The explosion of smart devices, including connected refrigerators, home automation systems, smart TVs, medical monitors, and other random household devices that have online access, has created a whole new layer of machines called the Internet of Things (IoT). These devices make life convenient, and they help manufacturers gather petabytes of useful data. They also create a Wild West free-for-all for cyberattackers.
How SSDP Enables DDoS Attacks
SSDP is part of the Universal Plug-and-Play (UPnP) protocol, which was created primarily for residential or small business uses. All kinds of devices connect via SSDP including computers, mobile devices, cable modems, Internet gateways, Wi-Fi access points, gaming consoles, and smart devices. Devices using SSDP discover one another in two different ways:
- M-search. When a network control point needs to find devices on the network, it multicasts a search request to the reserved SSDP address and port, using a search target that matches the type of device it wants to find.
- Notify. When devices announce their presence on a network, they send out a Notify to make themselves discoverable by the control point.
Reflection and Amplification
The Simple Object Access Protocol (SOAP) is a protocol that delivers information and control messages to UPnP devices. Attackers can craft SOAP requests to carry out reflection and amplification DDoS attacks. These attacks work in the following ways:
- Reflection. Reflection DDoS attacks take advantage of a weak authentication system. An attacker attempts to connect to one target device, and the device sends back a security challenge. The attacker then sends the security challenge to a second device, which responds with the right authentication response. This authentication response is sent to the first device, which lets the attacker connect to the original device.
- Amplification. An attacker sends a query to a target device. The server returns an answer that is larger than the original request.
For reflection and amplification to work together, the attacker needs to gain control of devices through reflection and then use amplification to increase traffic volume on a server. For example, if the attacker gains access to your smart TV using reflection, your TV could query a target server, such as a server at a bank. The bank’s server would send back a larger response to your TV, which would consume its resources.
Now, imagine hundreds of thousands of TVs and other smart devices, which the attacker controls thanks to reflection, bombarding the bank server with queries. The server could be disabled by the sheer volume of requests.
How to Protect Smart Devices
- Consumers. Consumers can disable UPnP on their routers and also on any public-facing smart devices.
- Manufacturers. Manufacturers should make firmware updates that properly configure the SSDP/UPnP client along with routing/firewall rules. Also, firmware updates should restrict UPnP to the LAN.
- Organizations. Experts say that most attack traffic from smart devices comes through Port 1900. They recommend blocking all Port 1900 UDP traffic as long as the network can accommodate the added bandwidth.
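As an added example that is not part of the article, the Python below works through two of the points above on constructed SSDP datagrams: how much larger a single device reply is than the M-SEARCH that triggered it (the amplification the article describes), and the edge-filter rule of dropping M-SEARCH discovery traffic on UDP port 1900 when it arrives from outside the LAN. The datagrams, the source addresses and the LAN prefixes are constructed samples, not measurements from a real device.

```python
import ipaddress

# Constructed sample of an SSDP M-SEARCH discovery request (HTTP-style text over UDP 1900).
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 1\r\n"
    "ST: ssdp:all\r\n\r\n"
)

# Constructed sample of one unicast reply a UPnP device sends back. A device answers
# "ssdp:all" with one such reply per service it advertises, so the real ratio is higher.
REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "DATE: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.1.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux/4.4 UPnP/1.1 MiniUPnPd/2.1\r\n"
    "ST: ssdp:all\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"
)

# Constructed LAN prefixes: discovery traffic is only legitimate from inside these.
LAN_PREFIXES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ssdp(payload: str):
    """Split an SSDP datagram into its start line and a dict of upper-cased headers."""
    head, _, _ = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only (LOCATION has more)
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def amplification_factor(request: str, replies) -> float:
    """Bytes returned per byte sent: the 'larger answer' the article describes."""
    return sum(len(r) for r in replies) / len(request)


def should_drop(src_ip: str, dst_port: int, payload: str) -> bool:
    """Edge-filter rule: an M-SEARCH aimed at UDP 1900 from outside the LAN is dropped."""
    if dst_port != 1900:
        return False
    start, headers = parse_ssdp(payload)
    is_discover = start.startswith("M-SEARCH") and headers.get("MAN") == '"ssdp:discover"'
    src = ipaddress.ip_address(src_ip)
    return is_discover and not any(src in net for net in LAN_PREFIXES)
```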
As they invent and deploy new IoT devices, manufacturers must make security just as important as functionality. When millions of consumers purchase a single kind of smart TV, and that TV is left open to compromise, the fallout hurts not only consumers but also unleashes DDoS attacks against all kinds of enterprises.