Tuesday, January 04, 2005

UPnP - It is unbelievably insecure

Designed by two companies who should have known better (Intel and Microsoft) and now supported by over 725 industry players (see http://www.upnp.org/), UPnP is a security vulnerability waiting to happen. And when it happens, it will happen in a rather big way.

UPnP is a device discovery and control specification that was designed to ease and enhance network communications. It was designed to allow one device (such as a PDA or your Windows XP Home computer) to control another device (such as an air conditioner, home automation, home security or Internet gateway) without needing a password or any other authentication at all. Now, that is where its vulnerability lies - no authentication is required.

Why on earth would anyone want to allow unauthenticated access to their Internet Gateway (also known as a firewall)? I, for one, think this is a Bad Thing (tm) and when worm authors decide to look at UPnP as another point to attack a network, then all hell will break loose. Malware (virus, worm, trojan, and so on) authors can already disable the Windows XP Firewall due to a stupidity-encouraged design flaw by the Microsoft Security team. Microsoft decided to implement a mechanism whereby another vendor could disable the Windows Firewall during the installation of its third-party firewall simply by asking Microsoft's firewall to turn off. All these Bagle variants have to do is to trigger this mechanism, and the Windows Firewall is disabled, replaced with nothing — well, nothing enhancing your security.

How long will it be before a worm is written that will utilize the UPnP control features and combine this with the 'Disable Windows XP SP2 Firewall' vulnerability to disable not only your personal firewall, but also the firewall of anyone insane enough to enable UPnP? This means that it could disable the hardware firewall on a business or corporate network, if the administrator was 'green' enough to believe Microsoft's hype about UPnP that they preach in their MCP and MCSE courses.

UPnP is something that never should be implemented on any network where the administrator is concerned in any way about security. Firewalls — of all devices — should never have UPnP enabled. It is complete and utter lunacy to use it, and it is complete and utter lunacy for Microsoft to push it as a security tool. It is a security hole waiting to happen.

The Outspoken Wookie
