Slashdot Mirror

← Back to Stories (view on slashdot.org)

A 100,000-Router Botnet Is Feeding On a 5-Year-Old UPnP Bug In Broadcom Chips (arstechnica.com)

Posted by BeauHD on from the universal-plug-and-play dept.

An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.

39 comments

  1. In other news... by Anonymous Coward · · Score: 0

    In other news, water is wet.

    Unless you want to follow that up with an article about a major ISP trying to pawn vulnerabilities in its own hardware off on its consumers, it isn't news.

    1. Re: In other news... by Anonymous Coward · · Score: 0

      Why do they call it universal? Itâ(TM)s never truly universal. Sure, a major brand supports it and it seems universal. Sometimes you spend an inordinate amount of time trying to cancel the pnp wizard so you can just download drivers. Up to half of my device have zero support from pnp but the rest work as advertised. I feel bad for the average user who may not figure it out. A little expertise goes a long way. As far as botnets go, I seriously doubt they counted right. That net could be anywhere. The fixation on hacking with bots too shrill. A good router will keep all the nasty stuff away better than any antivirus even though they can seem pricy

    2. Re: In other news... by Z00L00K · · Score: 1

      The only way to use UPnP - turn it off! It's a security hole the size of Grand Canyon.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re: In other news... by shaitand · · Score: 2

      In case you aren't joking, upnp is "Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services"

      It is completely different from plug and play discover of devices within your machine. It is basically a protocol that lets malware, worms, etc forward ports for themselves in your router. The entire protocol is a massive security bug implemented across pretty much all consumer routers because of a combination of software vendors not bothering to document needed ports, being too lazy to actually maintain consistency and a small footprint on ports, and people being too dumb to educate themselves on how to open ports.

      Sadly, many console gaming systems just assume you are running it and play fast and loose on ports, requiring people to run completely unsecured or not fully enjoy their console.

      For those of us who don't game, the choice has always been simple, just say no to upnp.

  2. Is mine one of them? by Anonymous Coward · · Score: 0

    How can I know if my router is one of them?

    1. Re: Is mine one of them? by Anonymous Coward · · Score: 0

      Email the manufacturer

    2. Re:Is mine one of them? by ledow · · Score: 5, Insightful

      A) Do you have UPnP enabled.
      B) If yes, turn it off.

      UPnP is an *UTTERLY UNNECESSARY* service (speaking as an IT Manager, gamer, and someone who hosts gaming servers etc.), that when exposed to the Internet allows ANY local device to forward ANY network port to ANY IP/port combination with NO authentication whatsoever.

      Even privileged ports and local ports.

      I can literally redirect your port 139 (e.g. CIFS/SMB) to a host on the Internet if I wanted, or open command/control ports and punch holes through your firewall wherever I want.

      All this is is a UPnP flaw that allows you to do the same remotely, but literally any device on your local network can already do it without any logs, authentication, or notification that they are doing so (e.g. your ChromeCast / laptop / Amazon Echo / Nest doorbell could be opening up your telnet port and sending it to themselves once every hour, and you'd pretty much never know anything about it).

      Turn it off. Watch how nothing changes and all your systems still work as intended.

      And, if you absolutely, 100% must host servers on your own connection (not just "play games" but literally host servers with no matchmaking servers present) then you add a single port-forward yourself and job-done.

      P.S. No, this does not affect local device discovery, etc. so your Chromecast etc. will still work perfectly fine on your home network anyway.

      Case in point: I've never had UPnP turned on on anything, I have 1000 Steam games that play just fine, plus ChromeCasts and all kinds of kit. Not a single problem.

    3. Re:Is mine one of them? by Woldscum · · Score: 1

      Quite a few wireless inkjet printers need it and WPS to connect to a network. Cannons for instance.

    4. Re: Is mine one of them? by coastwalker · · Score: 2

      The list is copied to the comments on the first Ars link in the article. https://arstechnica.com/inform...

      The source is said to be a pdf on the Netlab 360 site which is currently very slow to respond.

      A copy of the list will not post here because it is too few characters per line to get past the spam checker.

      --
      Facts are history now plebs have politics for religion on social media.
    5. Re:Is mine one of them? by gweihir · · Score: 3

      Also, UPnP is just another extreme fuckup by Microsoft.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Is mine one of them? by ledow · · Score: 1, Troll

      No.

      They don't.

      And if they do, stop buying them.

      But they don't.

      Literally, it's "auto-port-forwarding". Any printer that NEEDS that, you don't want. Not even Google Cloud Print requires that.

