A researcher has demonstrated an attack vector that uses Adobe Flash to exploit a vulnerability in networking devices that support UPnP. An attacker only needs to convince a user to open a URL with the malicious file. A successful exploit will open the floodgates to the remote control and configuration of UPnP-enabled devices.
This causes concern, because many vendors ship devices with UPnP enabled by default. The devices that are affected includes routers, cameras, printers, mobile phones, and digital entertainment systems.
Well-known security researcher Petko D. Petkov explains that:
[The exploit] will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of [at will]. It is also possible to reset the admin credentials and create the sort of onion routing network all the bad guys want.
A more technical explanation, according to US-CERT:
This specific attack occurs via a maliciously crafted SWF file that is contained in a Web site. When the Web site is visited, changes may occur to a router’s configuration via UPnP. This may allow an attacker to change any parameter on the router or device that can be set by UPnP.
Read more details about this “highly severe” exploit:
- Hacking The Interwebs (Gnucitizen)
- Flash UPnP Attack FAQ (Gnucitizen)
The US-CERT recommends that users consider disabling UPnP. Have you disabled UPnP on your home router yet?