SUPnP: Secure Access and Service Registration for UPnP-Enabled Internet of Things

Golam Kayas, Mahmud Hossain, Jamie Payton, S. M.Riazul Islam

Research output: Contribution to journalArticlepeer-review

2 Citations (Scopus)


The service-oriented nature of the Universal Plug-and-Play (UPnP) protocol supports the creation of flexible, open, and dynamic systems. As such, it is widely used in Internet-of-Things (IoT) deployments. However, the protocol's service access mechanism does not consider security from the first principles and is therefore vulnerable to various attacks. In this article, we present an in-depth analysis of the service advertisement, discovery, and access methods of the UPnP protocol stack and identify security issues in an IoT network. Our analysis shows that adversaries can perform resource exhaustion, buffer overflow, reflection, and amplification attacks by exploiting the vulnerabilities of the UPnP protocol. To address these issues, we propose a capability-based security model for UPnP to ensure secure discovery, advertisement, and access of the UPnP services that considers the resource limitations of IoT devices. Our analysis shows the effectiveness of the proposed model against potential attacks, and our experimental evaluation highlights the feasibility of implementing our Secure UPnP (SUPnP) protocol in a network of IoT devices, incurring minimal network and performance overhead.

Original languageEnglish
Article number9352973
Pages (from-to)11561-11580
Number of pages20
JournalIEEE Internet of Things Journal
Issue number14
Early online date11 Feb 2021
Publication statusPublished - 15 Jul 2021
Externally publishedYes


Dive into the research topics of 'SUPnP: Secure Access and Service Registration for UPnP-Enabled Internet of Things'. Together they form a unique fingerprint.

Cite this