe for other UPnP devices by sending an M-SEARCH request. This can include a header asking for devices that have a specific service. M-SEARCH * HTTP/1.1 HOST:239.255.255.250:1900 ST: ssdp:all MAN: "ssdp:discover" MX:2
UPnP – M-SEARCH Devices respond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date: ST: urn:schemas-upnp-org:service:ContentDirectory:1 USN:uuid Location: http://192.168.0.15:8080/01c18570-b4a4-4356- 8afa-5eeac61aa583/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS: Server: UPnP-Pentest-Toolkit Ext:
New Tool Is Born – “UPnP Pentest Toolkit” Motivation: Lack of a security focused tool which provides easy access to the required information and allowed easy interaction and a framework to add new ideas. Aim: The aim of this tool is to bring together a range of UPnP assessment features, enabling a quick security assessment with minimal configuration and set-up.
UPnP Pentest Toolkit Windows GUI tool Written in C# Uses the libraries: • Managed UPnP • PcapDotNet
Discovery
Interaction
Interaction
Spoofing
Spoofing
Learning
Spoofing – Learnt Device
Spoofing – Learnt Device
Windows Enumeration
Windows Network Device Spoofing
What happens if you click?
Demo
Authorisation - Bad Vendor Practices • Mostly: “What do you mean by authorisation?” • Intentional or not you see some security by obscurity •Looking for fixed User Agents •Deviating from the specification slightly
Authorisation - Good Vendor Practices
Flaws – M-SEARCH Spoofing “Devices respond by sending a 'HTTP 1/1 200’ response via UDP to the source IP and source port that the M-SEARCH packet originated from.” • 60% of devices I looked at will respond to any routable destination • Most will send traffic to any port We can cause devices to send UDP traffic to an arbitrary target
Flaws – External Device URL’s NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.6:9090/685f34e2-9a75- 49c8-b642-2b1586ad4433/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 What happens if we specify a URL outside of the local subnet i.e. the internet • 40% of devices / apps that I looked at will make requests to any routable destination • Most will send traffic to any port We can cause devices to make a TCP connection and HTTP request to an arbitrary target HTTP/1.1 200 OK Cache-Control:max-age = 300 Date:Wed, 25 Jun 2014 22:19:27 GMT ST:upnp:rootdevice USN:uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 Location:http://192.168.0.6:9090/685f34e2-9a75-49c8- b642-2b1586ad4433/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS:2404a5f72618151d22759c04a8cad0b6 Server:UPnP-Pentest-Toolkit Ext:
Flaws – External Traffic Possible implications of UPnP services not taking note of where they are sending traffic • Sounds like Denial of Service (DoS)? • Attacker sends one packet  Multiple packets sent to a target • Attacker sends one packet  Multiple devices send packets to a target • Send a small packet  Bigger packets sent to a target • Influence over audit activity: • Malware Beacon Signatures • Dodgy Web Sites • Port scanning • Trust Boundaries…
Trust Boundaries Connect your work laptop to your home LAN (Untrusted) You have some UPnP service i.e. Running a media player Attacker on your home LAN can cause UDP/TCP traffic on your work LAN (Trusted)
Bugs to look for • Do devices and apps impose limits on the size of files they attempt to download? • Do they assume that all they have to process is a small XML file? • How do they handle traditional XML based attacks? i.e. XML Entity Injection (XXE) • When they have parsed the information do they safely handle it?
Memory Management Many UPnP implementations reviewed have problems i.e. Lots of iOS apps
Where are we heading? “UPnP+ will expand beyond the group's traditional work on devices using Internet Protocol on WiFi LANs to create bridges to wide-area networks and non-IP devices.” "Today there's not a good standard for accessing devices across any network, but UPnP [Forum] is working on it," said Alan Messer, a Samsung researcher in San Jose who is vice president of UPnP [Forum]. From: http://www.eetindia.co.in/ART_8800698124_1800001_NT_8dd16112.HTM
Conclusion • I think UPnP can be a hidden gem on security assessments • Vendor best practices vary to huge degree • I have introduced some common classes of bug. I am sure there are plenty of bugs to be identified. • The future looks even more scary! Watch this space, hopefully I will present on some of this in the years to come • Hopefully UPnP Pentest Toolkit will be a useful tool for people who want to assess UPnP targets or get started in carrying out research in this area
Get UPnP Pentest Toolkit NCC Group GitHub: https://github.com/nccgroup/UPnP-Pentest-Toolkit Goto: upnp.ninja
Keep updated Tool: Via GitHub page or the ‘About’ Dialog Research: Follow @dtmsecurity @nccgroupinfosec
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

