Universal Plug and Play
Universal Plug and Play ( UPnP ) is used for vendor-independent control of devices (audio devices, routers, printers, home controls) over an IP -based network, with or without central control through a residential gateway. It is based on a series of standardized network protocols and data formats.
UPnP was originally introduced by Microsoft; now specifies the UPnP Forum UPnP standard and certifies devices that meet the standard.
- 3.1 vulnerabilities that were discovered in 2013
UPnP is particularly characterized by the following features:
- A control point (eg handheld ), the devices found (eg stereo) without user interaction.
- All transport media that support IP communication can be used, for example, Ethernet, wireless (Bluetooth, Wireless LAN), FireWire ( IEEE 1394).
- There are standardized protocols and procedures such as IP, UDP, Multicast, TCP, HTTP, XML, SOAP, etc..
- A UPnP device or control can be implemented in any IP-enabled operating system and with different programming languages .
- UPnP provides opportunities for vendor-specific extensions.
Sequence (UPnP Networking)
Addressing ( Addressing)
Since the base of UPnP is an IP network, a device or control point must have first have a valid IP address. By what means was this IP address obtained ( eg DHCP, Zeroconf, manual IP configuration ), it does not matter.
Localization ( Discovery )
When a UPnP device has an IP address, it must report to the control points of its existence in the network. This is done via UDP multicast address 126.96.36.199:1900 based on the Simple Service Discovery Protocol ( SSDP ). Also, search the network control points for UPnP devices. In both cases, the "discovery message" contains only the most important information about the device and its services, such as device name, device type and a URL to the detailed description of the device.
Description ( Description)
After a checkpoint has found a device, it obtains via HTTP over TCP / IP, the description of the device from the URL, which was communicated to him in the localization. This is the unit in the form of an XML document is available. The description includes information about the manufacturer, serial number, URL addresses for the control, events and presentation. For each service provided by a device, commands and actions as well as data types and ranges to be specified. The description includes not only the services that it offers, including all embedded devices and their services.
Control ( Control)
Based on the information received from the description document of the device, the control point, he can now send SOAP messages to the control URL of the device to control this.
Event messages ( event notification )
To prevent a device constantly needs to query the state of a service or a status variable (included in the description document of the device), UPnP uses XML-based General Event Notification Architecture ( GENA ). With GENA control points can device status information Subscribe; thus they are automatically notified of every change of a status variable. These are "event messages" sent that contain the state of the subscribed variables that have changed.
Presentation ( Presentation )
Presentation is an alternative to the control and event messages. About the Presentation URL, which will be announced in the description ( Description), can be accessed on the device via a web browser. This gives the manufacturer the opportunity to ask as well as standardized access via UPnP an alternate user interface.
UPnP provides a way to have a simple way for the user router to open ports and corresponding requests from the Internet to pass on a computer which is connected via NAT to the Internet using the IGD protocol (Internet Gateway Device). Such redirects are necessary, for example for file sharing, file transfers in instant messaging programs and video conferencing. While you can set fixed input ports in some programs, for which then the NAT router manual, permanent redirect rules are created (with multiple workstations at each its own port with its own rule), other programs with variable input ports on UPnP dependent, especially if several workstation use these services and not all ports potentially used can be forwarded to a single workstation. For example, the Windows Live Messenger rely on it. Applying it can also programs such as uTorrent in Pidgin 2, Apple iChat, eMule Version 0.48a, Miranda IM Version 0.6, Transmission, Vuze and ANts P2P.
Another common field of application is the distribution of multimedia content on the local network. This files are provided using a UPnP media server on a PC or NAS. Corresponding devices ( UPnP Media Renderer) can search the contents of the server, filter, sort, and of course to play. What formats are played depends on the terminal. UPnP media renderers are offered by various manufacturers for several years.
Vulnerabilities that were discovered in 2013
UPnP should be enabled only on network interfaces for the local network and not reachable from the Internet. In January 2013 announced the security company Rapid7 from Boston that they have been looking in a 6- month project by UPnP devices on the Internet. They found 6900 Products of 1500 manufacturers under 81 million IP addresses that responded to UPnP requests from the Internet. 80 % of the devices are home routers for Internet access, other devices are printers, webcams and surveillance cameras. Using the UPnP protocol can be accessed on these devices, or they can even be manipulated.