Universal Plug and Play (UPnP™) is a set of protocols that defines a technology for easy-to-use, flexible, standardized connectivity between consumer electronics devices within a sub-network. With UPnP, devices can automatically join the sub-network and announce their presence and service capabilities to various control points in the sub-network. UPnP is especially suitable for use within home environments. A typical application of UPnP is a local network within a home that allows for several appliances such as a TV, a mobile phone, a media player, a digital camera and a personal computer to interact using the UPnP architecture.
A UPnP network comprises UPnP devices and UPnP control points. It is possible for a UPnP device to be co-located in the same physical entity as a UPnP control point. The UPnP device provides one or several services that may be invoked to perform various actions in response to control commands. The UPnP device may for instance be a TV or a media player that is able to record and replay music or video. A UPnP control point can send control commands to UPnP devices to invoke actions on the device's services. The UPnP control point may for instance be a remote control that can be used to control a UPnP-enabled TV and media player through a UPnP network. The UPnP control points are also able to discover devices and subscribe to events that indicate state changes in the devices. The UPnP discovery protocol allows for a device to advertise its service to control points in the network and for control points to search for devices of interest within the network. This is achieved by means of exchanging discovery messages.
UPnP does not require any device drivers or a server and can therefore operate in a peer-to-peer mode to create an ad-hoc network. UPnP is platform independent and works with almost any type of physical wired and wireless networking media. UPnP makes use of common protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol), HTTP (Hypertext Transfer Protocol), and XML (Extensible Markup Language) for its underlying mechanisms. More information about UPnP can for instance be found in “UPnP™ Device Architecture 1.0” version 1.0.1, published by the UPnP Forum Dec. 2, 2003.
If a UPnP network belongs to a single user without any connections to anything outside the personal domain of the user and with no control points belonging to anyone other than the user ever being attached to the network, security is not an issue. However, since network isolation is rarely the case today, a concept of UPnP Security has been developed to deal with situations in which more than the user's own control points may be present on the network and able to reach the user's devices with control commands. Examples of such scenarios include households with several family members who each wish to establish an individual security domain in addition to any domain of devices and control points of a shared network environment, households in which guests might bring devices or control points into the network temporarily, or wireline or wireless networks without a firewall which may allow an attacker to access the network without the user's knowledge or permission.
UPnP Security implies the introduction of one or several Security Consoles (SC) into the network and furthermore that the devices and control points are security enabled. The SC is responsible for providing a security interface to the user, administering access control on security aware UPnP devices and for taking security ownership of devices. Each security aware device is owned by one or more SCs. The security aware device has an owner list that lists the SC(s) that own the device. Access control on the security aware device may be performed by the SC by means of an access control list (ACL) associated with the device or by means of certificates. The ACL comprises entries that specify what actions different control points or SCs are allowed to invoke on the device. An SC that owns a device is allowed to edit the ACL of that device. The ACL is stored in the device that it is associated with and also in the SC(s) that own the device. However, the ACL that is stored in the device is the one list that is always up to date. When an SC changes the ACL, it will update its own copy of the ACL, but since the device may be owned by several SCs that change the ACL, it is possible that the ACL copies in the SCs are not up to date. When a security aware device receives a request for invoking an action from a control point, it will check the ACL to verify that the control point is authorized and that the action is authorized for that control point. Requests that originate from unauthorized control points or relate to unauthorized actions will be discarded.
However, actions and control points may also be authorized by means of certificates. Certificates are often used for granting rights during a limited time period, while the ACL is used for granting more or less semi-permanent rights. The SC can create a certificate that authorizes a control point to invoke a certain set of actions on a device. The certificate is communicated to the control point and the device. When sending a request for an action to the device, the control point will include the certificate with the request. The device will then validate the request by comparing the certificate received from the control point with the certificate stored in the device which was previously received from the SC.
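The device-side decision described in the two preceding paragraphs (owner list, ACL check, certificate comparison) can be modelled as follows. This is an added example, not code from the UPnP specifications or from the cited documents: the class and method names, the string identities and the integer timestamps are hypothetical, and cryptographic authentication of control points and SCs is outside the model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Certificate:
    """Time-limited grant created by an SC (constructed model, not a UPnP wire format)."""
    issuer_sc: str
    control_point: str
    actions: frozenset
    not_before: int
    not_after: int

@dataclass
class SecureDevice:
    owners: set                                  # owner list: SCs that own the device
    acl: dict = field(default_factory=dict)      # control point -> set of allowed actions
    certs: set = field(default_factory=set)      # certificates previously received from an SC

    def edit_acl(self, sc, control_point, actions):
        # Only an SC on the owner list may edit the device's ACL.
        if sc not in self.owners:
            return False
        self.acl[control_point] = set(actions)
        return True

    def store_cert(self, cert):
        # Assumption of this model: only certificates issued by an owning SC are stored.
        if cert.issuer_sc not in self.owners:
            return False
        self.certs.add(cert)
        return True

    def authorize(self, control_point, action, now, presented=None):
        # 1. ACL: semi-permanent rights for this control point and this action.
        if action in self.acl.get(control_point, ()):
            return True
        # 2. Certificate: the presented copy must equal the stored copy, name this
        #    control point, cover the action and be inside its validity period.
        if presented is not None and presented in self.certs:
            return (presented.control_point == control_point
                    and action in presented.actions
                    and presented.not_before <= now <= presented.not_after)
        return False  # unauthorized control point or action: request is discarded
```

Because the device compares the presented certificate with its own stored copy, a control point that alters the action set or the validity period of its certificate fails the comparison and falls through to the final `return False`.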
More information about UPnP security can be found in “DeviceSecurity: 1 Service Template”, published by the UPnP Forum Nov. 17, 2003; “SecurityConsole: 1 Service Template”, published by the UPnP Forum Nov. 17, 2003; or in “UPnP™ Security Ceremonies V1.0”, published by the UPnP Forum Oct. 3, 2003.
UPnP was originally not designed to support mobility of devices or control points, i.e. devices and control points were originally not allowed to move from one IP network domain to another and still maintain the UPnP interaction with other devices and control points. However, the article “Mobility Support for Universal Plug and Play (UPnP) Devices Using Session Initiation Protocol (SIP)” by Kumar, B. and Rahman, M., Consumer Communications and Networking Conference, 2006. CCNC 2006. 2006 3rd IEEE, Volume 2, Issue, 8-10 Jan. 2006 Page(s): 788-792, proposes a system level architecture to support mobility of UPnP devices. According to this proposal, a UPnP Virtual Instance is created in a Home Network Gateway for each UPnP device or control point that is external to the home network and connected by means of remote access. UPnP messages are forwarded to and from the remote UPnP devices or control points using SIP (Session Initiation Protocol) signalling.
A problem with the above-mentioned proposal for mobility support for UPnP is that it does not take the security aspect into consideration. The presented system level architecture presupposes a UPnP system without UPnP security.