More Related Content

PPTX
Offence oriented Defence
bySensePost
 
PDF
The state of wireless security
byFilip Waeytens
 
PDF
Heartbleed Overview
bySensePost
 
PPTX
Open Source Software
byAndrew Nolen, MCJ/FP, CDCA
 
PPT
Attacking Embedded Devices (No Axe Required)
bySecurity Weekly
 
PDF
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
bySecurity Weekly
 
PDF
Network Forensics and Practical Packet Analysis
byPriyanka Aash
 
PDF
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
byguest642391
 
Offence oriented Defence
bySensePost
 
The state of wireless security
byFilip Waeytens
 
Heartbleed Overview
bySensePost
 
Open Source Software
byAndrew Nolen, MCJ/FP, CDCA
 
Attacking Embedded Devices (No Axe Required)
bySecurity Weekly
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
bySecurity Weekly
 
Network Forensics and Practical Packet Analysis
byPriyanka Aash
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
byguest642391
 

What's hot

PDF
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
byPriyanka Aash
 
PPTX
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
byPositive Hack Days
 
PDF
IoT security is a nightmare. But what is the real risk?
byZoltan Balazs
 
PPTX
Pwn phone2014 jrs
bySecurity Weekly
 
PPTX
Practical Security Assessments of IoT Devices and Systems
byOllie Whitehouse
 
PDF
The Internet of Insecure Things: 10 Most Wanted List
bySecurity Weekly
 
PPTX
Fingerprinting and Attacking a Healthcare Infrastructure
byPositive Hack Days
 
PDF
Defcon 22-gregory-pickett-abusing-software-defined-networks
byPriyanka Aash
 
PDF
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
bySecurity Weekly
 
PDF
Defcon 22-tim-mcguffin-one-man-shop
byPriyanka Aash
 
PPTX
Kurt baumgartner lan_deskse2012
byKurt Baumgartner
 
PPTX
Dncybersecurity
byAnne Starr
 
PPTX
Network Management (CEN166) Project Presentation By Matthew Utin
byMatthew Utin, Dip.IT, BSc (Hons) 1st Class
 
PPTX
RPS/APS vulnerability in snom/yealink and others - slides
byCal Leeming
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
PPTX
44CON @ IPexpo - You're fighting an APT with what exactly?
by44CON
 
PPTX
Presentation.firewell.pptx
byyashukapil
 
PPTX
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
byLastline, Inc.
 
PDF
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
byTom Eston
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
byPriyanka Aash
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
byPositive Hack Days
 
IoT security is a nightmare. But what is the real risk?
byZoltan Balazs
 
Pwn phone2014 jrs
bySecurity Weekly
 
Practical Security Assessments of IoT Devices and Systems
byOllie Whitehouse
 
The Internet of Insecure Things: 10 Most Wanted List
bySecurity Weekly
 
Fingerprinting and Attacking a Healthcare Infrastructure
byPositive Hack Days
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
byPriyanka Aash
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
bySecurity Weekly
 
Defcon 22-tim-mcguffin-one-man-shop
byPriyanka Aash
 
Kurt baumgartner lan_deskse2012
byKurt Baumgartner
 
Dncybersecurity
byAnne Starr
 
Network Management (CEN166) Project Presentation By Matthew Utin
byMatthew Utin, Dip.IT, BSc (Hons) 1st Class
 
RPS/APS vulnerability in snom/yealink and others - slides
byCal Leeming
 
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
44CON @ IPexpo - You're fighting an APT with what exactly?
by44CON
 
Presentation.firewell.pptx
byyashukapil
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
byLastline, Inc.
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
byTom Eston
 

Similar to U Plug, We Play - NED Summit. Cork, Ireland

PPT
Let's Talk About SOAP, Baby. Let's Talk About UPnP.
byHeadlessZeke
 
PDF
DEF CON 23 - Rickey Lawshae - lets talk about soap
byFelipe Prado
 
PDF
Martin Zeiser, Universal Pwn n Play - pacsec -final
byPacSecJP
 
PDF
UPnP Forum Overview - H Elenbaas
bymfrancis
 
PDF
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
byRapid7
 
PDF
Security flawsu pnp
bylosalamos
 
PPT
Dror-Crazy_toaster
byguest66dc5f
 
PDF
JavaOne Keynote: Programmable Networking is SFW
byJuniper Developer Resources Cooney
 
