Discussion in 'Article Discussion' started by Gareth Halfacree, 30 Jan 2013.
Bad implementation leaves data at risk.
I was hoping to wake to "googe launches new monster graphics card that indexes web when not in use - therefore free for everyone" instead, i got "your router might be helping the baddies"
Comments on the white paper:
"Exploit checker released with this article requires JAVA to be installed on the computer.... but we already deleted Java per recommendations of exploitable flaws"...
Why has this taken so long to be made so public is it because so much tech is now connectable using UPnP, everything from phones to smart TV's (Oh no, has google been tracking what TV programs I watch ) use it as most people are not going to be port forwarding their routers to allow these devices internet access.
From what I have been reading on this subject IT Admins never allow UPnP anyway as they are obviously aware of the vulnerability so it's mainly home users and the ports UPnP uses (UDP port 1900 and TCP port 2869) are not common ports which you would have open to the internet anyway.
With so many machines seemingly vulnerable why has this exploit not been used more or have people just not realized that it has been used? Surely if it was so easy to access a machine via UPnP then hackers would use this method rather than trying to get malware on PC's which can then often open ports and allow access?
The fact that UPnP remains active even when apparently disabled in some routers is a concern so might be worth doing a port check at "Shields Up" to confirm that the ports are closed after being disabled in your router.
Strange, any mention of peoples privacy/info having been compromised by the likes of google, accidentaly or intentionally, and the stuff hits the fan but when a truly dangerous exploit/vulnerabilty is proven to exist in tens of million of PC's/routers hardly anyone has anything to say on the matter, guess we all need a big "evil" name to blame these days
Gibson research have been banging on about uPnP years on their website for years. I'm surprised the US government (of all people) has taken this long to realise its potential security thread.
Yes they have I forgot to mention that when I recommended a port check at Shields Up which I have been using/reading for years
I'm amused that the "security threat" boils down to "the internet works like it's actually supposed to again."
NAT is not a security feature, it was never intended AS a security feature, and the "security" it provides is an unintentional side-effect of broken basic functionality.
Separate names with a comma.