Wi-Fi routers vulnerable to UPnP attack from hackers

A couple of weeks ago we discovered that it’s possible for viruses to quickly spread among unsecured or WEP-encrypted Wi-Fi routers in densely populated urban areas. The solution seemed to be simple: Use WPA encryption and strong passwords. Now, based on an article at Gnucitizen, there’s another way for hackers to take down your router. In theory, at least.

The article describes a process that enables hackers to take control of routers by using UPnP. UPnP is a protocol that allows you to automatically perform administrative tasks, like obtaining network settings and opening ports for communication. I have it enabled on my router because, somewhere along the line, I was testing a wireless product and the tech-support rep advised that I enable UPnP to ensure the product worked seamlessly. It’s a matter of convenience for me (I like it when things work out of the box).

Gnucitizen describes a way that hackers can attack a UPnP-enabled device, like my Linksys router, across the Web. The process involves exploiting a mechanism that uses an XSS (cross-site scripting) vulnerability to add a port-forwarding rule within the targeted device’s firewall. According to the article:

Once the XSSed SOAP request is actualized, the attacker will be able to get access to an internal service over the portforward. Given the fact that the attacker can change the primary DNS server of the target router, as well, the problem seems to be more than scary and very, very concerning.

The worst that could happen: A hacker could change your primary DNS server and turn the router into a zombie. The article states that 99 percent of home routers could fall victim to such attacks because they support UPnP. Of course, UPnP would have to be enabled for this to be true. And I believe most routers ship with UPnP disabled.

Should you turn off UPnP to protect your network? At this point, the danger seems more theoretical than real. But I browsed several message boards and found that many people advised that you disable UPnP. I’m going to disable it on my router and see how it affects the other devices on my network. I’ll let you know what happens.
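
One way to review what UPnP has already opened on a router, as an added example that is not from the original article or from Gnucitizen: the script parses `GetGenericPortMappingEntryResponse` bodies (the standard UPnP IGD reply describing one port-forwarding rule) and flags rules worth a look. The sample replies, `KNOWN_CLIENTS` and `SENSITIVE_PORTS` are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SENSITIVE_PORTS = {22, 23, 80, 443, 445, 3389}  # assumption: never expose these
KNOWN_CLIENTS = {"192.168.1.20"}                # assumption: hosts allowed to map ports
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient",
          "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def make_response(*values):
    """Build a constructed SOAP reply describing one port-forwarding rule."""
    args = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'{args}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def parse_mapping(soap_xml):
    """Extract the rule's arguments from one SOAP reply."""
    # For replies read from a real device, a hardened parser such as defusedxml is safer.
    root = ET.fromstring(soap_xml)
    found = {el.tag: (el.text or "").strip() for el in root.iter() if el.tag in FIELDS}
    missing = [k for k in FIELDS if k not in found]
    if missing:
        raise ValueError(f"not a port-mapping reply, missing {missing}")
    return found

def audit(rule):
    """Return the reasons a rule deserves a look (empty list means none)."""
    if rule["NewEnabled"] != "1":
        return []  # a disabled rule forwards nothing
    reasons = []
    if rule["NewInternalClient"] not in KNOWN_CLIENTS:
        reasons.append("unknown internal client")
    if int(rule["NewInternalPort"]) in SENSITIVE_PORTS:
        reasons.append("sensitive internal port exposed")
    if rule["NewLeaseDuration"] == "0":
        reasons.append("permanent lease")
    return reasons

SAMPLES = [  # constructed data, not captured from a real router
    make_response(51413, "TCP", 51413, "192.168.1.20", 1, "BitTorrent", 3600),
    make_response(8080, "TCP", 80, "192.168.1.1", 1, "constructed-rule", 0),
]

def audit_all(samples=SAMPLES):
    return {r["NewExternalPort"]: audit(r) for r in map(parse_mapping, samples)}

if __name__ == "__main__":
    for port, reasons in audit_all().items():
        print(port, reasons or "ok")
```

A rule that nobody on the network remembers requesting, especially a permanent one pointing at an administrative port, is the kind of port forward the attack described above would leave behind.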


Talkback

13 comments
  • Routers with UPnP enabled

    Mr. Fairlie,
    I would have to disagree with you regarding that most routers have UPnP disabled when shipped. Most [if not all] of the wireless routers that I have worked with in the last 12-24 months have UPnP enabled straight from the factory/store shelf. We have always recommended to our clients to disable it unless there is a very real need to have it enabled.
    dan_withrow
    • That's been my experience, too

      And I've disabled it on any that I've used and haven't experienced any issues that I know of related to it.
      brble
      • Conflicted

        For a while now, I've been turning off UPnP on all routers I configured for friends and family. HOWEVER, I found this significantly increased my phone support times as I had to walk these people through turning on UPnP or setting up port forwarding every time I needed to help them using XP's Remote Assistance. HUGE PAIN for the non-IT-savvy. So, lately I have been leaving UPnP turned on for these folks. Now I'm wondering if the risk is worth the reward....
        bmgoodman
        • Remote Assistance without UPnP

          http://support.microsoft.com/kb/301529 gives you various scenarios for using Remote Assistance where either the Novice or the Expert is behind a non-UPnP router.
          lcooksey
          • Thanks, but

            I usually disable Windows messenger, so I offer Remote Assistance by having the novice send an e-mail invitation. According to my experience and your KB link, the latter method won't work with the novice behind a non-UPnP router. Of course, if you're patient and you have access to the novice's router manual, you can talk him through port forwarding. But both parties have to be VERY patient! I *HAVE* done this for some novices, but others just lack the skill to complete the router setup. That's why I've begun using UPnP for these people. When sending the RA Invitation, XP takes care of configuring the port forwarding on the router. It even turns it back off an hour after the invitation expires.

            All of which brings me back to my original point of which is the lesser of the two evils!
            bmgoodman
          • So, besides remote assistance...

            Besides remote assistance, what sort of things use UPnP? I guess I'd prefer to disable it but I hate doing that and then finding out a month later that something I haven't used in a while no longer works. I can't remember all that stuff!!! ;-)
            timmycb
          • Lots

            BitTorrent, Morpheus, Skype, and any other number of programs make use of UPnP. IM, P2P, some games, you name it.
            ParrotHeadFL
    • Hasn't SECURITY NOW!'s Steve Gibson mentioned this - repeatedly?

      If you check his past show notes, you'll see Gibson has repeatedly urged people to switch UPnP off - and in fact has a freeware app for Windows to disable it called "Unplug and Pray" (http://www.grc.com/UnPnP/UnPnP.htm ).
      drprodny
    • UPnP is more convenient for hackers than users.

      For the average home user, how many servers do they run on their computer that require a dynamic incoming port? You might as well do the mapping explicitly.
      SamCPP
  • Sounds like a variant of the previous JS attack

    Is it just me or does this sound like a variant of the previous JS attack? I wouldn't be surprised if this was authored by the same creators of the previous attack... IMO these exploits are a good thing because it'll motivate people to go beyond just plugging in their router and to actually get them to securely configure their router. 99% of the wireless networks I spot in the city here use default settings, hopefully these exploits will lower that percentage.

    - John Musbach
    John Musbach
  • Can't this issue also be disabled through Windows?

    Right mouse clicking My Computer -> Properties -> Remote tab and unchecking Remote Assistance?

    I believe UPnP can also be disabled in services.msc.
    hasta la Vista, bah-bie
    • Won't help.

      The problem is with the UPnP service running in the router.
      That is where the port forwarding is done in the router's firewall.
      UPnP services in the PC allow the PC to talk to and control other UPnP devices............such as the router.
      The_Curmudgeon
  • RE: Wi-Fi routers vulnerable to UPnP attack from hackers

    Thanks for the article. I think we should be very worried about the SOHO router problems. We have FIOS TV, telephone and Internet. I discovered the ActionTec router Verizon gave us had been hacked about two months ago. No matter what I do, I can't secure it. I've disabled wireless and put it behind a more secure router. Just checked the settings - hacked again. Once more - locked out of the ActionTec router and I'll have to reset it. Does anyone have any suggestions? Verizon won't/can't replace it (needed for FIOS TV) and won't/can't run a separate Internet line so the internet and TV are isolated. Is there a device I can put between the ActionTec and the more secure router for example?
    WryWebber