Everyone who is familiar with UPnP can stop reading now, unless you’re curious, because you’ve probably already disabled it. UPnP has been a huge security issue ever since its release, with exploitable vulnerabilities showing up with alarming frequency all through the last decade. If you don’t know what it is, or don’t know why you should be worried about it — you definitely should — read on.
What Is UPnP?
UPnP is, in theory, a very useful service that allows devices on your home network to automatically configure themselves and talk to each other without the hassle of having to set them up. UPnP stands for Universal Plug and Play. Many pieces of network-enabled equipment come with UPnP enabled, including routers, DVRs, printers, media servers, game consoles, and just about anything else you can think of.
What’s The Problem?
Great though UPnP is at making home networking user-friendly, it was extremely badly implemented from a security perspective. In fact, it has no security verification at all. That means that it will accept an incoming connection from any other machine that says hello, and won’t check to make sure they aren’t sending it anything bad.
That would be worrying enough if UPnP were deployed only on internal networks, where there is no access to the Internet at large, but, unfortunately, a number of routers expose UPnP on the WAN interface.
In a recent study, the security researcher HD Moore of Rapid7, makers of the Metasploit security testing software, discovered that over 80 million routers were exposing UPnP on the Internet, and as many as 50 million of them are vulnerable to one of three exploits, which are explained in the white paper. Up to 50 million routers may be vulnerable to buffer overflow attacks that would give hackers control over them and access to their internal network. This flaw is present in routers from most of the major manufacturers, including Linksys, Cisco, and D-Link.
Additionally, a Croatian security group announced a separate remote code execution vulnerability in Broadcom’s implementation of UPnP. Many router manufacturers use Broadcom’s components.
What Should I Do?
First, check to see if you’re vulnerable. Steve Gibson from GRC Labs has created a tool that will carry out a port scan of your router to check if it is listening on the relevant port. If you’re interested in a thorough explanation of the problem, Gibson’s and Leo Laporte’s Security Now show covered it in some detail.
If you do find that your router is exposing UPnP to the network, that doesn’t necessarily mean your network is vulnerable, but it’s more than likely it is.
The solution is two-fold: first, turn off UPnP in your router; second, make sure that your firewall is blocking the 1900/UDP port and the 2869/TCP port if you are using Windows (h/t to ZDNet). How you achieve this will depend on your specific firewall and router.