A researcher has demonstrated an attack vector that uses Adobe Flash to exploit a vulnerability in networking devices that support UPnP. An attacker only needs to convince a user to open a URL with the malicious file. A successful exploit will open the floodgates to the remote control and configuration of UPnP-enabled devices.This causes concern, because many vendors ship devices with UPnP enabled by default. The devices that are affected includes routers, cameras, printers, mobile phones, and digital entertainment systems. Well-known security researcher Petko D. Petkov explains that:
[The exploit] will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of [at will]. It is also possible to reset the admin credentials and create the sort of onion routing network all the bad guys want.
This specific attack occurs via a maliciously crafted SWF file that is contained in a Web site. When the Web site is visited, changes may occur to a router's configuration via UPnP. This may allow an attacker to change any parameter on the router or device that can be set by UPnP.Read more details about this "highly severe" exploit:
The US-CERT recommends that users consider disabling UPnP. Have you disabled UPnP on your home router yet?
Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.