Skip to main content

Flash vulnerability opens router to attack

GnuCITIZEN has posted (opens in new tab) a detailed FAQ about a newly found Flash uPNP hack which could eventually lead the attacker to control a victim's router, regardless of the brand and model of the device.

The attack does not rely on any vulnerabilities within Flash but rather on the relationship between Flash and uPNP, a set of protocols that allow a device to poll continuously to find out whether devices - like cameras, printers etc - are hot-plugged in the network.

GnuCitizen details how the attack might take place on their website and although this is only a proof of concept, any capable hacker should be able to implement this straight away.

The attack does not depend on what platform or what browser you are using and affects even the latest Flash player.

There are only three ways to protect your network from a Flash uPNP attack: (a) disable uPNP (b) disable flash (c) disconnect altogether from the internet.

However, as the author of the FAQ stresses, " it is very likely that the same attack can be performed by other types of Web technologies [aside from Flash]."

Thinkbroadband (opens in new tab) summarises the issue nicely: "This problem with UPnP arises because it does not have an authentication procedure built into the protocol. So disabling it completely seems to be the only sure fire solution."

Désiré Athow

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.