Why UPnP is awesome and terrifying

Presented by:

Why UPnP is Awesome…and Terrifying

Daniel Crowley

Who am I?

• Daniel Crowley• Managing Consultant• Trustwave – SpiderLabs - AppSec• dcrowley@trustwave.com• @dan_crowley

How UPnP works

Phases of UPnP Protocol

• Addressing• Discovery• Description• Control• Eventing• Presentation

Addressing

• Acquire network address–DHCP

• Associate with multicast group

Discovery

• M-SEARCH (request)–HTTPMU•Multicast•UDP

–Port 1900

Discovery – M-SEARCH

Discovery

• NOTIFY–HTTPMU•Multicast•UDP

–Port 1900

Discovery - NOTIFY

Description

• Unicast HTTP• Grab/parse UPnP description xml files

Control

• Unicast HTTP• SOAP

Eventing

• GENA– HTTP based

• SUBSCRIBE, POLL and NOTIFY• May be implemented by UPnP device

Presentation

• Description phase provides root XML file• Root XML file can contain presentation URI• URI is HTTP resource for alternate control or

Awesome

• Kittens• Missiles

Why it’s awesome

• Universal control protocol–Traditional network devices–Network-attached devices–AV Gear

• Ease of device deployment–Self-configuring devices

Terrifying

• No authentication built in– DeviceProtection– UPnP security

• Some actions exposed are awful– RunLua– SetDNSServer– UpdateFirmware

Remote Keystrokes?

Arm/Disarm Alarm System?

Add entry PINs to door lock?

Terrifying

• Being used for:– Door Locks– Security Cameras– Motion Sensors– Alarm Systems– Electrical Outlets

Terrifying

• Control is built on Unicast HTTP–CSRF• Javascript• Flash• Silverlight

UPnP Daemons

• Full

•Holes

Flaws in UPnP actions

• Traditional application security flaws–Shell injection–Memory corruption

DemoBelkin WeMo

DemoBubbleUPnP

Bibliography

• http://technet.microsoft.com/en-us/library/bb727027.aspx

• http://tools.ietf.org/html/draft-cohen-gena-p-base-01

• http://tools.ietf.org/html/draft-cohen-gena-client-00

• http://www.upnp-hacks.org

Why UPnP is awesome and terrifying

Technology

Transcript of Why UPnP is awesome and terrifying

“Terrifying Majesty”: The French Absolutist Statefairbanksonline.net/Fairbanks_Online/ID_-_Notes_files/"Terrifying... · “Terrifying Majesty”: The French Absolutist State

UPnP AV WC Status Update (UPnP Summit 2002) John Ritchie UPnP AV Co-Chair Intel Corporation.

UPnP Device Architecture 1upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.0.pdf · UPnP Device Architecture 1.0 . Document Revision Date 15 October 2008 . Note: This document

Most terrifying archaeological discoveries

Abusing Universal Plug and Play - UPnP Hacks: s topics and goals I UPnP history I UPnP protocol stack I debunk common misconceptions about UPnP I show errors in UPnP design I show

UPnP Forum Marketing Committee Update Andrew Liu Co-chair UPnP Forum MC Intel Corporation.

UPnP AV Tutorial

The Terrifying animal

TR-069 UPnP DM Proxy Management GuidelinesA UPnP Control Point that interacts with UPnP devices supporting at least one of the UPnP Device Management services. UPnP DM Device A UPnP

UPnP AV WC Status Update (UPnP Summit 2002)

Terrifying Art

UPnP Device Architecture Tutorial

UPnP QosManager:3 Service Template Version 1upnp.org/specs/qos/UPnP-qos-QosManager-v3-Service.pdf · UPnP QosManager:3 Service Template Version 1.01 For UPnP Version 1.0 Status: Standardized

UPnP™ Device Architecture 1 - GitHub Pagestrinea.github.io/doc/upnp/UPnP-arch-DeviceArchitecture-v1.1.pdf · *Note: The UPnP Forum in no way guarantees the accuracy or completeness

UPnP™ Device Architecture 1 - CoverPagesxml.coverpages.org/UPnP-DA101-20030506.pdf1 Introduction What is UPnP™1 Technology? UPnP™ technology defines an architecture for pervasive

UPnP Device Architecture 1.1

Fractal Analysis analysis.pdf · perfect pattern is called a Fibonacci spiral. Lightning’s terrifying power is both awesome and beautiful. The fractals created by lightning are

UPnP Gateway Working Committee - UPnP Forum

UPNP understanding

UPnP Arch DeviceArchitecture v1.1