UPnP: unplug and pray? HD Moore, the court is in session!

Matthew Hackling

Matthew has over ten years' experience operating solely in the area of information security, holds a Bachelor's degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urge to still stay a bit technical. Hence he plays with BackTrack Linux, Metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active Twitter user with the handle @mhackling.

I’ve been thinking about how HD Moore managed the UPnP issue. How do you think the court of public opinion will judge it?

Imagine this:

Judge: Welcome to the court of public opinion for this hearing on whether responsible disclosure practices were undertaken during the release of a white paper on UPnP vulnerabilities. First, we shall hear from the plaintiff.

Plaintiff: HD Moore, you are brought here for the crimes of grep'ing open source code, hyping years-old vulnerabilities in software to shill commercial vulnerability assessment software, and not conducting a coordinated disclosure and fix campaign like Saint Dan Kaminsky with that DNS bug. A fix was only released for one of the SDKs on 29/1/2013, the day of the blog post announcing the research, and there are still fixes pending for other reported issues. This sets the scene for an incident similar to the SQL Slammer worm, with attackers reverse engineering the source code and developing an exploit. We call for scorn and derision.

Judge: Some fair points. Over to the counsel for the defendant.

Defendant: Your Honour, HD Moore has brought much-needed attention to a critical vulnerability affecting home users and small businesses not able to afford access to top-notch security researchers. He has helped arrange a fix with the developer of the vulnerable software development kit before release of the research. His employer has provided free software for identifying the vulnerability and a web page for checking if your internet router is vulnerable, and hence is not ransoming organisations by requiring them to buy his vulnerability assessment software. He can't be expected to liaise with the hundreds of consumer hardware manufacturers utilising open source software, some of which don't even speak his language. He has sat on these vulnerabilities with one vendor since 2008. In summation, HD's a good Samaritan. You shouldn’t persecute him.

Judge: My judgement is that HD Moore, you have jumped the gun on the release of this research.

1. Check your router for UPnP vulnerability: http://upnp-check.rapid7.com/
2. UPnP vulnerability whitepaper: https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
3. libupnp project: http://pupnp.sourceforge.net/
4. miniUPnP project: http://miniupnp.free.fr/
