Who am I?

My name is Armijn Hemel and I am currently employed as a system administrator and programmer at Loohuis Consulting, a small specialized hosting/consultancy company in Utrecht, the Netherlands.

This site is about one of my hobbies: cracking consumer electronics devices using Universal Plug and Play.

Why this site?

This site is meant to increase awareness about security risks that exist in UPnP implementations on millions of devices, that many people have as a central hub in their network and completely trust.

The development model behind many consumer electronics devices (the so called ODM model) focuses completely on time to market and features, but not on correctness or security. This makes these devices an easy high profile target and many crackers are lazy. Normal virus scanners will not find a router that has been taken over. The false sense of security that this gives people is very dangerous. It is time to take action and make sure that these bugs are solved, or at least easier to detect (and then solved).

If you think that there is no danger, because you have not heard of any hacks using UPnP, think again. The only reason that these hacks are not being used yet is because there most be easier ways to take over machines and networks. Vendors, most notably Microsoft, are making their systems more secure. Once the costs of cracking these systems is high enough crackers will switch to easier targets, such as routers.

Hiring

If you are a router manufacturer and want to have your routers checked for (known) UPnP IGD vulnerabilities it might be good to know that the company I work for can do this for you. There are a few conditions under which we are for hire:

1. I only check for known vulnerabilities, as described on these pages.
   
2. Prices depend on the amount of devices and similarities between them (codebase). Machines that are very much alike in their codebase are easier to check.
3. I can do black box testing, but also do code review once I find a device to be vulnerable. Needless to say the latter is more expensive, especially if NDAs are involved.

If you're interested, please drop us a line. To avoid your mail getting caught by the spam filter, or accidentily getting deleted by me, please mark it clearly, use plain text if possible instead of HTML, use punctuation, don't write your mail just using capital letters, etcetera.

Please note that I can only check devices that either have an Ethernet or Annex A (POTS) WAN connection. Other devices, like Annex B (ISDN), I can only check from the LAN side.

We are not interested in any illegal cracking activities.

• UPnP workings
• UPnP IGD hacking
  • IGD stacks
  • Vulnerable IGD devices
  • Possibly vulnerable IGD devices
  • IGD Annoyances
  • Getting access to DNS with UPnP
• UPnP A/V hacking
• UPnP RemoteUI hacking
• Unresearched UPnP hacks
• Downloads
• News
• Media
• Frequently Asked Questions
• Contact
• Links