Last week security researcher HD Moore unveiled his latest paper “Unplug. Don’t Play,” which looked into vulnerabilities in popular Universal Plug and Play (UPnP) implementations.
What is UPnP? Paul Ducklin explained the principles and the reason behind it in his recent article about insecurity in video cameras, but the simple version is this: in my opinion, UPnP is one of the worst ideas ever.
Let’s put it this way: UPnP is a protocol designed to automatically configure networking equipment without user intervention.
Sounds good, right? Until you think about it. UPnP allows things like Xboxes to tell your firewall to punch a hole through so you can play games.
UPnP also allows malware to punch holes in your firewall making access for criminals far easier.
Generally speaking it is a bad idea to implement something that can disable security features without authentication or the knowledge of the person controlling the device.
So we know the dangers of rogue devices or software on the inside exploiting UPnP. Now imagine if UPnP also listened on the outside interface.
We don’t have to imagine, as Moore has done the work for us. He discovered over 81 million UPnP devices on the internet, 17 million of which appeared to be remotely configurable.
As if that isn’t bad enough, Moore also discovered ten new vulnerabilities in the two most popular UPnP implementations.
His scans show over 23 million devices vulnerable to a remote code execution flaw.
Vulnerable products include webcams, printers, security cameras, media servers, smart TVs and routers.
The last one is what is scariest. Nearly every vendor you have ever heard of in the home/SOHO business has routers on the list of vulnerable products.
How a router manufacturer could ship a product that lets you configure the firewall without authentication on the outside interface is beyond me.
Many routers do not have an option to disable UPnP, and even worse, others have an option that doesn't actually do anything.
If you want to check and see if your router is on the list, Moore linked to lists of the more than 6,900 vulnerable products from 1,500 vendors on the last page of his report.
If your product is affected you should contact the vendor for a fix.
If no fix is available consider replacing the device with one that doesn’t support UPnP or can properly disable it.
Might just be an opportune time to consider upgrading to the free Sophos UTM Home Edition (which doesn’t support UPnP).
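As an added illustration (not code from the article or from HD Moore's report), the following Python script shows what "UPnP listening on an interface" looks like on the wire: it builds the SSDP M-SEARCH discovery datagram that UPnP devices answer on UDP port 1900, parses any `HTTP/1.1 200 OK` reply, and reports the device-description URL and the `SERVER` string a defender would compare against a vendor advisory. The sample reply embedded in the script is constructed for the offline demo; the gateway address you pass on the command line is assumed to be your own router.

```python
"""
Added example, not from the Naked Security article or HD Moore's report:
a LAN-side check of whether a gateway answers UPnP/SSDP discovery on UDP
1900 (the same protocol the external GRC test exercises), plus a parser
for the reply so the result can be inspected rather than eyeballed.
"""
import socket
import sys
from typing import Dict, List, Optional

SSDP_MCAST_ADDR = "239.255.255.250"  # standard SSDP multicast group
SSDP_PORT = 1900                     # standard SSDP UDP port

# Constructed sample of a typical SSDP discovery reply (not a real device).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleSDK/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2,
                  host: str = SSDP_MCAST_ADDR) -> bytes:
    """Build an SSDP M-SEARCH request: request line, HOST, MAN, MX (max
    seconds a device may delay its reply), ST (search target), blank line."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(datagram: bytes) -> Optional[Dict[str, str]]:
    """Parse a unicast SSDP reply into lower-cased header -> value.
    Returns None for anything that is not a '200 OK' response
    (a NOTIFY announcement, an empty datagram, or junk bytes)."""
    text = datagram.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def summarize(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep the fields that matter for an exposure review: where the device
    description (and thus the SOAP control URLs) is served, and the stack
    the device claims to run, for comparison against vendor advisories."""
    return {
        "location": headers.get("location", ""),
        "server": headers.get("server", ""),
        "usn": headers.get("usn", ""),
    }


def probe(host: str, timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH to `host` (your own gateway, or the multicast
    group to see every UPnP device on the LAN) and collect the replies.
    An empty list means nothing at that address answered discovery."""
    request = build_msearch(host=host)
    found: List[Dict[str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        if host == SSDP_MCAST_ADDR:
            sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.sendto(request, (host, SSDP_PORT))
        while True:
            try:
                data, _addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append(summarize(headers))
    return found


if __name__ == "__main__":
    # Offline demo on the constructed sample, then an optional live probe
    # of the gateway address given on the command line (your own router).
    print("sample reply ->", summarize(parse_ssdp_response(SAMPLE_REPLY) or {}))
    if len(sys.argv) > 1:
        target = sys.argv[1]
        replies = probe(target)
        if not replies:
            print(f"{target}: no UPnP discovery reply")
        for r in replies:
            print(f"{target}: answers UPnP discovery -> {r['server']} at {r['location']}")
```

Run it with your router's LAN address (for example `python upnp_check.py 192.168.1.1`, a placeholder) from inside the network. Any reply means the device is running a UPnP stack at all, which is the thing to switch off if you do not need it; a LAN-side probe cannot reliably reproduce the view from the Internet through NAT, so confirm the WAN side is silent with the external test described in the comments below after disabling it.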
Also, if UPnP wasn't introduced into routers in the first place, users would be forced to set it up themselves. This means that if it goes wrong, they will know how to fix it themselves, making everybody's lives much easier IMHO.
The only trouble is, Moore recommends a scanning tool that requires Java if it is to work!
Steve Gibson of GRC.com has been discussing the wide open vulnerabilities of UPnP for over a year on his net cast/podcast ‘Security Now!’ This past week he began providing a free test of UPnP implementations from outside your firewall which he calls ‘GRC’s Instant UPnP Exposure Test.’ It is provided alongside his free ‘Shields Up!’ service. To take the test, go to:
https://GRC.com
Click on the Services menu at the top of the page and choose ‘Shields Up!’ You’ll see the UPnP Test about a quarter down the page with a large orange button.
I was pleased to find that my Motorola SBG6580 cable modem/Wi-Fi router correctly implements UPnP such that it has no exposure outside the device’s firewall. That’s the way UPnP is supposed to work. Therefore, don’t assume that every UPnP implementation is lazy and dangerous. Just expect that MOST UPnP implementations are lazy and dangerous.
Hi Derek,
Thanks very much for pointing this out.
While I was aware of the old UPnP utility that Steve Gibson made available many years ago, the most recent update to Shields Up is new to me.
I ran the new Universal Plug n'Play (UPnP) Internet Exposure Test and I passed:
———————————————————–
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)
———————————————————–
It looks like my recommendations from last week were correct. Thank you very much for the reassurance this gives me that my network is secure. I was confident my recommendations were correct and this verifies it.
Enjoy the rest of your day.
Is there a list of exploitable routers anywhere available online?
As Chester says near the end, "Moore linked to lists of the more than 6,900 vulnerable products from 1,500 vendors on the last page of his report"…
Your best bet is to follow the link to Moore's article (which is at the top of Chester's article 🙂
HtH.
See page 28 of the report for links to three lists of affected devices.
Just checked my Netgear DG834Gv5 and it passed. Mind you, I had read previously that UPnP was not safe so had manually disabled it. The default setting is On so it is risky and needs to be changed, as I did.
I have always known UPnP was an insecure POS since I first started messing with computers and routers. Scanned my entire company network. No vulnerabilities. Thank you for the heads up on this issue!
So, you have given us the tools to check our vulnerability. Not everyone will find they are invulnerable. What does one do if their device is shown to be exploitable?
Hi Thomas,
From Paul Ducklin’s article on this issue last week, he mentioned some recommendations in the comments section at the end of the article. I also provided recommendations in the comments section too. Last week’s article is linked to above by Chester and is also available from the following link:
http://nakedsecurity.sophos.com/2013/01/29/what-if-your-security-camera-were-an-insecurity-camera/
Advice is also given in the following US-CERT advisory and ZDNet article:
http://www.kb.cert.org/vuls/id/922681
http://www.zdnet.com/how-to-fix-the-upnp-security-holes-7000010584/
I realize that this advice is technical, but if you require any further advice, I will do my best to assist you by providing straightforward answers.
Thank you.
Thanks, JimboC. I'll review the material suggested and hope I can comprehend it. In the event I do need further advice, should I write you at the link provided when your name is highlighted?
Hi Thomas,
When you highlight my name, the IntenseDebate profile does not allow a person to write to another. The best way to contact me is to reply to my comments as you have just done. If this is not sufficient I will set up another option so that you can direct message me.
I hope this helps. Thank you.
Hi Thomas,
I have set up an email address you can reach me at. I will provide it to you if you wish.
Thanks.
The only options in that case are to turn off UPnP and leave it off, OR pester the hardware provider for a firmware update that implements safe UPnP. Good luck with that.
That would be the end of the article:
If your product is affected you should contact the vendor for a fix.
If no fix is available consider replacing the device with one that doesn't support UPnP or can properly disable it.
Might just be an opportune time to consider upgrading to the free Sophos UTM Home Edition (which doesn't support UPnP).
Of course, if your product fails but UPnP can be successfully disabled on the router (need to test, using the GRC tool, for example), then you can always do that. If you can't figure out how to disable it, you're back to "contact the vendor for a fix" bit — vendor likely being either your ISP, the store you bought it from, or the company who makes the product.
Steve Gibson’s older UPnP test, as part of Shields Up! didn’t test UDP Internet access to routers via UPnP, only TCP access. Therefore, it was not applicable to the recently revealed problem.
The new test Steve Gibson provided this past week is specifically for UDP access to UPnP, covering all the bases.
In order to disable UPnP on my router I had to resort to installing the free open source DD-WRT firmware. Tomato and OpenWRT are other acceptable open source alternatives. It is shameful how quickly home and SMB router vendors cease to release firmware for older hardware! Thankfully there is no need to spend a single dime if you can find an open source firmware for it. One can also perform a TON of tweaks and new tricks using these open source firmwares.
At the time of this posting, I cannot connect to the GRC.com site. Server can't handle all the connection requests? DDOS attack? Beats me, but so far my SeaMonkey browser interminably shows "Loading…", but cannot load any page on that website.
Hi Nigel,
Don’t worry it’s not just you. I was trying to generate a secure password using:
https://www.grc.com/passwords.htm
It would not load for me a few hours ago, but it is working now. The Shields Up service and UPnP tester are also working now. It's almost 8 PM GMT right now.
Thanks.
This confirms my thoughts on UPnP. Thankfully I've had it disabled for years; it's just concerning that UPnP is enabled by default on most routers. I understand why it's often enabled by default though, especially on routers designed for home users. The vast majority of average computer users wouldn't know where to start when it comes to NAT and correctly configuring their router.