PDF
Programmable WAN Networking is SFW
byJuniper Developer Resources Cooney
 
PPT
Upnp
byViv EK
 
PPTX
JavaScript powering the dream of the connected home
byRodrigo Fernandez
 
PPT
Connecting the EPC Network to Mobile Phones
byDominique Guinard
 
PDF
X-Device Service Discovery
byTekObserver
 
PDF
From Home Enabled Personal Media To Instant Personal Media Sharing
byguest829cce0
 
PDF
Practical security testing for lte networks
byPfedya
 
PDF
SNMP Monitoring at scale - Icinga Camp Milan 2023
byIcinga
 
PPTX
Using network traffic to verify mobile device forensic artifacts
bySongchaiDuangpan
 
PDF
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
byClubHack
 
PDF
Sfa community of practice a natural way of building
byChuck Speicher
 
PDF
Extending UPnP for Application Interoperability in a Home Network
byIJECEIAES
 
Let's Talk About SOAP, Baby. Let's Talk About UPnP.
byHeadlessZeke
 
DEF CON 23 - Rickey Lawshae - lets talk about soap
byFelipe Prado
 
Martin Zeiser, Universal Pwn n Play - pacsec -final
byPacSecJP
 
UPnP Forum Overview - H Elenbaas
bymfrancis
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
byRapid7
 
Security flawsu pnp
bylosalamos
 
Dror-Crazy_toaster
byguest66dc5f
 
JavaOne Keynote: Programmable Networking is SFW
byJuniper Developer Resources Cooney
 
Programmable WAN Networking is SFW
byJuniper Developer Resources Cooney
 
Upnp
byViv EK
 
JavaScript powering the dream of the connected home
byRodrigo Fernandez
 
Connecting the EPC Network to Mobile Phones
byDominique Guinard
 
X-Device Service Discovery
byTekObserver
 
From Home Enabled Personal Media To Instant Personal Media Sharing
byguest829cce0
 
Practical security testing for lte networks
byPfedya
 
SNMP Monitoring at scale - Icinga Camp Milan 2023
byIcinga
 
Using network traffic to verify mobile device forensic artifacts
bySongchaiDuangpan
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
byClubHack
 
Sfa community of practice a natural way of building
byChuck Speicher
 
Extending UPnP for Application Interoperability in a Home Network
byIJECEIAES
 

Recently uploaded

PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
The year in review - MarvelClient in 2025
bypanagenda
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
December Patch Tuesday
byIvanti
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
AI Technology important knowledge ......
byutkarshj2007
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 

