
Wi-Fi routers vulnerable to UPnP attack from hackers

By | January 15, 2008, 8:28am PST


A couple of weeks ago we discovered that it’s possible for viruses to quickly spread among unsecured or WEP-encrypted Wi-Fi routers in densely populated urban areas. The solution seemed to be simple: Use WPA encryption and strong passwords. Now, based on an article at Gnucitizen, there’s another way for hackers to take down your router. In theory, at least.

The article describes a process that enables hackers to take control of routers by using UPnP. UPnP is a protocol that allows you to automatically perform administrative tasks such as obtaining network settings and opening ports for communication. I have it enabled on my router because, somewhere along the line, I was testing a wireless product and the tech-support rep advised that I enable UPnP to ensure the product worked seamlessly. It’s a matter of convenience for me (I like it when things work out of the box).

Gnucitizen describes a way that hackers can attack a UPnP-enabled device, like my Linksys router, across the Web. The process involves exploiting a mechanism that uses an XSS (cross-site scripting) vulnerability to add a port-forwarding rule within the targeted device's firewall. According to the article:

Once the XSSed SOAP request is actualized, the attacker will be able to get access to an internal service over the portforward. Given the fact that the attacker can change the primary DNS server of the target router, as well, the problem seems to be more than scary and very, very concerning.

The worst that could happen: A hacker could change your primary DNS server and turn the router into a zombie. The article states that 99 percent of home routers could fall victim to such attacks because they support UPnP. Of course, UPnP would have to be enabled for this to be true. And I believe most routers ship with UPnP disabled.

Should you turn off UPnP to protect your network? At this point, the danger seems more theoretical than real. But I browsed several message boards and found that many people advised that you disable UPnP. I’m going to disable it on my router and see how it affects the other devices on my network. I’ll let you know what happens.


Rik Fairlie


For the past 15 years, Rik Fairlie has covered technology and the business of technology for numerous publications and Web sites, including CNET, PC Magazine, Computer Shopper, Family PC, and Mobile Computing. He has also published tech stories in The New York Times, Frequent Flyer, and Travel & Leisure. Rik has served as editor in chief of Computer Shopper and managing editor of Mobile Communications.

Talkback Most Recent of 13 Talkback(s)

  • Routers with UPnP enabled
    Mr. Fairlie,
    I would have to disagree with you regarding that most routers have UPnP disabled when shipped. Most [if not all] of the wireless routers that I have worked with in the last 12-24 months have UPnP enabled straight from the factory/store shelf. We have always recommended to our clients to disable it unless there is a very real need to have it enabled.
    dan_withrow
    15th Jan 2008
  • That's been my experience, too
    And I've disabled it on any that I've used and haven't experienced any issues that I know of related to it.
    brble
    15th Jan 2008
  • Conflicted
    For a while now, I've been turning off UPnP on all routers I configured for friends and family. HOWEVER, I found this significantly increased my phone support times as I had to walk these people through turning on UPnP or setting up port forwarding every time I needed to help them using XP's Remote Assistance. HUGE PAIN for the non-IT-savvy. So, lately I have been leaving UPnP turned on for these folks. Now I'm wondering if the risk is worth the reward....
    bmgoodman
    16th Jan 2008
  • Remote Assistance without UPnP
    http://support.microsoft.com/kb/301529 gives you various scenarios for using Remote Assistance where either the Novice or the Expert is behind a non-UPnP router.
    lcooksey
    16th Jan 2008
  • Thanks, but
    I usually disable Windows messenger, so I offer Remote Assistance by having the novice send an e-mail invitation. According to my experience and your KB link, the latter method won't work with the novice behind a non-UPnP router. Of course, if you're patient and you have access to the novice's router manual, you can talk him through port forwarding. But both parties have to be VERY patient! I *HAVE* done this for some novices, but others just lack the skill to complete the router setup. That's why I've begun using UPnP for these people. When sending the RA Invitation, XP takes care of configuring the port forwarding on the router. It even turns it back off an hour after the invitation expires.

    All of which brings me back to my original point of which is the lesser of the two evils!
    bmgoodman
    16th Jan 2008
  • So, besides remote assistance...
    Besides remote assistance, what sort of things use UPnP? I guess I'd prefer to disable it but I hate doing that and then finding out a month later that something I haven't used in a while no longer works. I can't remember all that stuff!!! ;)
    timmycb
    16th Jan 2008
  • Lots
    BitTorrent, Morpheus, Skype, and any other number of programs make use of UPnP. IM, P2P, some games, you name it.
    ParrotHeadFL
    17th Jan 2008
  • Hasn't SECURITY NOW!'s Steve Gibson mentioned this - repeatedly?
    If you check his past show notes, you'll see Gibson has repeatedly urged people to switch UPnP off - and in fact has a freeware app for Windows to disable it called "Unplug and Pray" (http://www.grc.com/UnPnP/UnPnP.htm ).
    drprodny
    20th Jan 2008
  • UPnP is more convenient for hackers than users.
    For the average home user, how many servers do they run on their computer that require a dynamic incoming port? You might as well do the mapping explicitly.
    SamCPP
    28th Jan 2008
  • Sounds like a variant of the previous JS attack
    Is it just me or does this sound like a variant of the previous JS attack? I wouldn't be surprised if this was authored by the same creators of the previous attack... IMO these exploits are a good thing because it'll motivate people to go beyond just plugging in their router and to actually get them to securely configure their router. 99% of the wireless networks I spot in the city here use default settings, hopefully these exploits will lower that percentage.

    - John Musbach
    John Musbach
    17th Jan 2008
  • Can't this issue also be disabled through Windows?
    Right mouse clicking My Computer -> Properties -> Remote tab and unchecking Remote Assistance?

    I believe UPnP can also be disabled in services.msc.
    hasta la Vista, bah-bie
    18th Jan 2008
  • Won't help.
    The problem is with the UPnP service running in the router.
    That is where the port forwarding is done in the router's firewall.
    UPnP services in the PC allow the PC to talk to and control other UPnP devices............such as the router.
    The_Curmudgeon
    18th Jan 2008
  • RE: Wi-Fi routers vulnerable to UPnP attack from hackers
    Thanks for the article. I think we should be very worried about the SOHO router problems. We have FIOS TV, telephone and Internet. I discovered the ActionTec router Verizon gave us had been hacked about two months ago. No matter what I do, I can't secure it. I've disabled wireless and put it behind a more secure router. Just checked the settings - hacked again. Once more - locked out of the ActionTec router and I'll have to reset it. Does anyone have any suggestions? Verizon won't/can't replace it (needed for FIOS TV) and won't/can't run a separate Internet line so the internet and TV are isolated. Is there a device I can put between the ActionTec and the more secure router for example?
    WryWebber
    24th Mar 2009