      WPS is entirely unrelated.
      UPnP "Discovery" over the local network is entirely unrelated (and not affected by turning off UPnP on the router) - that's the only mention of UPnP that I can find on any of Canon's sites... they are talking about allowing UPnP through the software firewall on a client machine so it can talk over the local network - NOT on the router at all.

    7. Re:Is mine one of them? by drinkypoo · · Score: 1

      "Case in point: I've never had UPnP turned on on anything, I have 1000 Steam games that play just fine, plus ChromeCasts and all kinds of kit. Not a single problem."

      This is probably true today. Games are now designed to work without it. However, back when upnp was introduced it was the only reasonable way for non-network admins to get a hole through their firewall. And yes, it was necessary just to play online, not only for hosting.

      As an it manager, you probably ought to know this already. Some legacy software won't work without it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re: Is mine one of them? by BringsApples · · Score: 1

      Routers with vulnerable Broadcom UPnP stack are mostly based on Broadcom chipset. You can check how many manufacturers use Broadcom chipset here (search for Broadcom, brcm or bcm).

      --
      Politics; n. : A religion whereby man is god.
    9. Re: Is mine one of them? by Anonymous Coward · · Score: 0

      Root cause appears to be string handling. A 5 minute fix that should have also go caught by code audits. Now Broadcom also have stuff in Android and mobile phones. Like Cisco, a reason to shun their offerings as 'professional' is not a goal. I can see why Google and Facebook make their own routers.

    10. Re: Is mine one of them? by Anonymous Coward · · Score: 0

      Yeah.. the same "routers" that got popped through poisoned BGP updates and redirected to China, Russia and Nigeria over the weekend?

      Read a little more next time.. FB, Google and AWS built their own whitebox ToR switches, not routers.

    11. Re: Is mine one of them? by Anonymous Coward · · Score: 0

      Ffs.

      You do realise most attacks these days don't need ports open to work.

      Its really not as much a security risk as people claim honestly

    12. Re:Is mine one of them? by Anonymous Coward · · Score: 0

      I was very unhappy to discover this. The drivers won't even allow you to configure network settings manually. I ended up turning it on long enough to get the printer set up and then turned all that crap off and the printer continues working....

  3. Surprise by Anonymous Coward · · Score: 0

    Suprise !

    =insert maniacal laughter here=

  4. I'm safe by Anonymous Coward · · Score: 0

    My router is so old nobody has the instruction manual for it anymore.

    1. Re:I'm safe by Anonymous Coward · · Score: 0

      Two soup cans and some twine? It's important to keep the data pipeline tensioned on those, otherwise you get low SNR and packet loss.

    2. Re:I'm safe by Anonymous Coward · · Score: 0

      Nobody keeps instruction manuals for networking equipment, those are always available as PDFs from the vendor. Surely no still functioning Internet equipment is too old for that?

  5. Broadcome responds to the news. by 140Mandak262Jamuna · · Score: 4, Funny
    Spokesman for Broadcom, Corpor Atethief has responded to these news reports:

    "The botnet is run by criminals and instead of blaming the criminals, and the ineptitude of the law enforcement, the narrative has been to attack the job creators and the legitimate businesses. Broadcom has created thousands of jobs and has created millions of dollars for its shareholders. It would be really unfortunate if such stellar corporate performance is undone due to onerous job killing regulations by the Washington bureaucrats. We call for the government to catch the criminals and bring them to justice.

    We also take this time to announce our new great business venture. We are getting into home building. We hope to make homes more affordable by removing useless things like locks and latches. They interfere with the aesthetics of the homes without significantly adding to the comfort and the utility of the home. Being the job creators, we implore the municipalities to do their job of law enforcement, so that we dont need these locks and latches and other security devices. As a publicly traded company, it is our mission to use other people's money to make huge load of profits, take as much as possible as executive compensation, throw some bones to the wall street and externalize as much of our costs as possible, because we are job creators."

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Broadcome responds to the news. by Anonymous Coward · · Score: 0

      Thats some funny shit right there Jamuna.
      Bravo!

    2. Re:Broadcome responds to the news. by Anonymous Coward · · Score: 0

      Most household door locks are like household router firewalls. They're just enough to keep the kids from running in and turning tables over but you turn any serious threat against them and they'll fail every time.

    3. Re:Broadcome responds to the news. by Anonymous Coward · · Score: 0

      Silence pinko, your sarcasm hold no real content. You neither make a case nor disprove one, you are the egg whites of posts. All filler no calories.

  6. re: inkjet printers by King_TJ · · Score: 1

    Quite frankly, the inexpensive consumer-grade inkjet printers do a generally awful job of networking, across the board.

