How-To Geek

HTG Explains: Is UPnP a Security Risk?

UPnP comes enabled by default on many new routers. At one point, the FBI and other security experts recommended disabling UPnP for security reasons. But how secure is UPnP today? Are we trading security for convenience when using UPnP?

UPnP stands for “Universal Plug and Play.” Using UPnP (specifically its Internet Gateway Device profile, which is the part consumer routers implement), an application on any computer in your home network can ask the router to forward a port to that computer, saving you the hassle of forwarding ports manually. We’ll be looking at the reasons people recommend disabling UPnP, so we can get a clear picture of the security risks.

Image Credit: comedy_nose on Flickr

Malware On Your Network Can Use UPnP

A virus, Trojan horse, worm, or other malicious program that manages to infect a computer on your local network can use UPnP, just like legitimate programs can. A router normally blocks unsolicited incoming connections, which prevents some malicious access, but UPnP lets a malicious program punch a hole through that firewall for itself. For example, a Trojan horse could install a remote control program on your computer and ask the router to forward a port to it, allowing 24/7 access to your computer from the Internet. If UPnP were disabled, the program couldn’t open the port – although it could still make outbound connections and phone home, since routers don’t block those.

Is This a Problem? Yes. There’s no getting around this one – UPnP assumes local programs are trustworthy and allows them to forward ports. If malware not being able to forward ports is important to you, you’ll want to disable UPnP.

The FBI Told People to Disable UPnP

Near the end of 2001, the FBI’s National Infrastructure Protection Center advised all users to disable UPnP because of a buffer overflow in Windows XP’s own UPnP service. This bug was fixed by a security patch. The NIPC actually issued a correction for this advice later, after it realized that the problem was in Windows’ implementation and not in UPnP itself. (Source)

Is This a Problem? No. While some people may remember the NIPC’s advisory and have a negative view of UPnP, this advice was misguided at the time and the specific problem was fixed by a patch for Windows XP over ten years ago.

Image Credit: Carsten Lorentzen on Flickr

The Flash UPnP Attack

UPnP doesn’t require any sort of authentication. The router accepts a port-forwarding request from anything on the local network without asking who or what sent it, which is why the malware above can abuse UPnP. You might assume that you’re secure as long as no malware is running on any local devices – but you’re probably wrong.

The Flash UPnP Attack was discovered in 2008. A specially crafted Flash applet, running on a web page inside your web browser, can send a UPnP request to your router and ask it to forward ports. From the router’s point of view the request comes from your computer, exactly like a request from an installed program, so it complies. For example, the applet could ask the router to forward ports 1-65535 to your computer, effectively exposing it to the entire Internet. The attacker would still have to exploit a vulnerability in a network service running on your computer after doing this, though – using a firewall on your computer will help protect you, because a forwarding rule on the router does nothing against a host that refuses the connection.

Unfortunately, it gets worse – on some routers, a Flash applet could change the primary DNS server with a UPnP request. Port forwarding would be the least of your worries – a malicious DNS server could redirect traffic to other websites. For example, it could point Facebook.com at another IP address entirely – your web browser’s address bar would say Facebook.com, but you’d be using a website set up by a malicious organization. A site served over HTTPS would at least produce a certificate warning in that situation, but only if you don’t click through it.

Is This a Problem? Yes. I can’t find any sort of indication that this was ever fixed on the router side. Even if it were (this would be difficult, since unauthenticated control requests are how the UPnP protocol itself is designed), many older routers still in use would be vulnerable.
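As an added example (not code from the original article), here is the exchange that both the malware in the earlier section and the Flash applet in this one rely on, written in Python: SSDP discovery of the router, reading its device description to find the control URLs, and the unauthenticated SOAP requests for AddPortMapping and, on routers that expose the LANHostConfigManagement service, SetDNSServer. The SSDP reply and device description are constructed for the example, not captured from a real router; the router address 192.168.1.1 and the control paths are assumptions. The discover() function sends a live M-SEARCH on the local network and doubles as a check that no gateway answers once UPnP has been switched off.

```python
# Added example, not code from the article: the UPnP IGD exchange a local
# program (a game client, a Trojan, or a 2008-era Flash applet in a browser)
# performs to open a port. Sample reply and description below are constructed.
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
LANHOST = "urn:schemas-upnp-org:service:LANHostConfigManagement:1"


def build_msearch(st=IGD_ST, mx=2):
    """Step 1: multicast SSDP discovery; any host on the LAN may send it."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_response(raw):
    """Header fields of an SSDP reply, keyed by upper-cased name."""
    head = raw.decode(errors="replace").split("\r\n\r\n", 1)[0]
    fields = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().upper()] = value.strip()
    return fields


def find_control_urls(description_xml, location):
    """Step 2: the LOCATION header points at an XML device description;
    map each serviceType in it to an absolute controlURL."""
    root = ET.fromstring(description_xml)
    base = root.findtext(f"{{{DEV_NS}}}URLBase") or location
    return {svc.findtext(f"{{{DEV_NS}}}serviceType"):
            urljoin(base, svc.findtext(f"{{{DEV_NS}}}controlURL"))
            for svc in root.iter(f"{{{DEV_NS}}}service")}


def build_soap(service_type, action, args):
    """Step 3: an HTTP POST to the controlURL. No credential, token or user
    prompt is involved; arriving from a LAN address is the only check."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    envelope = ('<?xml version="1.0"?><s:Envelope '
                'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
                f'<s:Body><u:{action} xmlns:u="{service_type}">{body}'
                f'</u:{action}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service_type}#{action}"'}
    return headers, envelope


def add_port_mapping(ext_port, int_port, int_client, proto="TCP",
                     desc="example", lease=0):
    """The request malware sends to expose a host. IGD:1 maps one external
    port per call, so 'forward 1-65535' is simply this in a loop."""
    return build_soap(WANIP, "AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port,
        "NewProtocol": proto, "NewInternalPort": int_port,
        "NewInternalClient": int_client, "NewEnabled": 1,
        "NewPortMappingDescription": desc, "NewLeaseDuration": lease})


def set_dns_server(dns_ip):
    """The worse variant: where LANHostConfigManagement is exposed, the same
    unauthenticated channel rewrites the DNS server handed to the LAN."""
    return build_soap(LANHOST, "SetDNSServer", {"NewDNSServers": dns_ip})


def discover(timeout=2.0):
    """Live probe (not used by the offline checks): header dicts of every
    gateway that answers. An empty list after disabling UPnP confirms it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            found.append(parse_ssdp_response(sock.recvfrom(65535)[0]))
    except socket.timeout:
        return found
    finally:
        sock.close()


# Constructed stand-ins for a router's replies (assumed address 192.168.1.1).
SAMPLE_SSDP = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
               "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
               f"ST: {IGD_ST}\r\nUSN: uuid:0000-router::{IGD_ST}\r\n\r\n").encode()
SAMPLE_DESC = f"""<?xml version="1.0"?>
<root xmlns="{DEV_NS}"><device><serviceList><service>
<serviceType>{LANHOST}</serviceType><controlURL>/ctl/LANHostCfg</controlURL>
</service></serviceList><deviceList><device><deviceList><device><serviceList>
<service><serviceType>{WANIP}</serviceType><controlURL>/ctl/IPConn</controlURL>
</service></serviceList></device></deviceList></device></deviceList></device></root>"""
```

Nothing in the SOAP request identifies or authenticates the sender; the router acts on it because it arrived from a LAN address. That is the whole of the “local programs are trustworthy” assumption, and it is why the same bytes can come from an installed Trojan, a Flash movie in a browser tab, or any other process on the network.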

Bad UPnP Implementations on Routers

The UPnP Hacks website contains a detailed list of security issues in the ways different routers implement UPnP. These aren’t necessarily problems with UPnP itself; they’re often problems with specific UPnP implementations. For example, many routers’ UPnP implementations don’t check input properly. A malicious application might ask a router to forward traffic to a remote IP address on the Internet (instead of to a local IP address), and the router would comply, effectively turning it into a relay that launders the attacker’s connections through your home IP address. On some Linux-based routers, it’s possible to exploit UPnP to run commands on the router. (Source) The website lists many other such problems.

Is This a Problem? Yes! Millions of routers in the wild are vulnerable. Many router manufacturers haven’t done a good job of securing their UPnP implementations.
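The input checks that separate a sloppy AddPortMapping handler from a careful one, as an added example in Python (not code from the article, from the UPnP Hacks site, or from any router’s firmware). It parses a constructed AddPortMapping request, shows the permissive behaviour that turns the router into a relay, and beside it a validate function that rejects targets outside the LAN subnet and, in a secure mode modelled on the idea behind miniupnpd’s secure_mode option (assumed here as the design, not quoted from its code), any target other than the requesting host. The sample requests, addresses and the 192.168.1.0/24 LAN are constructed for the example.

```python
# Added example, not code from the article or any router firmware: what an
# AddPortMapping handler should check before installing a NAT rule, beside the
# permissive behaviour documented on UPnP Hacks. All requests are constructed.
import ipaddress
import xml.etree.ElementTree as ET

REQUIRED = ("NewExternalPort", "NewProtocol", "NewInternalPort",
            "NewInternalClient", "NewEnabled", "NewLeaseDuration")


def parse_add_port_mapping(envelope):
    """Extract the action's arguments from a SOAP body, ignoring namespace
    prefixes, which vary between client stacks."""
    for el in ET.fromstring(envelope).iter():
        if el.tag.split("}")[-1] == "AddPortMapping":
            return {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
    raise ValueError("no AddPortMapping action in body")


def permissive_router(args):
    """The flawed behaviour: NewInternalClient is used as the NAT target
    unchecked, so a mapping to 203.0.113.9:25 makes the router relay
    connections from the Internet back out to the Internet."""
    return args["NewInternalClient"], int(args["NewInternalPort"])


def validate_add_port_mapping(args, requester_ip, lan_network,
                              secure_mode=True):
    """Hardened check, returning (ok, reason). The target must be a host on
    the LAN the request came from; in secure mode (the idea behind
    miniupnpd's option of that name, assumed here) it must be the requester."""
    missing = [k for k in REQUIRED if k not in args]
    if missing:
        return False, "missing argument(s): " + ", ".join(missing)
    if args["NewProtocol"] not in ("TCP", "UDP"):
        return False, "NewProtocol must be TCP or UDP"
    try:
        ext, internal = int(args["NewExternalPort"]), int(args["NewInternalPort"])
        lease = int(args["NewLeaseDuration"])
    except ValueError:
        return False, "ports and lease must be integers"
    if not (1 <= ext <= 65535 and 1 <= internal <= 65535):
        return False, "port out of range (0 as 'all ports' is refused)"
    if lease < 0:
        return False, "negative lease duration"
    try:
        client = ipaddress.ip_address(args["NewInternalClient"])
    except ValueError:
        return False, "NewInternalClient is not an IP address"
    net = ipaddress.ip_network(lan_network, strict=False)
    if client not in net or client in (net.network_address, net.broadcast_address):
        return False, f"{client} is not a host on the LAN {net}"
    if secure_mode and client != ipaddress.ip_address(requester_ip):
        return False, "secure mode: a client may only map ports to itself"
    return True, "ok"


def make_request(ext, proto, internal, client, lease=0):
    """Constructed SOAP body in the shape an IGD control point sends."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:AddPortMapping '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{internal}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            '<NewPortMappingDescription>x</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration></u:AddPortMapping>'
            '</s:Body></s:Envelope>')


# A game client mapping its own port, and the Internet-relay trick.
LAN, REQUESTER = "192.168.1.0/24", "192.168.1.50"
LEGIT = parse_add_port_mapping(make_request(27015, "UDP", 27015, REQUESTER))
RELAY = parse_add_port_mapping(make_request(8080, "TCP", 25, "203.0.113.9"))

if __name__ == "__main__":
    print("permissive router forwards to", permissive_router(RELAY))
    print("validated:", validate_add_port_mapping(RELAY, REQUESTER, LAN))
    print("validated:", validate_add_port_mapping(LEGIT, REQUESTER, LAN))
```

The relay case is the one UPnP Hacks describes: a permissive router happily installs a rule whose target is on the Internet. The subnet check alone stops that; secure mode goes further and stops one infected machine from opening ports to every other host on the LAN, at the cost of breaking legitimate setups where a PC maps ports on behalf of a console or NAS.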

Image Credit: Ben Mason on Flickr

Should You Disable UPnP?

When I started writing this post, I expected to conclude that UPnP’s flaws were fairly minor, a simple matter of trading a little bit of security for some convenience. Unfortunately, it does appear that UPnP has a lot of problems. If you don’t use applications that need port forwarding, such as peer-to-peer applications, game servers, and many VoIP programs, you may be better off disabling UPnP entirely. Heavy users of these applications will want to consider whether they’re prepared to give up some security for the convenience. You can still forward ports without UPnP; it’s just a bit more work. Check out our guide to port forwarding.

On the other hand, there’s no sign that these router flaws are being actively exploited in the wild, so the actual chance that you’ll come across malicious software that exploits flaws in your router’s UPnP implementation is fairly low. Some malware does use UPnP to forward ports (the Conficker worm, for example), but I haven’t come across an example of a piece of malware exploiting these router flaws.

How Do I Disable It? If your router supports UPnP, you’ll find an option to disable it in its web interface. Consult your router’s manual for more information. After you’ve disabled it, confirm that the change actually took: a UPnP-aware application (or a UPnP discovery tool) should no longer find an Internet Gateway Device on your network, and the setting should still be off after the router’s next reboot.

Do you disagree about UPnP’s security? Leave a comment!

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 08/24/12

Comments (10)

  1. Bill

    When installing a new program that needs to change the firewall settings in the router, I turn UPnP on, install the program, test it, then turn it back off. That’s a bit easier than manually configuring ports in the router.

  2. john kabbi

    I agree.

  3. TheFu

    Yes. UPnP is bad.

    WPS is bad.
    WEP is bad. It is easier to hack a WEP key than look it up.
    WPA2 with any key less than 20 characters is bad. Use a sentence to get something long.

    Routers with default passwords are worse than all these other things.

    Never expect any radio networking technology to be as secure as wired ethernet. That is just a fact of life. Broadcasting data over the radio provides nearly infinite data to analyze and hack.

    Bill’s method might work and reduce the attack surface, I don’t know. What happens when the router gets rebooted?

  4. r

    Yes, turning UPnP off until a program install does help.

    When a router gets a soft reboot... it reboots, that’s about it.

  5. Dave

    Is UPnP only for external connections? If I turn it off, will it affect any local-only file shares, i.e. streaming a video from my computer to my WD TV Live, or sharing a folder so I can access said folder on another computer?

  6. mikmik

    Not every computer is connected through a router, not by a long shot. All kinds of people have coaxial straight from a modem. Is this as bad as having a router with UPnP enabled? Or worse?
    Just to put things into perspective here. I know NAT makes having a router better, but surely having UPnP disabled, although not recommended if you have a router, is less of a risk than a straight link to the ethernet, I would think.

  7. GiddyUpGo

    Gibson Research Corporation has a small program that will let you turn UPnP on or off.
    http://www.grc.com/unpnp/unpnp.htm
    Is there a need for this kind of program now?

  8. West

    I agree completely! Very concisely put.

  9. John

    I think like the author I was on the side of UPnP being safe enough to leave enabled. But having looked at some of the exploits being engineered I think it’s certainly a potential target and there is little that can be done to secure it. The only possible solution would be for the router software to be able to alert the user about a request to open a port. I guess if every device had a Firewall enabled they may still get that request depending on the firewall type. For me, my decision to disable UPnP was based on the fact that I do not require it for a gaming server or VOIP or any other service. Even if I did I could manually enter the information into the router. The real problem is the router manufacturers have to dumb-proof the routers so as to reduce customer service complaints and issues. Sometimes this involves leaving a router less secure simply to alleviate problems for customer setups. Same thing went on for years with routers being shipped with no security enabled for WiFi.

  10. Sunil

    Really useful information here, I wasn’t aware that my router was as open a security threat as it now appears. I, for one, will be taking heed of the advice given!
    Thank you Chris!