U Plug, We Play - NED Summit. Cork, Ireland

  • 1.
    U Plug, WePlay David Middlehurst NEDSummit > Ireland Thursday 13 November 2014
  • 2.
    Who am I? DavidMiddlehurst Twitter: @dtmsecurity • Security Consultant • Specialisms: • Application Security • Develops Security Testing Tools • Previous Research • Near Field Communications (NFC) • Virtualisation
  • 3.
    Agenda • Brief overviewof UPnP • Introduce a new UPnP assessment tool • Tool overview • Demo • Authorisation • Common flaws and their implications • Places you might expect to find vulnerabilities • Conclusion
  • 4.
    UPnP Universal Plug andPlay (UPnP) allows devices to discover each others presence on a network and identify available services
  • 5.
    UPnP – BasicDiscovery Two main methods • Devices can announce that they are there by sending a “NOTIFY” packet • Devices can send out an “M-SEARCH” request asking for devices to reveal themselves if they meet the specified requirements
  • 6.
    UPnP – NOTIFYPacket Devices periodically send multicast UDP packets to indicate they are online. This includes headers for the type of service they are offering and the URL to the XML device description. NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.15:8080/01c18570-b4a4- 4356-8afa-5eeac61aa583/ ST: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:85e5f606-c406-4c89-8af3- 5fc4ef27ee18
  • 7.
    UPnP – M-SEARCH Adevice can probe for other UPnP devices by sending an M-SEARCH request. This can include a header asking for devices that have a specific service. M-SEARCH * HTTP/1.1 HOST:239.255.255.250:1900 ST: ssdp:all MAN: "ssdp:discover" MX:2
  • 8.
    UPnP – M-SEARCH Devicesrespond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date: ST: urn:schemas-upnp-org:service:ContentDirectory:1 USN:uuid Location: http://192.168.0.15:8080/01c18570-b4a4-4356- 8afa-5eeac61aa583/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS: Server: UPnP-Pentest-Toolkit Ext:
  • 9.
    New Tool IsBorn – “UPnP Pentest Toolkit” Motivation: Lack of a security focused tool which provides easy access to the required information and allowed easy interaction and a framework to add new ideas. Aim: The aim of this tool is to bring together a range of UPnP assessment features, enabling a quick security assessment with minimal configuration and set-up.
  • 10.
    UPnP Pentest Toolkit WindowsGUI tool Written in C# Uses the libraries: • Managed UPnP • PcapDotNet
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
    What happens ifyou click?
  • 22.
  • 23.
    Authorisation - BadVendor Practices • Mostly: “What do you mean by authorisation?” • Intentional or not you see some security by obscurity •Looking for fixed User Agents •Deviating from the specification slightly
  • 24.
    Authorisation - GoodVendor Practices
  • 25.
    Flaws – M-SEARCHSpoofing “Devices respond by sending a 'HTTP 1/1 200’ response via UDP to the source IP and source port that the M-SEARCH packet originated from.” • 60% of devices I looked at will respond to any routable destination • Most will send traffic to any port We can cause devices to send UDP traffic to an arbitrary target
  • 26.
    Flaws – ExternalDevice URL’s NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.6:9090/685f34e2-9a75- 49c8-b642-2b1586ad4433/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 What happens if we specify a URL outside of the local subnet i.e. the internet • 40% of devices / apps that I looked at will make requests to any routable destination • Most will send traffic to any port We can cause devices to make a TCP connection and HTTP request to an arbitrary target HTTP/1.1 200 OK Cache-Control:max-age = 300 Date:Wed, 25 Jun 2014 22:19:27 GMT ST:upnp:rootdevice USN:uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 Location:http://192.168.0.6:9090/685f34e2-9a75-49c8- b642-2b1586ad4433/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS:2404a5f72618151d22759c04a8cad0b6 Server:UPnP-Pentest-Toolkit Ext:
  • 27.
    Flaws – ExternalTraffic Possible implications of UPnP services not taking note of where they are sending traffic • Sounds like Denial of Service (DoS)? • Attacker sends one packet  Multiple packets sent to a target • Attacker sends one packet  Multiple devices send packets to a target • Send a small packet  Bigger packets sent to a target • Influence over audit activity: • Malware Beacon Signatures • Dodgy Web Sites • Port scanning • Trust Boundaries…
  • 28.
    Trust Boundaries Connect yourwork laptop to your home LAN (Untrusted) You have some UPnP service i.e. Running a media player Attacker on your home LAN can cause UDP/TCP traffic on your work LAN (Trusted)
  • 29.
    Bugs to lookfor • Do devices and apps impose limits on the size of files they attempt to download? • Do they assume that all they have to process is a small XML file? • How do they handle traditional XML based attacks? i.e. XML Entity Injection (XXE) • When they have parsed the information do they safely handle it?
  • 30.
    Memory Management Many UPnPimplementations reviewed have problems i.e. Lots of iOS apps
  • 31.
    Where are weheading? “UPnP+ will expand beyond the group's traditional work on devices using Internet Protocol on WiFi LANs to create bridges to wide-area networks and non-IP devices.” "Today there's not a good standard for accessing devices across any network, but UPnP [Forum] is working on it," said Alan Messer, a Samsung researcher in San Jose who is vice president of UPnP [Forum]. From: http://www.eetindia.co.in/ART_8800698124_1800001_NT_8dd16112.HTM
  • 32.
    Conclusion • I thinkUPnP can be a hidden gem on security assessments • Vendor best practices vary to huge degree • I have introduced some common classes of bug. I am sure there are plenty of bugs to be identified. • The future looks even more scary! Watch this space, hopefully I will present on some of this in the years to come • Hopefully UPnP Pentest Toolkit will be a useful tool for people who want to assess UPnP targets or get started in carrying out research in this area
  • 33.
    Get UPnP PentestToolkit NCC Group GitHub: https://github.com/nccgroup/UPnP-Pentest-Toolkit Goto: upnp.ninja
  • 34.
    Keep updated Tool: Via GitHubpage or the ‘About’ Dialog Research: Follow @dtmsecurity @nccgroupinfosec
  • 35.
    UK Offices Manchester -Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland