Why UPnP is Awesome and Terrifying
DESCRIPTION
An explanation of how UPnP works, and why it is an inherently dangerous protocol.
TRANSCRIPT
© 2012
Why UPnP is Awesome…and Terrifying
Presented by: Daniel Crowley
Who am I?
• Daniel Crowley
• Managing Consultant
• Trustwave – SpiderLabs – AppSec
• [email protected]
• @dan_crowley
How UPnP works
Phases of UPnP Protocol
• Addressing
• Discovery
• Description
• Control
• Eventing
• Presentation
Addressing
• Acquire network address
  – DHCP
• Associate with multicast group
Discovery
• M-SEARCH (request)
  – HTTPMU
    • Multicast
    • UDP
  – Port 1900
Discovery – M-SEARCH
Discovery
• NOTIFY
  – HTTPMU
    • Multicast
    • UDP
  – Port 1900
Discovery – NOTIFY
Description
• Unicast HTTP
• Grab/parse UPnP description XML files
Control
• Unicast HTTP
• SOAP
Eventing
• GENA
  – HTTP based
• SUBSCRIBE, POLL and NOTIFY
• May be implemented by UPnP device
Presentation
• Description phase provides root XML file
• Root XML file can contain presentation URI
• URI is HTTP resource for alternate control or view
Awesome
• Kittens
• Missiles
Why it’s awesome
• Universal control protocol
  – Traditional network devices
  – Network-attached devices
  – AV Gear
• Ease of device deployment
  – Self-configuring devices
Terrifying
• No authentication built in
  – DeviceProtection
  – UPnP security
• Some actions exposed are awful
  – RunLua
  – SetDNSServer
  – UpdateFirmware
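Added example (not from the original slides): a defender-side audit that parses a service description XML file, as fetched in the Description phase, and flags action names like the ones listed above for review. The sample SCPD document, the `audit_scpd` function and the keyword list are assumptions constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

SCPD_NS = {"s": "urn:schemas-upnp-org:service-1-0"}

# Assumed keyword list, seeded from the action names on the slide
# (RunLua, SetDNSServer, UpdateFirmware); extend it for your own review.
RISKY = re.compile(r"lua|dns|firmware|exec|shell|reboot", re.I)

# Constructed sample SCPD (service description), not from a real device.
SAMPLE_SCPD = """<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <actionList>
    <action><name>GetStatus</name></action>
    <action><name>RunLua</name>
      <argumentList><argument><name>Code</name><direction>in</direction></argument></argumentList>
    </action>
    <action><name>SetDNSServer</name>
      <argumentList><argument><name>NewDNSServer</name><direction>in</direction></argument></argumentList>
    </action>
    <action><name>UpdateFirmware</name></action>
  </actionList>
</scpd>"""


def audit_scpd(xml_text):
    """Return [(action, [input args])] for actions whose name looks risky."""
    # Device XML is untrusted input: refuse DTDs so entity-expansion
    # tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations not allowed in SCPD")
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.iterfind("s:actionList/s:action", SCPD_NS):
        name = (action.findtext("s:name", "", SCPD_NS) or "").strip()
        if not RISKY.search(name):
            continue
        args = [
            a.findtext("s:name", "", SCPD_NS).strip()
            for a in action.iterfind("s:argumentList/s:argument", SCPD_NS)
            if a.findtext("s:direction", "", SCPD_NS).strip().lower() == "in"
        ]
        findings.append((name, args))
    return findings


if __name__ == "__main__":
    for name, args in audit_scpd(SAMPLE_SCPD):
        print(f"review: {name}({', '.join(args)})")
```

A name match only marks an action for manual review; with no authentication built in, any flagged action that accepts caller-supplied input is reachable by anything that can send HTTP to the device.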
Remote Keystrokes?
Arm/Disarm Alarm System?
Add entry PINs to door lock?
Terrifying
• Being used for:
  – Door Locks
  – Security Cameras
  – Motion Sensors
  – Alarm Systems
  – Electrical Outlets
Terrifying
• Control is built on Unicast HTTP
  – CSRF
    • JavaScript
    • Flash
    • Silverlight
UPnP Daemons
• Full
• Of
• Holes
Flaws in UPnP actions
• Traditional application security flaws
  – Shell injection
  – Memory corruption
Demo – Belkin WeMo
Demo – BubbleUPnP