[Cryptography] [FORGED] Will We Ever Learn?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Apr 10 00:56:25 EDT 2018
Aram Perez <aramperez at mac.com> writes:
>it has observed attackers actively exploiting a flaw in devices like routers
>and video game consoles that was originally exposed in 2006.
I would say UPnP has been flawed since the early 1990s, in that the entire
protocol is a security flaw. Its sole security "feature" is that it relies on
UDP and you can't do that from JavaScript in a browser, but otherwise anything
on your network that can talk UDP (for example a random app on your phone) has
complete control of a UPnP device. Having a router suddenly open up ports to
sites in China when you plug in a webcam, as normal functioning of the UPnP
protocol, is something that really shouldn't be happening.
Peter.