UPnP comes enabled by default on many new routers. At one point, the FBI and other security experts recommended disabling UPnP for security reasons. But how secure is UPnP today? Are we trading security for convenience when using UPnP?
UPnP stands for “Universal Plug and Play.” Using UPnP, an application can automatically forward a port on your router, saving you the hassle of forwarding ports manually. We’ll be looking at the reasons people recommend disabling UPnP, so we can get a clear picture of the security risks.
Image Credit: comedy_nose on Flickr
Malware On Your Network Can Use UPnP
A virus, Trojan horse, worm, or other malicious program that manages to infect a computer on your local network can use UPnP, just like legitimate programs can. While a router normally blocks incoming connections, preventing some malicious access, UPnP could allow a malicious program to bypass the firewall entirely. For example, a Trojan horse could install a remote control program on your computer and open a hole for it in your router’s firewall, allowing 24/7 access to your computer from the Internet. If UPnP were disabled, the program couldn’t open the port – although it could bypass the firewall in other ways and phone home.
Is This a Problem? Yes. There’s no getting around this one – UPnP assumes local programs are trustworthy and allows them to forward ports. If malware not being able to forward ports is important to you, you’ll want to disable UPnP.
The FBI Told People to Disable UPnP
Near the end of 2001, the FBI’s National Infrastructure Protection Center advised all users disable UPnP because of a buffer overflow in Windows XP. This bug was fixed by a security patch. The NIPC actually issued a correction for this advice later, after they realized that the problem wasn’t in UPnP itself. (Source)
Is This a Problem? No. While some people may remember the NIPC’s advisory and have a negative view of UPnP, this advice was misguided at the time and the specific problem was fixed by a patch for Windows XP over ten years ago.
Image Credit: Carsten Lorentzen on Flickr
The Flash UPnP Attack
UPnP doesn’t require any sort of authentication from the user. Any application running on your computer can ask the router to forward a port over UPnP, which is why the malware above can abuse UPnP. You might assume that you’re secure as long as no malware is running on any local devices – but you’re probably wrong.
The Flash UPnP Attack was discovered in 2008. A specially crafted Flash applet, running on a web page inside your web browser, can send a UPnP request to your router and ask it to forward ports. For example, the applet could ask the router to forward ports 1-65535 to your computer, effectively exposing it to the entire Internet. The attacker would have to exploit a vulnerability in a network service running on your computer after doing this, though – using a firewall on your computer will help protect you.
Unfortunately, it gets worse — on some routers, a Flash applet could change the primary DNS server with a UPnP request. Port forwarding would be the least of your worries – a malicious DNS server could redirect traffic to other websites. For example, it could point Facebook.com at another IP address entirely – your web browser’s address bar would say Facebook.com, but you’d be using a website set up by a malicious organization.
Is This a Problem? Yes. I can’t find any sort of indication that this was ever fixed. Even if it was fixed (this would be difficult, as this is a problem with the UPnP protocol itself), many older routers still in use would be vulnerable.
Bad UPnP Implementations on Routers
The UPnP Hacks website contains a detailed list of security issues in the ways different routers implement UPnP. These aren’t necessarily problems with UPnP itself; they’re often problems with UPnP implementations. For example, many routers’ UPnP implementations don’t check input properly. A malicious application might ask a router to redirect network to remote IP addresses on the Internet (instead of local IP addresses), and the router would comply. On some Linux-based routers, it’s possible to exploit UPnP to run commands on the router. (Source) The website lists many other such problems.
Is This a Problem? Yes! Millions of routers in the wild are vulnerable. Many router manufacturers haven’t done a good job of securing their UPnP implementations.
Image Credit: Ben Mason on Flickr
Should You Disable UPnP?
When I started writing this post, I expected to conclude that UPnP’s flaws were fairly minor, a simple matter of trading a little bit of security for some convenience. Unfortunately, it does appear that UPnP has a lot of problems. If you don’t use applications that need port forwarding, such as peer-to-peer applications, game servers, and many VoIP programs, you may be better off disabling UPnP entirely. Heavy users of these applications will want to consider whether they’re prepared to give up some security for the convenience. You can still forward ports without UPnP; it’s just a bit more work. Check out our guide to port forwarding.
On the other hand, these router flaws are not actively being used in the wild, so the actual chance that you’ll come across malicious software that exploits flaws in your router’s UPnP implementation is fairly low. Some malware does use UPnP to forward ports (the Conficker worm, for example), but I haven’t come across an example of a piece of malware exploiting these router flaws.
How Do I Disable It? If your router supports UPnP, you’ll find an option to disable it in its web interface. Consult your router’s manual for more information.
Do you disagree about UPnP’s security? Leave a comment!