Wednesday, January 30, 2013

Universal Plug and Play, Universal Trust, and the Law of Exploitation

There are problems with the Universal Plug and Play protocol (also called UPnP), flaws serious enough that security experts and government authorities are recommending that businesses and consumers not use the protocol, or devices that depend on it, at all.

Universal Plug and Play was supposed to be an easy way for computers and peripheral devices to work together. A computer wouldn’t have to know about a device in advance, because the device would tell the computer all the details of how to deal with it. From the outset, the whole idea had a powerful resemblance to code injection. You really don’t want an unknown device telling your computer what to do because it might tell it to do something destructive. And as it turns out, that is a very real risk with Universal Plug and Play. Security researchers have outlined at least three points of failure that allow malicious devices, or network programs pretending to be devices, to add arbitrary programs to a computer’s kernel, effectively bypassing almost all the layers of security that exist in computers and networks. From my limited understanding of the details, it seems to me that these are very fundamental flaws. That is, no one should expect a fix or patch within the next few years, and if there eventually is a fix, it will involve abandoning the original idea of “plug and play.”

The notion of universal trust that Universal Plug and Play is built on is one that philosophers would have a hard time accepting. Can you ever devise an abstract rule of trust so ironclad that it will never have an exception? History suggests otherwise — that every rule about what you can trust will have exceptions, eventually if not immediately. The Law of Exploitation, which says that every tendency will be exploited sooner or later, also argues against universal trust. If you accept that a rule of trust is a tendency, it follows that it carries within it the possibility of exploitation.

In practical terms, this means any security system will need to be active, so that it can observe and adapt. No matter how carefully a protocol is written, someone still has to be paying attention. For Universal Plug and Play, the people who need to be paying attention include ordinary computer users, whom we must now rely on to shut off that feature in networks and devices such as routers, webcams, and printers.