News and Reviews....

Flash Attack Could Take Over .....    January 2008

Bob Lieto

    An interesting report came across my desk today. It troubled me in that it lead me to believe that the new, Digital Plug and Play concept may be at great risk. Now, you don't have to convince me, personally, for I was skeptic of this very thing, when I was approached to come on board to a new and improved way to design a whole home A/V System, way back in 2004. I didn't buy it then for the reasons I am about to tell you about.

    It seems that certain security researchers have released code showing how a pair of wildly used technologies could be misused to take control of a victim's Web browsing experience. The code published over the January 15th weekend showed how, The Universal Plug and Play and the Adobe Systems' Flash multimedia software can be used against its user. The Universal Plug and Play (UPnP) protocol is used by many operating systems to make it easier for devices to work together on the network. Adobe Systems' Flash is used to store downloaded data for viewing.

By tricking a victim into viewing a malicious Flash File, an attacker could then use the UPnP to change the primary DNS (Domain Name System) server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker's Web server, even if he typed Citibank.com directly into the Web browser navigation bar. It was said that the most malicious of all malicious things is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. Because so many routers support UPnP devices, researchers believe that 99% of home routers are vulnerable to this attack. Other devices such as printers, DIGITAL ENTERTAINMENT SYSTEMS, IP CCTV Cameras are potentially at risk. Check the web site of these devices and you will probable notice a "Frequently Asked Questions" page that will probably address this very issue.

    The attack is very different because it is a cross-platform attack, any operating system that supports Flash is susceptible, and because it is based on the features of UPnP and Flash, not bugs that could be easily fixed by Adobe or the router vendor. Users could avoid this attack by turning off UPnP on their router, where it is normally enabled by default. This will cause a variety of popular applications, such as IM (instant Message) software, games and Skype, to break and require manual configuration on the router. Adobe could make changes to Flash to mitigate the problem, but attackers could most likely also launch this attack using another technique known as DNS pinning. 

    This is a critical issue as described by the experts and they recommend that people turn off UPnp in their devices and vendors should make UPnP disabled by default. This might make life difficult for non-technical users but would be worth the effort.

Another researcher said that turning off UPnP would be overkill, considering that online criminals have not even begun using this attack. Basically...If you get hit by a meteor its devastating, but no one goes around building meteor shelters.