Millions of IoT devices still at risk from bug fixed three years ago
December 10, 2015
More than six million IoT devices are still at risk from remote code execution attacks due to vulnerabilities that were fixed three years ago, according to mobile threats analyst Veo Zhang.
The vulnerabilities exist in the portable SDK for UPnP devices, also called Libupnp. This particular library is used to implement media playback (DLNA) or NAT traversal (UPnP IGD). Apps on a smartphone can use these features to play media files or connect to other devices within a user’s home network.
“These vulnerabilities were actually fixed in December 2012, however many apps still use the older, vulnerable version of the SDK,” said Zhang in a Trend Micro blog post. “We found 547 apps that used older versions of Libupnp, 326 of which are available on the Google Play store, including high-profile apps such as Netflix and Tencent QQMusic. These are very popular apps that put millions of users in danger; aside from mobile devices, routers and smart TVs are all at risk as well.”
The vulnerability lies in how the Libupnp library handles SSDP simple service discovery protocol packets. This protocol is part of the Universal Plug N’ Play (UPnP) standard. The stack overflow occurs during this process, and requires that the UDP port 1900 be open. A specially crafted packet can be used to overflow buffers. The TempBuf buffer can overflow and cause a crash.
“With further research an exploit could be used not just to cause a crash, but to run arbitrary code on an affected device,” said Zhang. “The ability to run arbitrary code would give the attacker the ability to take control of the device, as on a PC. We have seen exploits in the wild targeting devices that do not use mitigation protections such as stack canaries, DEP, and ASLR. For well protected systems, we do not know of exploits that are currently capable of remote code execution.”
He said the researchers had confirmed that in at least 20 apps, the vulnerable Libupnp library could be activated.