Three Years After Libupnp Bug Was Fixed, Popular Apps and Millions of Devices Still Vulnerable

Advertisement
By Manish Singh | Updated: 4 December 2015 08:41 IST

Over six million devices continue to remain exposed to remote attacks even though the concerned vulnerabilities had officially been patched around three years ago. Security firm Trend Micro has reported a large number of vulnerable Android apps - including some widely used apps such as Netflix and Tencent QQMusic - are exposing a large pool of devices including smartphones, smart TVs, and routers to the risk of remote code execution attacks.

In December 2012, several vulnerabilities in Portable SDK for UPnP (Universal Plug and Play) devices, or libupnp, a standard set of networking protocols that allow network capable devices such as computers, printers, Wi-Fi access points to seamlessly discover and communicate with each other, were patched. Several mobile apps use these features to play media files or connect to other devices within a user's home network. It has been found that the majority of affected apps continue to use older, compromised SDK versions, making millions of their users vulnerable to attacks.

Advertisement

Trend Micro reports that it has found 547 apps that use older versions of libupnp, crippling the overall security of the app and its users. Of the said number of apps, 326 of them are available on the Google Play Store. The firm hasn't disclosed all the affected apps but noted that Linphone and Tencent QQMusic - that have been since patched - were affected.

The nature of the security holes not only compromises the security of millions of users who use the these apps, but also smartphones and many other network devices that relay the data back and forth. The bug was first publicly reported by security firm Rapid7 nearly three years ago.

Advertisement

The security firm had found programming flaws in common UPnP discovery protocol (SSDP) implementations that allowed an attacker to execute arbitrary code. The firm had also exposed vulnerability in UPnP control interface (SOAP) on private networks, and programming flaws in both. Due to poor configuration, it was found that device functions that should not be allowed to public were left open.

At the time, Rapid7 had warned that many of these network equipment that are no longer being shipped will never receive an update and will likely remain vulnerable forever. It had found vulnerabilities in over 6,900 products made by over 1,500 vendors.

Advertisement

In the blog post, Trend Micro has detailed how these vulnerabilities put smart TVs and other network equipment at security risks too.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. OnePlus Phones Will Soon Run on ColorOS 17 Instead of OxygenOS
  2. Oppo, OnePlus Could Equip New Phones With a 10,000mAh Battery
  3. Nubia NaviX Ultra Design, Colourways Unveiled Ahead of July 17 Launch
  4. Former Rockstar Games Producer Explains Why GTA 6 Is Not Launching on PC
  5. Apple Back to School Sale: Grab These Deals on MacBook, iPad Models
  6. Lenovo Legion Y700 Infinite Chipset Details Teased Officially; Key Specs Tipped
  1. Samsung Music Studio 5, Music Studio 7 Wi-Fi Speakers Launched in India
  2. Ostium Suspends Trading Following Oracle Security Incident Drains Millions
  3. Oppo’s New A Series, Upcoming OnePlus Mid-Range Smartphones Tipped to Launch With 10,000mAh Batteries
  4. WhatsApp Reportedly Rolls Out Mic Mode Controls for iPhone Calls
  5. Former Rockstar Games Developer Explains Why GTA 6 Maker Launches Games on PC After Consoles
  6. Samsung Galaxy Tab S12 Ultra CAD Renders Leaked Online; Reveals Familiar Look
  7. Apple Back to School Sale Now Live in India, Bringing Offers on MacBook Air, iPad Pro and More
  8. Realme Could Replace Realme UI With ColorOS 17 in India: Report
  9. Nubia NaviX Ultra Design, Colour Options Unveiled Ahead of July 17 Launch
  10. Lenovo Legion Y700 Infinite Chipset Details Teased Officially; Key Specifications Tipped Online
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.