Millions Of Phones, Routers And Smart TVs Vulnerable To Old Unpatched Security Hole

Security researchers thought that we were all rid of a pesky vulnerability that was initially patched over three years ago. The exploit takes advantage of code lurking within the “libupnp” library, which is included in the Portable SDK for UPnP Devices used for DLNA media playback.

However, some lax vendors have failed to ship newer versions of the SDK with an updated version of libupnp, leaving millions of devices that we use every day exposed -- 6.1 million devices to be exact, including smartphones, routers and smart TVs.

In addition to hardware vendors, it’s also been discovered that 547 apps use the outdated version of libupnp. Amazingly, over half, 326 apps, are available via the Google Play Store. Some of the most high-profile apps that were until recently still using the older version of libupnp include Netflix, the popular streaming app, and QQMusic, an app used by over 100 million Chinese users. QQMusic uses version 1.6.17 of the SDK, which dates back to April 2012, while Netflix is using an even older version (1.6.13).

One Smart TV susceptible to the libupnp exploit (Source: Trend Micro)

What makes the libupnp flaw so troubling is that a stack overflow can be triggered using Simple Service Discovery Protocol (SSDP) packets. The resulting buffer overflow can be used to crash the device, but that’s not all that can be accomplished by someone skilled enough to take advantage of the exploit.

“With further research an exploit could be used not just to cause a crash, but to run arbitrary code on an affected device,” said Veo Zhang of Trend Micro. “The ability to run arbitrary code would give the attacker the ability to take control of the device, as on a PC.”

While smartphone OEMs (and more specifically, U.S. carriers that often pull the strings when it comes to software updates) don’t exactly have the best track record when it comes to updating devices, researchers are most worried about routers and smart TVs, which are often updated on an even more sporadic schedule.

After being contacted about the vulnerabilities by Trend Micro, QQMusic developer Tencent acknowledged and released a fix for the exploit in its Android app. Likewise, the Linphone SDK has also been patched to address the outdated library. Given the press that this issue is now receiving, we have the feeling that other app developers and OEM manufacturers are going to start issuing updates as well.
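For administrators who want to find affected devices on their own network, the following is an added example (not from Trend Micro or the original article) that audits captured SSDP messages for the SDK version advertised in the SERVER header. It assumes the device sends the stock "Portable SDK for UPnP devices/x.y.z" product token, which vendors can alter or strip; the sample captures and addresses are constructed, and the only version threshold used is 1.6.17, the newest release the article names as outdated.

```python
import re

# Product token stock libupnp builds place in the SSDP SERVER header
# (assumption: vendors may change or remove it, so a miss proves nothing).
SDK_TOKEN = re.compile(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", re.I)
# Newest SDK version the article names as outdated (QQMusic's 1.6.17).
NEWEST_KNOWN_OUTDATED = (1, 6, 17)

def parse_ssdp(raw: bytes) -> dict:
    """Return the headers of one SSDP message, names upper-cased."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:  # skip start line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def classify(raw: bytes) -> tuple:
    """Return (status, version string or None) for one captured message."""
    match = SDK_TOKEN.search(parse_ssdp(raw).get("SERVER", ""))
    if not match:
        return ("no-sdk-banner", None)
    version = tuple(int(part) for part in match.group(1).split("."))
    if version <= NEWEST_KNOWN_OUTDATED:
        return ("outdated", match.group(1))
    # Newer than anything the article lists: confirm against the SDK advisory.
    return ("check-advisory", match.group(1))

def audit(captures: dict) -> dict:
    """Map each host to its classification."""
    return {host: classify(raw) for host, raw in captures.items()}

# Constructed sample captures; hosts use the 192.0.2.0/24 documentation range.
SAMPLES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                  b"SERVER: Linux/3.4.0 UPnP/1.0 Portable SDK for UPnP devices/1.6.13\r\n\r\n",
    "192.0.2.11": b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  b"Server: Linux/2.6.32 UPnP/1.0 Portable SDK for UPnP devices/1.6.17\r\n\r\n",
    "192.0.2.12": b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.12:49152/desc.xml\r\n"
                  b"SERVER: Linux/4.1.0 UPnP/1.0 Portable SDK for UPnP devices/1.6.19\r\n\r\n",
    "192.0.2.13": b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n",
}

if __name__ == "__main__":
    for host, (status, version) in audit(SAMPLES).items():
        print(f"{host:12} {status:15} {version or '-'}")
```

A "no-sdk-banner" result only means the token was absent, so embedded copies of the library inside apps still need to be checked through the vendor's update notes.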