Manufacturers are being blamed for the security risks customers face from major flaws in the implementation of the UPnP standard that leaves tens of millions of network-enabled devices open to cyberattacks.
Security vendor Rapid7, which released a white paper on the vulnerabilities on Tuesday, says manufacturers do a miserable job at releasing timely firmware updates to fix security problems. Manufacturers whose products are affected by the UPnP vulnerabilities include Cisco-owned Linksys, Netgear, Belkin and D-Link.
[ Also on InfoWorld: UPnP flaws expose tens of millions of networked devices to remote attacks. | Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
"You have to keep in mind their business model. These are companies that make their money by every six months based on shipping their next round of devices," said HD Moore, chief security officer for Rapid7. "After two or three years from the first time they launched the device, it's really not worth the time or effort to maintain firmware updates for it."
Netgear declined to comment, while Belkin and D-Link did not respond to emails. Linksys said it was aware of the problem and advised customers to go to its website to find out whether their home router was affected and to learn hot to disable UPnP.
UPnP is a set of networking protocols that permits many consumer electronics to discover each other on a network. At that point, the devices can establish network services for data sharing, communication, media streaming and media playback control.
The protocols are designed for use in closed home networks. However, a misconfiguration of the UPnP protocol exposed many wireless routers, printers, media servers, IP cameras and smart TVs to cyberattacks, Rapid7 said.
A scan of the Internet from June to November last year found more than 80 million devices that responded to UPnP discovery requests, Rapid7 said. Tens of millions of the devices were susceptible to cyberattack as a result of any one of several vulnerabilities.
[In depth: Seven dealy sins of home office security]
In general, device manufacturers change hardware in products whenever they find cheaper components. At the same time, they only support product configurations that they are currently shipping, Moore said. As a result, products seldom get maintenance support for longer than one or two years, leaving it up to users to search for firmware updates, if they are even available.
"For the most part, once the device has been out there for a year or two, the vendor stops maintaining it, with some exception for devices that are more popular than others," Moore said. "I was talking to a vendor yesterday that said, 'If we're not shipping it; we're not supporting it.'"