UPnP Flaw Leaves Millions of Networked Devices Vulnerable to Attack

16 Comments


Chumly

Steve Gibson, the guy from a decade ago and old news, is talking about it now at http://live.twit.tv/.

You can look up GRC and the "Security Now" episode there too bringing it back up. But it's not old news. Y'all are being so dismissive. If you acknowledge "it has gaping flaws", why are 81 million devices responding to a possible exploit?

Since this was posted and those that tested at GRC/Shields up, 1,400+ were open. Gibson/GRC also reports 22 probes are out there scanning just for this. Good or bad? Don't know...


Xiinc37

There's people who actually use this? Why not just set a WPA2 password like normal and call it good?


compguytracy

Scan tool almost looks like malware, collects personal data before it will run, and does not give a solution on how to fix any problems. This piece of foistware is unusable in its current form. Boo MPC, Boo.


Danthrax66

I was under the impression that it was affiliated with Metasploit, which is used for professional penetration testing of networks. You can fill in bullshit information and it still runs.


aangen

That was a load of crap. Poor job Lily.


noobstix

The "program" itself looks like some rogue AV P.O.S.


raymondcarver

Nope. Not going to do it.

Never heard of this company.

ALSO:
.... There's no good reason ANYONE should use a "security-checker" that requires Java.


markstrelecki

You gotta be kidding me....

I gotta install a seriously insecure POS just to scan my system for insecurities?

Paul, this is the last straw, man.

I am OUT of your fan club.


Paul_Lilly

Nooo


Bam-Bam

In reading this story I'm being led to believe that there are millions of vulnerable IPs out there due to this UPnP flaw. Thus, enter Rapid7 to the rescue as our knight in shining armor to save us mere mortals from ourselves. Just simply download and install their free scanning tool. I do. I run the installer. Then . . . we so sorry, you must run Java to use our tool!

After all the heartache that we just went through to completely rid ourselves of JAVA across our entire network (as per virtually every security expert's advice on the planet) -- now, along comes Rapid7 and requires that we install a known vulnerable security risk on our computers just so their software can scan our networks for "security vulnerabilities"?

You have to be kidding, right?

No way, Josie! Quickly deleted and moving on . . . Thanks, anyway.


Joe The Plummer

That ScanNow tool requires you to give them your name, your company's name, your company's annual revenue figure, your second-born child, so that tool is useless.


Opm2

Nothing is preventing you from using fake info.


DoctorX

nice


DoctorX

Old news... move along... there is nothing to see here. Never enable UPnP on your router.


ThomasLG

That UPnP has gaping flaws isn't news: http://www.grc.com/unpnp/unpnp.htm

This was posted over a decade ago. I haven't looked into the details of this latest exploit, but the fact that it exists doesn't surprise me.


aaronj2906

No kidding. They probably discovered this on their best workstation... ya know.. the one running a blistering-fast slot 1 P3 733. :)
