Over six million devices continue to remain exposed to remote attacks even though the concerned vulnerabilities had officially been patched around three years ago. Security firm Trend Micro has reported a large number of vulnerable Android apps - including some widely used apps such as Netflix and Tencent QQMusic - are exposing a large pool of devices including smartphones, smart TVs, and routers to the risk of remote code execution attacks.
In December 2012, several vulnerabilities in Portable SDK for UPnP (Universal Plug and Play) devices, or libupnp, a standard set of networking protocols that allow network capable devices such as computers, printers, Wi-Fi access points to seamlessly discover and communicate with each other, were patched. Several mobile apps use these features to play media files or connect to other devices within a user's home network. It has been found that the majority of affected apps continue to use older, compromised SDK versions, making millions of their users vulnerable to attacks.
Trend Micro reports that it has found 547 apps that use older versions of libupnp, crippling the overall security of the app and its users. Of the said number of apps, 326 of them are available on the Google Play Store. The firm hasn't disclosed all the affected apps but noted that Linphone and Tencent QQMusic - that have been since patched - were affected.
The nature of the security holes not only compromises the security of millions of users who use the these apps, but also smartphones and many other network devices that relay the data back and forth. The bug was first publicly reported by security firm Rapid7 nearly three years ago.
The security firm had found programming flaws in common UPnP discovery protocol (SSDP) implementations that allowed an attacker to execute arbitrary code. The firm had also exposed vulnerability in UPnP control interface (SOAP) on private networks, and programming flaws in both. Due to poor configuration, it was found that device functions that should not be allowed to public were left open.
At the time, Rapid7 had warned that many of these network equipment that are no longer being shipped will never receive an update and will likely remain vulnerable forever. It had found vulnerabilities in over 6,900 products made by over 1,500 vendors.
In the blog post, Trend Micro has detailed how these vulnerabilities put smart TVs and other network equipment at security risks too.