UPnP A/V profile

The UPnP A/V profile was developed specifically for distributing and playing digital content, such as music and films over the network. There are generally two types of devices that are of interest for hacking: media servers, that store content and stream it over the network, and media renderers, that can play content on speakers, or a TV set.

After the Internet Gateway Device (IGD) profile the A/V (audio/video) profiles are the most widely used UPnP profiles and have been implemented in hardware boxes, such as network storage devices and media players, but also in various software players.

The MediaServer and MediaRenderer profiles have gone through various generations. Two versions of the specifications were released. Version 1.0 was released in 2002, while version 2.0 was released in 2006. The Digital Living Network Alliance (DLNA) has standardized on version 1.0.

MediaServer 1.0

The MediaServer profile is a simple container for a few subprofiles:

The first two are required, while the last one is optional. The ContentDirectory and ConnectionManager profiles often pretty basic functionality, such as searching and querying for content, which is not easily exploited. A possible attack vector would be if searching (which can include filters) has not been implemented correctly. Most (if not all) MediaServer devices on the market only implement the ContentDirectory and ConnectionManager profiles.

MediaRenderer hacking

With the MediaRenderer profile I want to see how easy it is to play content on a device remotely and to create a possibility to do multimedia spamming, like audio or video spamming.

I have successfully applied this technique to the Noxon Audio device, but have not yet found other devices that can do this, but that is entirely because I just have a few MediaRenderer devices (more are welcome. If you can, please consider donating one). I am still not sure whether or not this is intended behaviour, since the specifications don't say anything about it. I am assuming that it is "legal" according to the specifications (and maybe even a selling point for some manufacturers). Maybe it should not have been. Once again it is shown that ease of use and security are orthogonal.

UPnP A/V devices

For my tests I have a few devices, mostly MediaServers. I am still looking for a few MediaRenderers, since my guess is that most mayhem can be done there.

MediaRenderer devices

MediaServer devices

© 2006-2011, Armijn Hemel/upnp-hacks.org