Millions Of Phones, Routers And Smart TVs Vulnerable To Old Unpatched Security Hole

by Brandon Hill — Friday, December 04, 2015, 04:00 PM EDT

Security researchers thought that we were all rid of a pesky vulnerability that was initially patched over three years ago. The exploit takes advantage of code lurking within the “libupnp” library, which is included in the Portable SDK for UPnP Devices used for DLNA media playback.

However, some lax vendors have failed to include newer versions of the SDK with an updated version of libupnp, leaving millions of devices that we use everyday exposed -- 6.1 million devices to be exact, including smartphones, routers and smart TVs.

In addition to hardware vendors, it’s also been discovered that 547 apps use the outdated version of libupnp. Amazingly, over half, 326 apps, are available via the Google Play Store. Some of the most high-profile apps that were until recently still using the older version of libupnp include Netflix, the popular streaming app, and QQMusic, an app used by over 100 million Chinese users. QQMusic uses version of 1.6.17 of the SDK, which dates back to April 2012, while Netflix is using an even older version (1.6.13).

One Smart TV susceptible to the libupnp exploit (Source: Trend Micro)

What makes libupnp so troubling is that a stack overflow can be invoked using Simple Service Discovery Protocol (SSDP) packets. Buffer overflows can then be used to cause an actual crash, but that’s not all that can be accomplished by someone skilled enough to take advantage of the exploit.

“With further research an exploit could be used not just to cause a crash, but to run arbitrary code on an affected device,” said Veo Zhang of Trend Micro. “The ability to run arbitrary code would give the attacker the ability to take control of the device, as on a PC.”

While smartphone OEMs (and more specifically, U.S. carriers that often pull the strings when it comes to software updates) don’t exactly have the best track record when it comes to updating devices, researchers are most worried about routers and smart TVs, which are often updated an even more sporadic schedule.

After being contacted about the vulnerabilities by Trend Micro, QQMusic developer Tencent acknowledged and released a fix for the exploit in its Android app. Likewise, the Linphone SDK has also been patched to address the outdated library. Given the press that this issue is now receiving, we have the feeling that other app developers and OEM manufacturers are going to start issuing updates as well.

Tags: Android, SDK, exploit, libupnp, portable sdk for upnp devices

Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.

Which New GPU Is For You?

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now