You know by now that Internet of Things devices like your router are often vulnerable to attack, the industry-wide lack of investment in security leaving the door open to a host of abuses. Worse still, known weaknesses and flaws can hang around for years after their initial discovery. Even decades. And Monday, the content and web services firm Akamai published new findings that it has observed attackers actively exploiting a flaw in devices like routers and video game consoles that was originally exposed in 2006.
Over the last decade, reports have increasingly detailed the flaws and vulnerabilities that can plague insecure implementations of a set of networking protocols called Universal Plug and Play. But where these possibilities were largely academic before, Akamai found evidence that attackers are actively exploiting these weaknesses not to attack the devices themselves, but as a jumping off point for all sorts of malicious behavior, which could include DDoS attacks, malware distribution, spamming/phishing/account takeovers, click fraud, and credit card theft.
To pull that off, attackers use UPnP weaknesses in commercial routers and other devices to inject port-forwarding rules into the device's NAT table, so that a connection to the device's public address on a chosen port is silently relayed to another host. Chaining such rules across many exposed devices reroutes traffic over and over again until it is nearly impossible to trace. This creates elaborate "proxy" chains that cover an attacker's tracks, and creates what Akamai calls "multi-purpose proxy botnets."
“We started talking about how many of these vulnerable devices are out there and what can they be leveraged for, because most people seem to have forgotten about this vulnerability,” says Chad Seaman, a senior engineer on the security intelligence response team at Akamai. “As part of that we had to write some basic tools to find what was vulnerable. And some of these machines did have very abnormal [activity] on them. It was not something that we honestly expected to find and when we did it was kind of like ‘uh oh.’ So this theorized problem is actually being abused by somebody.”
Down With UPnP
UPnP helps devices on a local network find and essentially introduce themselves to each other, so that a server, say, can discover and vet the printers on a network. It is a bundle of protocols layered on the usual ones: devices announce and discover each other over SSDP (UDP port 1900), publish an XML description of the services they offer, and accept control commands for those services over SOAP. One of those services, on a home router, lets a device on the LAN ask the router to open a port mapping for it automatically, which is how a gaming console or a video-streaming application gets an unrestricted inbound path without anyone editing firewall rules. UPnP is meant to be used only inside a trusted network; the trouble described here starts when a device also answers these requests on its internet-facing interface.
When IoT devices expose these mechanisms to the open internet without requiring authentication, or when credential checks are easily guessable or can be brute forced, attackers can scan for devices that get several of these protocols wrong at once, and then exploit that series of manufacturer missteps to launch an attack. The UPnP specification itself has no authentication for these control commands; it assumes that anyone who can reach the service is already on the trusted side of the router.
That's also how the Akamai researchers found the malicious UPnP proxy schemes. Akamai says it found 4.8 million devices on the open internet that improperly answered an SSDP discovery query sent to their public address. Of those, about 765,000 also exposed the UPnP control service itself on that interface, a secondary implementation issue that means anyone on the internet can send the same port-mapping commands that a device on the LAN is supposed to send. And on more than 65,000 of those, Akamai saw evidence that attackers had already used that access to inject one or more malicious port mappings into the NAT table that controls the router's traffic flow. Those final 65,000 devices were grouped together in various ways and ultimately pointed to 17,599 unique IP addresses to which attackers were bouncing traffic to mask their movements.
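The three-stage check described above, as an added example rather than Akamai's own tooling: parse a router's SSDP reply, locate the WANIPConnection control endpoint in its device description, build the SOAP request that walks the NAT table, and flag any mapping whose "internal" client is not actually a LAN address. A live scanner would send the M-SEARCH to UDP 1900 on the public address, fetch the LOCATION URL, and POST the SOAP body to the control URL; this version runs offline on constructed sample data (documentation-range IP addresses, a made-up description document and two invented port-mapping responses).

```python
"""UPnProxy triage helpers: SSDP reply -> control URL -> NAT table -> injected mappings.

Added example, not Akamai's scanner. All sample data below is constructed.
"""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urljoin

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
# Addresses a legitimate LAN-side mapping should point at.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_ssdp_response(raw: str) -> dict:
    """Turn an HTTP-over-UDP SSDP reply into a dict of upper-cased headers."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def find_control_url(description_xml: str, location: str) -> Optional[str]:
    """Return the absolute controlURL of the WANIPConnection service, if advertised."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        if svc.findtext(f"{{{DEVICE_NS}}}serviceType") == WANIP:
            return urljoin(location, svc.findtext(f"{{{DEVICE_NS}}}controlURL"))
    return None


def build_get_mapping(index: int) -> tuple:
    """Headers and body for GetGenericPortMappingEntry(index), the call that
    enumerates the NAT table one entry at a time (no authentication in the spec)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    return headers, body


def parse_mapping(soap_response: str) -> dict:
    """Collect the New* fields of a GetGenericPortMappingEntry response."""
    out = {}
    for el in ET.fromstring(soap_response).iter():
        tag = el.tag.split("}")[-1]
        if tag.startswith("New"):
            out[tag] = (el.text or "").strip()
    return out


def is_injected(mapping: dict) -> bool:
    """A mapping whose InternalClient is not a LAN/loopback address relays
    inbound traffic to an outside host: the UPnProxy signature."""
    try:
        client = ipaddress.ip_address(mapping["NewInternalClient"])
    except (KeyError, ValueError):
        return False
    return not any(client in net for net in LOCAL_NETS)


def triage(ssdp_raw: str, description_xml: str, soap_responses: list) -> dict:
    """Run the three checks on already-captured responses."""
    location = parse_ssdp_response(ssdp_raw).get("LOCATION")
    control = find_control_url(description_xml, location) if location else None
    mappings = [parse_mapping(r) for r in soap_responses]
    return {"answers_ssdp": location is not None, "control_url": control,
            "mappings": len(mappings), "injected": [m for m in mappings if is_injected(m)]}


# ---- constructed sample data (router WAN 192.0.2.10, proxy target 198.51.100.7) ----
SAMPLE_SSDP = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
               "LOCATION: http://192.0.2.10:5431/rootDesc.xml\r\n"
               "SERVER: Linux UPnP/1.0 exampled/1.0\r\n"
               "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
SAMPLE_DESC = (f'<?xml version="1.0"?><root xmlns="{DEVICE_NS}"><device>'
               '<serviceList><service>'
               f'<serviceType>{WANIP}</serviceType><controlURL>/ctl/IPConn</controlURL>'
               '</service></serviceList></device></root>')


def _mapping_response(ext_port: int, int_port: int, client: str) -> str:
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
            f'<NewProtocol>TCP</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            '<NewPortMappingDescription></NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SAMPLE_MAPPINGS = [_mapping_response(25565, 25565, "192.168.1.50"),   # a console on the LAN
                   _mapping_response(45921, 80, "198.51.100.7")]      # relays to an outside host

if __name__ == "__main__":
    print(triage(SAMPLE_SSDP, SAMPLE_DESC, SAMPLE_MAPPINGS))
```

The classifier is deliberately narrow: a legitimate console or application mapping always targets a LAN address, so an entry whose internal client is routable on the public internet can only exist because someone wrote it through the exposed control service. Against a real device you would loop `build_get_mapping` over increasing indices until the device returns the SpecifiedArrayIndexInvalid error, which marks the end of the table.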
Uptick in Attacks
Just because they have only been observed recently doesn't mean UPnP attacks haven't been around. Last month, for example, Symantec published evidence that an espionage group it tracks known as Inception Framework uses UPnP proxying on routers to obscure its cloud communications. But observers note that the strategy is probably not more common because the schemes are difficult to set up.
“In particular it’s annoying to build these attacks against hundreds of personal routers, and testing these attacks is hard too,” says Dave Aitel, who runs the penetration testing firm Immunity. “I’ve not seen it in the wild. That said, a working version would get you significant access.” He notes, though, that data leaks stemming from implementation mistakes, like the ones Akamai detected, make it easier for attackers to craft their attacks. For the manufacturers who developed vulnerable devices? “It falls under the ‘WTF were they thinking’ category,” Aitel says.
Notably, the Akamai researchers saw evidence that UPnP proxying isn't just being used for malicious activity. It also seems to be part of efforts to skirt censorship schemes in countries like China to gain unfettered web access. Even when a user is behind the Great Firewall, they can use a proxy network built on exposed devices to query web servers that would normally be blocked. Akamai's Seaman notes that the group approached publishing its research carefully, since plugging these holes will limit people's ability to exploit them for access to information. Ultimately, though, they concluded that the risks must be addressed, especially given how long the vulnerabilities have been known.
Users generally won't notice if their devices are being exploited for UPnP proxy attacks, and there is little they can do to defend themselves if they have a vulnerable device besides replacing it. Some devices allow users to disable UPnP entirely, at the cost of the automatic port forwarding that game consoles and some applications rely on; the exposure that matters here is the device answering UPnP requests on its internet-facing interface, something no router should ever do, and not every firmware offers a setting that distinguishes the two. Though more and more devices have improved their UPnP implementations over the years to avoid these exposures, Akamai found 73 brands and almost 400 IoT models that are vulnerable in some way. The CERT Coordination Center (CERT/CC), which tracks and warns about vulnerabilities, wrote in a note to impacted brands that, "CERT/CC has been notified by Akamai that a large number of devices remain vulnerable to malicious NAT injections. …This vulnerable behavior is a known problem."
The whole point of proxying is to cover your tracks, so a lot is still unknown about how attackers use UPnP proxying and for what. But Akamai’s goal is to raise awareness about the problem to ultimately reduce the number of vulnerable devices that exist. “It was one of those things where it was like, this would be bad and it could be used for these attacks, but no one ever actually found it being used for that,” Akamai’s Seaman says. Now that it has been, hopefully manufacturers will finally do something about it.