    One of the big issues I've encountered is that almost all of the wi-fi enabled printers still only support the 2.4Ghz band, which tends to become very crowded with SSIDs if you're in a multi-story office or apartment complex. So not only can you struggle to get a wireless frequency that's usable and reliable, but often, the number of SSIDs exceeds the memory allocated to display them in a scrolling list on the printer's front panel! I've had HP DeskJet printers that would only let you select your own wireless SSID one out of every 2 or 3 times you did a scan for them, because there were too many in the list and it truncated a bunch of them.

    I'm not sure why a wireless printer would require uPnP support enabled on a router though? As far as I've ever seen, the uPnP thing on the router only exists as an attempt to automate the process of opening firewall ports for applications that require them. With it disabled, you should still be able to get anything to work on your LAN by finding out what ports it actually uses to communicate with the outside world and manually port forwarding them to those devices, in your router.

    (Disabling it doesn't stop your devices on your local network from doing automatic searches or scans. So for example, a printer driver should be able to auto-detect a new inkjet printer you connected to your LAN by probing for its MAC address, regardless of uPnP being enabled.)

  7. One of the reasons why I switched to Ubiquity by Anonymous Coward · · Score: 0

    2 years ago I switch my home network to ubiquity. So far.. no problems.

    1. Re:One of the reasons why I switched to Ubiquity by Anonymous Coward · · Score: 0

      Same here. Between UNMS and Unifi, it's easy to keep all the firmware current and the performance is much better than your average consumer kit.

    2. Re:One of the reasons why I switched to Ubiquity by aitikin · · Score: 1

      Did they finally get in compliance with the GPL? I don't remember hearing about it/following the story recently, but I recall that being a sticking point the last time I was looking at routers as they had been...obfuscating it for a while.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  8. Re: inkjet printers by Anonymous Coward · · Score: 0

    To support printing from mobile devices while away from home. Lets you print while on the go and grab it off your printer when you return home

  9. You plug and pray protocol by foxalopex · · Score: 3, Informative

    uPnP is almost useless in that it automatically allows your OS that supports it to crack a hole into the real world right through your NAT firewall. I've always disabled it because it sounds like a security risk and ontop of that in many cases it was pretty buggy.

  10. Re: inkjet printers by Anonymous Coward · · Score: 0

    To support printing from mobile devices while away from home. Lets you print while on the go and grab it off your printer when you return home

    You are willing to expose yourself to a serious security hole because you are unwilling to wait 5 minutes inside your own home for something to print?

    How selfishly "I WANT IT NOW!" can you get?

  11. Old news. Right? by Anonymous Coward · · Score: 0

    This is old news. Right? I've been disabling this function on every router I've owned since reading that it is a security risk in 2008 or 2009.

  12. Not a bug in "Broadcom Chips" by RoadKill · · Score: 1

    Read the security report carefully. This is *not* a bug in "Broadcom chips". It is a bug that exists in an open-source package (miniupnp) that was used by certain vendors for their wireless routers. Please fight the FUD.

    1. Re:Not a bug in "Broadcom Chips" by RoadKill · · Score: 1

      Sorry correction the bug is /not present/ in miniupnp but in a different implementation of that protocol. But it's a lot different to say "it's a but in a chipset" instead of "a software bug".

  13. Re: inkjet printers by Anonymous Coward · · Score: 0

    I don't worry about that cause i use google print services which doesn't do this lame UPnP bullshit. It creates a tunnel out to google's print services, your mobile device then connects to google's print services and pushes the print job though the tunnel.

    And yes this kind of stuff does come in handy sometimes. Lets say you're mobile and purchase something and want a hard copy receipt or a printed ticket. You may or may not be able to go back at a later time and bring up that page to print it out. But with these mobile print services you just hit print, your job fires off though the internet back to your printer at home and your hard copy awaits your return be it hours or days later.

    Yes of course you have to trust that your print job is passing though googles services, if you want to accept that, its up to you. But google's print services are just about the only way to get seamless OS wide printing on Android. You cannot map SMB shared printers to an android device, whats more such a setup would also require you to establish a VPN connection back to your home to talk to the SMB shared printer, something the average joe doesn't have the knowledge or care to do.

  14. Default UPnP ports service by Anonymous Coward · · Score: 0

    I transfered residence 3 years ago and naturally applied for a new Fibre connection, was suprised when I discovered that the new router freely supplied by the ISP had so many opened ports including UPnP port. I emailed my ISP on why this is open by default and how I can close it because there's no kill command on the shell console of the router, the usual answer is that this is beyond the job of the technician and I need to contact the programmers who built the router. The company who built this router is on the same region but different country. What's the best course of action now, whith this new UPnP issue popped up in tech news sites. I can probably buy a new router but there seems to be some hard coded keys and router MAC address which is related to my current ISP subscription.