Who am I?
My name is Armijn Hemel and I am the owner of
Tjaldur Software Governance Solutions,
a consultancy company in the Netherlands focusing on open source license compliance,
software provenance, and scanning.
This site is about one of my hobbies: cracking consumer
electronics devices using Universal Plug and Play.
Why this site?
This site is meant to increase awareness about security risks that exist in
UPnP implementations on millions of devices, that many people have as a central
hub in their network and completely trust.
The development model behind
many consumer electronics devices (the so-called ODM model) focuses entirely
on time to market and features, not on correctness or security. This makes
these devices an easy, high-profile target, and many crackers are lazy. Normal
virus scanners will not detect a router that has been taken over, and the false
sense of security this gives people is very dangerous. It is time to take action
and make sure that these bugs are fixed, or at least made easier to detect (and
then fixed).
If you think that there is no danger because you have not
heard of any hacks using UPnP, think again. The only reason these hacks are
not being used yet is that there must be easier ways to take over machines
and networks. Vendors, most notably Microsoft, are making their systems more
secure. Once the cost of cracking these systems is high enough, crackers will
switch to easier targets, such as routers.
Hiring
If you are a router manufacturer and want to have your routers checked for
(known) UPnP IGD vulnerabilities it might be good to know that I
can do this for you. There are a few conditions:
- I only check for known vulnerabilities, as described on
these pages.
- Prices depend on the number of devices and the similarities between them (codebase). Machines that share most of their codebase are easier to check.
- I can do black box testing, but also code review once I find a device to be vulnerable. Needless to say, the latter is more expensive, especially if NDAs are involved.
Please note that I can only check from the WAN side devices that have either an Ethernet or an Annex A (ADSL over POTS) WAN connection. Other devices, such as Annex B (ADSL over ISDN), I can only check from the LAN side.
I am not interested in any illegal cracking activities.