CATEGORIES
home News

Millions Of Phones, Routers And Smart TVs Vulnerable To Old Unpatched Security Hole

by Brandon HillFriday, December 04, 2015, 04:00 PM EDT

Security researchers thought that we were all rid of a pesky vulnerability that was initially patched over three years ago. The exploit takes advantage of code lurking within the “libupnp” library, which is included in the Portable SDK for UPnP Devices used for DLNA media playback.

However, some lax vendors have failed to include newer versions of the SDK with an updated version of libupnp, leaving millions of devices that we use everyday exposed -- 6.1 million devices to be exact, including smartphones, routers and smart TVs.

In addition to hardware vendors, it’s also been discovered that 547 apps use the outdated version of libupnp. Amazingly, over half, 326 apps, are available via the Google Play Store. Some of the most high-profile apps that were until recently still using the older version of libupnp include Netflix, the popular streaming app, and QQMusic, an app used by over 100 million Chinese users. QQMusic uses version of 1.6.17 of the SDK, which dates back to April 2012, while Netflix is using an even older version (1.6.13).

libupnp smart tv
One Smart TV susceptible to the libupnp exploit (Source: Trend Micro)

What makes libupnp so troubling is that a stack overflow can be invoked using Simple Service Discovery Protocol (SSDP) packets. Buffer overflows can then be used to cause an actual crash, but that’s not all that can be accomplished by someone skilled enough to take advantage of the exploit.

“With further research an exploit could be used not just to cause a crash, but to run arbitrary code on an affected device,” said Veo Zhang of Trend Micro. “The ability to run arbitrary code would give the attacker the ability to take control of the device, as on a PC.”

While smartphone OEMs (and more specifically, U.S. carriers that often pull the strings when it comes to software updates) don’t exactly have the best track record when it comes to updating devices, researchers are most worried about routers and smart TVs, which are often updated an even more sporadic schedule. 

After being contacted about the vulnerabilities by Trend Micro, QQMusic developer Tencent acknowledged and released a fix for the exploit in its Android app. Likewise, the Linphone SDK has also been patched to address the outdated library. Given the press that this issue is now receiving, we have the feeling that other app developers and OEM manufacturers are going to start issuing updates as well.

Tags:  Android, SDK, exploit, libupnp, portable sdk for upnp devices
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment