Serious, Yet Patched Flaw Exposes 6.1 Million IoT, Mobile Devices to Remote Code Execution

2015-12-04T22:18:00
ID THN:DC0DE4EAF5812006A8E6941769C89CEB
Type thn
Reporter Swati Khandelwal
Modified 2015-12-05T09:18:02

Description

Serious Security Flaw Exposes 6.1 Million IoT, Mobile Devices to Remote Code Execution

As much as you protect your electronics from being hacked, hackers are clever enough at finding new ways to get into your devices. But, you would hope that once a flaw discovered it would at least be fixed in few days or weeks, but that's not always the case.

A three-year-old security vulnerability within a software component used by more than 6.1 Million smart devices still remains unpatched by many vendors, thereby placing Smart TVs, Routers, Smartphones, and other Internet of Things (IoT) products at risk of exploit.

Security researchers at Trend Micro have brought the flaw to light that has been known since 2012 but has not been patched yet.

Remote Code Execution Vulnerabilities

Researchers discovered a collection of Remote Code Execution (RCE) vulnerabilities in the Portable SDK for UPnP, or libupnp component – a software library used by mobile devices, routers, smart TVs, and other IoT devices to stream media files over a network.

The flaws occur due to a buffer overflow in Simple Service Discovery Protocol (SSDP), potentially allowing hackers to take full control over the targeted device running the vulnerable version of the software development kit (SDK).

According to the researchers, the vulnerabilities were actually patched in 2012, but many applications still use the outdated versions of the library, allowing remote code execution attacks against devices with flawed apps installed.

> "We found 547 apps that used older versions of libupnp, 326 of which are available on the Google Play store," Trend Micro mobile analyst Veo Zhang wrote in a blog post published Thursday.

Vulnerable Apps Downloaded by Millions of People

The biggest app affected by the flaw is QQMusic, which is used by over 100 Million people in China alone and has been downloaded by millions of Android users from the Google Play store. However, the security issue has since been fixed by the developers.

The Netflix application, also downloaded by Millions of people, was also thought to be affected by the flaw though the researchers say:

> "Upon further clarification with Netflix, we learned that Netflix uses their own fork of libupnp due to an API that is no longer a part of newer libupnp versions. However, their fork contains the fixes from newer versions of libupnp as well, so we believe they are not affected by potential remote code execution attacks targeting this vulnerability."

Other popular applications using the outdated version of the library include nScreen Mirroring for Samsung, CameraAccess Plus and Smart TV Remote.

List of Vulnerable Apps

Here's the list of some apps, Trend Micro knows, are vulnerable and has actually tested:

Common Name

|

Package Name

---|---

AirSmartPlayer

|

com.gk.airsmart.main

Big2Small

|

com.alitech.dvbtoip

CameraAccess plus

|

jp.co.pixela.cameraaccessplus

G-MScreen

|

mktvsmart.screen

HexLink Remote (TV client)

|

hihex.sbrc.services

HexLink-SmartTV remote control

|

com.hihex.hexlink

Hisense Android TV Remote

|

com.hisense.commonremote

nScreen Mirroring for Samsung

|

com.ht.nscreen.mirroring

Ooredoo TV Oman

|

com.ooredootv.ooredoo

PictPrint – WiFi Print App –

|

jp.co.tandem.pictprint

qa.MozaicGO.Android

|

Mozaic GO

QQMusic

|

com.tencent.qqmusic

QQ音乐HD

|

com.tencent.qqmusicpad

Smart TV Remote

|

com.hisense.common

Wifi Entertainment

|

com.infogo.entertainment.wifi

モバイルTV(StationTV)

|

jp.pixela.px01.stationtv.localtuner.full.app

에브리온TV (무료 실시간 TV)

|

com.everyontv

多屏看看

|

com.letv.smartControl

海信分享

|

com.hisense.hishare.hall

Though the makers of QQMusic and LinPhone have addressed the issue and released fixes for their apps, users are advised to check their devices for one of these apps and if discovered, simply removed it or check for an update.

The security researchers are continuing to find out more vulnerable app.