Patched security flaw exposes 6.1 million IoT, mobile devices to remote code execution

An old software development kit still very much in use is placing millions of devices at risk.
A three-year-old vulnerability within a component used by millions of smart devices is placing smartphones, routers, television sets and other products at risk of exploit.

According to security firm Trend Micro, vulnerabilities in the libupnp library, also known as the Portable SDK for UPnP Devices, were patched in 2012. However, many apps still use outdated versions of the library, which can act as a conduit for remote code execution attacks to take place against devices with these vulnerable apps installed.

On Thursday, Trend Micro researchers said in a blog post a total of 6.1 million devices, including smartphones, routers and smart television sets, are exposed due to the old library. Used mainly in implementing media playback (DNLA) or NAT traversal (UPnP IGD) -- used to map network ports -- any apps using the library can play media files and connect to other devices on a network.