When were UPnP and SSDP mainstream?

Universal Plug and Play (UPnP) was considered revolutionary when it was launched 19 years ago, in 2000, with Windows Millennium Edition. It was driven by the expectation that 'smart' devices in the home and the workplace would be discovered automatically by a Windows PC. This was the pre-IoT age, when technology and people were just starting to re-imagine how ordinary household devices would interact online. It is when Microsoft conceived a dedicated SSDP Discovery Service for Windows and added it to Windows Millennium Edition's aging DOS-based code.

The result was not only lackluster but a security nightmare: Windows became more vulnerable to cyberattacks, because SSDP and the built-in UPnP stack are simply one more attack surface on the Microsoft operating system.

UPnP was introduced into the NT-based Windows branch with Windows 2000 and has remained there to this day. The SSDP service that carries the UPnP function is enabled by default unless the user expressly disables it in services.msc.


What other uses does the SSDP service involve?

SSDP is also used by inexpensive network-enabled consumer devices sold to households that are not necessarily familiar with the technology, so the devices are either set up poorly or simply left with whatever the defaults allow. Gaming consoles such as the PlayStation in particular detect whether the network supports UPnP and configure themselves automatically, without any manual human intervention.

So whether or not a UPnP device is connected to the local network, the service is exposed and listens on the network. Cyber criminals who scan the Internet for Windows PCs with an exposed UPnP service can take advantage of it. The exposure is real, because a stack such as UPnP needs constant patching, yet its code is rarely upgraded. An open UPnP port on a machine with no UPnP hardware behind it lets even someone with limited knowledge use that machine in an SSDP DDoS attack, without the user being able to detect the activity.

Why is SSDP vulnerable?

One such attack against UPnP is SSDP reflection DDoS. The attacker sends a discovery query to the device with the source address forged to that of the attack target, so the device sends its response to the target instead of back to the attacker. Because an SSDP response is roughly 30 times the size of the query, abusing responding devices delivers far more data to the target than the attacker could send directly. Most such attacks come from port 1900, the port SSDP uses, but clever threat actors have also sent malicious payloads from randomized ports. Blacklisting attacks that arrive from irregular port numbers is extremely difficult: system administrators have to work out which of over 65,000 ports to block and which to allow.
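The following is an added example, not code from the original article, showing the two facts the paragraph above relies on from a defender's point of view: how the size of a discovery query compares with the size of the responses it triggers (the amplification an attacker profits from), and how SSDP reflection shows up in UDP flow records. The M-SEARCH query follows the UPnP format; the single-device response, the flow-record layout, the local network ranges, the alert threshold and every sample record are constructed here for illustration, as are the function names.

```python
"""Amplification ratio of SSDP and detection of reflection in UDP flow records.

Added example, not from the original article. The flow-record format
(proto src_ip src_port dst_ip dst_port bytes), the local network list,
the threshold and the sample records are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900

# M-SEARCH discovery query in the form a UPnP client multicasts on the LAN.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 1\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# Constructed unicast response from one device. A device asked for ssdp:all
# typically sends one such response per service it advertises, so the bytes
# returned for a single ~100-byte query grow with the number of services.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "DATE: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.1.20:49152/rootDesc.xml\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.1 ExampleDevice/1.0\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)


def amplification_factor(request: str, responses: list) -> float:
    """Bytes returned per byte sent: the payoff a reflector gives an attacker."""
    sent = len(request.encode())
    returned = sum(len(r.encode()) for r in responses)
    return returned / sent


# Constructed: the networks where SSDP traffic is legitimate. Discovery is
# meant to stay on the LAN (multicast 239.255.255.250), so SSDP traffic
# crossing to any other address is the signal we look for.
LOCAL_NETS = [ip_network("192.168.1.0/24"), ip_network("239.255.255.250/32")]


def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'UDP src sport dst dport bytes'."""
    proto, src, sport, dst, dport, nbytes = line.split()
    return Flow(proto, src, int(sport), dst, int(dport), int(nbytes))


def detect_reflection(lines, min_bytes: int = 10_000):
    """Return alerts as (kind, src, dst, bytes) tuples.

    external_msearch:   UDP to port 1900 arriving from outside the LAN. A
                        legitimate query is LAN multicast, so any external
                        source is either a scanner or a spoofed victim address.
    reflected_response: UDP from port 1900 leaving the LAN, summed per
                        (device, destination); alert once it exceeds min_bytes.
    """
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f.proto != "UDP":
            continue
        if f.dport == SSDP_PORT and not is_local(f.src):
            inbound[(f.src, f.dst)] += f.nbytes
        if f.sport == SSDP_PORT and not is_local(f.dst):
            outbound[(f.src, f.dst)] += f.nbytes
    alerts = [("external_msearch", src, dst, b) for (src, dst), b in inbound.items()]
    alerts += [("reflected_response", src, dst, b)
               for (src, dst), b in outbound.items() if b >= min_bytes]
    return alerts


# Constructed sample records. 203.0.113.5 stands in for the spoofed victim.
SAMPLE_FLOWS = [
    "UDP 192.168.1.10 50000 239.255.255.250 1900 94",  # normal LAN discovery
    "UDP 192.168.1.20 1900 192.168.1.10 50000 277",    # normal LAN reply
    "UDP 203.0.113.5 4444 192.168.1.20 1900 94",       # query from outside the LAN
    "UDP 192.168.1.20 1900 203.0.113.5 4444 2770",     # device answering the victim
    "UDP 192.168.1.20 1900 203.0.113.5 4444 2770",
    "UDP 192.168.1.20 1900 203.0.113.5 4444 2770",
    "UDP 192.168.1.20 1900 203.0.113.5 4444 2770",
    "TCP 192.168.1.10 51000 203.0.113.7 443 5000",     # unrelated, ignored
]

if __name__ == "__main__":
    print(f"one response: x{amplification_factor(MSEARCH, [RESPONSE]):.1f}")
    print(f"ten responses: x{amplification_factor(MSEARCH, [RESPONSE] * 10):.1f}")
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(*alert)
```

The detector keys on port 1900, which catches the bulk of reflection traffic the article describes; responses sent from randomized ports, as the article also mentions, would need payload inspection (looking for the `HTTP/1.1 200 OK` SSDP response header in UDP leaving the LAN) rather than port matching. The simplest way to make both alerts impossible on a Windows host that needs no UPnP is the one the article recommends: disable the SSDP service.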

What can be done to avoid compromising?

If the only UPnP-dependent devices on the LAN are a PlayStation or Xbox, set them up manually and disable the SSDP service on Windows and on the network. Configuring port forwarding is not easy, but it is not rocket science either. Anyone who wants to set up network devices without UPnP can do so, because the Internet offers plenty of guides on changing port-forwarding settings. A PlayStation or Xbox is better protected with manual port forwarding than with UPnP, and because the port-forwarding rules live in the home router, the configuration effort only has to be made once.
