A Fox In The Hen House - UPnP IGD presented at HITBSecConf Malaysia 2008

by Jonathan Squire

Tags: Security Infrastructure Wireless Web Media

Summary:

Presentation Abstract:

Easy is the mantra of consumer devices these days. “Just plug it in and it works. No configuration needed.” All this simplicity hopefully causes one to pause and wonder, how is this possible?

This presentation will demonstrate the dangers of the often overlooked Universal Plug and Play (UPnP) Internet Gateway Device (IGD) profile. UPnP IGD is commonly enabled on modern home cable modem/wireless routers. UPnP IGD allows applications such as games and chat clients to request needed port forwards without the user’s intervention. Many of these routers do not even display these port mappings in their administrative interfaces.

In this presentation we will walk the audience through the simple steps needed to modify the port mappings on a common wireless router and discuss some of the potential attacks that can be performed. Sample code will be demonstrated that dynamically adds and removes port forwarding rules from the router to expose internal services to the internet. This simple attack is performed without any need for authentication and the new forwarding rules generally aren’t visible in the web interface of the router.

About Jonathan

Jonathan Squire is a founding member of the Information Security Group of a well known publishing and media company. While working at his day job, Jonathan is credited with accomplishments that include developing an Information Security model for the enterprise, architecting a secure, centralized credit card processing solution, and guiding the design of the security infrastructure deployed throughout many customer facing properties. Mr. Squire is also responsible for providing direction in governance and industry best practices. In his spare time, Jonathan is known to enjoy disassembling any piece of technology that cost more than $20 just to find out what else it can do. This propensity for abusing technology is easily witnessed by viewing the buckets of broken parts strewn throughout his basement as well as the creations that rise from the rubble.