Who am I?
My name is Armijn Hemel and I am the owner of
Tjaldur Software Governance Solutions,
a consultancy company in the Netherlands focusing on open source license compliance,
software provenance, and scanning.
This site is about one of my hobbies: cracking consumer electronics devices using Universal Plug and Play.
Why this site?
This site is meant to increase awareness about security risks that exist in
UPnP implementations on millions of devices, that many people have as a central
hub in their network and completely trust.
The development model behind many consumer electronics devices (the so called ODM model) focuses completely on time to market and features, but not on correctness or security. This makes these devices an easy high profile target and many crackers are lazy. Normal virus scanners will not find a router that has been taken over. The false sense of security that this gives people is very dangerous. It is time to take action and make sure that these bugs are solved, or at least easier to detect (and then solved).
If you think that there is no danger, because you have not heard of any hacks using UPnP, think again. The only reason that these hacks are not being used yet is because there most be easier ways to take over machines and networks. Vendors, most notably Microsoft, are making their systems more secure. Once the costs of cracking these systems is high enough crackers will switch to easier targets, such as routers.
If you are a router manufacturer and want to have your routers checked for
(known) UPnP IGD vulnerabilities it might be good to know that I
can do this for you. There are a few conditions:
- I only check for known vulnerabilities, as described on
- Prices depend on the amount of devices and similarities between them (codebase). Machines that are very much alike in their codebase are easier to check.
- I can do black box testing, but also do code review once I find a device to be vulnerable. Needless to say the latter is more expensive, especially if NDAs are involved.
Please note that I can only check devices that either have an Ethernet or Annex A (POTS) WAN connection. Other devices, like Annex B (ISDN), I can only check from the LAN side.
I am not interested in any illegal cracking activities.