How to fix the UPnP security holes

Summary: Universal Plug and Play has always had security holes. Here's how to plug them.

The US Department of Homeland Security is urging everyone to disable the common networking Universal Plug and Play (UPnP) protocol. This is being done because Rapid7 security researchers have found that tens of millions of devices worldwide are wide open to attack because of flaws in the network protocol and its implementations.

While the US Computer Emergency Readiness Team (US-CERT) specifically talks about devices that use versions of libupnp, the open-source portable software development kit (SDK) for UPnP earlier than 1.6.18, UPnP has been, is now, and will always be a security nightmare of a protocol.

Major UPnP problems have been showing up since 2001, and they've never stopped showing up. As Armijn Hemel, owner of UPnPhacks wrote, "In May 2006 I presented a paper called 'Universal Plug and Play: Dead simple or simply deadly'...In the years following my presentation very little has changed. A lot of routers are still shipped with grave security bugs, including involuntary onion routing, remote root exploits, and complete remote control over firewalls. New exploits are popping up, where bugs in Universal Plug and Play are exploited using a buggy Flash plug-in in a web browser, turning a mostly local attack into something a lot more dangerous. And that is just the beginning."

UPnP's purpose is benign. It's meant to let networked devices seamlessly discover each other with Simple Service Discovery Protocol and establish useful network service connections using a variety of other protocols, such as the Web's HTTP and Simple Object Access Protocol (SOAP). In other words, UPnP is designed to make it simple for small office and home users to set up network equipment. And, these days, that means pretty much everything and anything.

What devices, you ask? You name it. UPnP is used in routers, computers, media servers, printers, digital video recorders (DVRs), and even security cameras.

UPnP would be all fine and dandy...if it had any sort of authentication. It doesn't. So, far too often, by default any UPnP device will blindly accept communications from any source. UPnP devices consider all other devices and users to be trustworthy. Needless to say, that's not true.

Making things even worse, some routers accept UPnP requests across their Wide Area Network (WAN) interface. This is just asking to be attacked.

What that means for you is that your UPnP devices, and hence your network, may be open to a "remote, unauthenticated attacker [who can] execute arbitrary code on the device or cause a denial of service." In short, you're owned.

Here's what you can do about this.

First, and foremost, you need to make sure you've blocked UPnP at your Internet gateway. Specifically, you need your firewall to block any system from outside your LAN from accessing port 1900/UDP, and if you have Windows systems, port 2869/TCP. Of course, what you should have been doing all along with your firewall is blocking every port except the ones, such as the Web's port 80/TCP, that you must use on a daily basis.

You should also turn off UPnP on your router. Exactly how you do this varies from router to router.

For Linksys E- and WRT-series routers, follow these steps:

  1. Open a browser and type in 192.168.1.1 (Or, the IP address you assigned to your router)

  2. Enter your password to log in to the Web interface

  3. Go to Administration

  4. Select "Disable" under UPnP and Allow User to Configure

  5. Click Save.

Other routers will have different specific instructions, but they all have the same basic format. If you don't see a UPnP control immediately, look for it under your router's advanced controls.

Once you've locked down your network from outside intruders, you can start looking for devices that are vulnerable to the specific holes Rapid7 found, using its Windows application ScanNow for Universal Plug and Play (UPnP). Mac and Linux users can use the open-source Metasploit security vulnerability scanner. None of these, however, will find any future UPnP holes.

Once you find your vulnerable hardware, you can see if it has any way of letting you turn UPnP off. To do this, check the vendor's manual and online support for the UPnP settings. It's all too possible, especially for consumer black-box devices, that there won't be any way to turn it off.

In the case of some devices and services, especially media servers and players, UPnP, with its close relative Digital Living Network Alliance (DLNA), is actually necessary for them to work properly.

If, for whatever reason, you can't turn it off, you must make sure your firewall blocks UPnP traffic. All it takes is one compromised device for every system on your network to be endangered.

That done, start checking for firmware updates for your devices. The patched Portable SDK for UPnP Devices (libupnp 1.6.18) is out, but with the older, holey code in literally hundreds of different kinds of devices, I expect it to take months for the firmware to be updated in all of them. Indeed, I don't expect it to be updated at all in many older models.
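As an added example (not from the article, Rapid7 or the libupnp project), here is a small Python audit that applies two of the checks above to a constructed capture of SSDP datagrams: it flags discovery traffic that arrives on the WAN interface (the 1900/UDP traffic the gateway firewall should be dropping) and lists LAN devices whose SSDP SERVER header advertises a libupnp older than the fixed 1.6.18. The interface names, addresses and SERVER strings are constructed, and the "Portable SDK for UPnP devices/x.y.z" token is assumed here to be the string libupnp places in that header.

```python
import ipaddress
import re

# Constructed sample capture: (interface, source IP, UDP dst port, payload). Not real traffic.
SAMPLE_DATAGRAMS = [
    ("wan0", "203.0.113.7", 1900,
     "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\nST: upnp:rootdevice\r\nMX: 2\r\n\r\n"),
    ("lan0", "192.168.1.20", 1900,
     "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
     "SERVER: Linux/2.6 UPnP/1.0 Portable SDK for UPnP devices/1.6.6\r\n\r\n"),
    ("lan0", "192.168.1.30", 1900,
     "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
     "SERVER: Linux/3.2 UPnP/1.0 Portable SDK for UPnP devices/1.6.18\r\n\r\n"),
]

FIXED_LIBUPNP = (1, 6, 18)  # first libupnp release without the holes discussed above
# Assumed token that libupnp writes into the SSDP SERVER header.
LIBUPNP_RE = re.compile(r"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", re.I)


def parse_ssdp(payload):
    """Split an SSDP (HTTP-over-UDP) datagram into its start line and a header dict."""
    lines = payload.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def libupnp_version(headers):
    """Return the libupnp version advertised in SERVER as a tuple, or None."""
    m = LIBUPNP_RE.search(headers.get("SERVER", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def assess(iface, src, dport, payload):
    """Return findings for one datagram; an empty list means nothing to report."""
    findings = []
    start, headers = parse_ssdp(payload)
    if dport != 1900 or not start.startswith(("M-SEARCH", "NOTIFY")):
        return findings  # not SSDP discovery traffic
    # SSDP should never come from the Internet side; the gateway firewall must drop it.
    if iface.startswith("wan") or not ipaddress.ip_address(src).is_private:
        findings.append(f"{src}: SSDP {start.split()[0]} reached the WAN interface")
    version = libupnp_version(headers)  # LAN devices on old libupnp need firmware updates
    if version is not None and version < FIXED_LIBUPNP:
        findings.append(f"{src}: advertises libupnp {'.'.join(map(str, version))}, older than 1.6.18")
    return findings


def audit(datagrams=SAMPLE_DATAGRAMS):
    """Run assess() over a capture and collect every finding."""
    return [f for d in datagrams for f in assess(*d)]
```

Feeding the function a capture taken on the router itself (for example, SSDP traffic logged on the WAN side) turns the first check into a direct test of whether the firewall rule in the article is actually in place.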

So what can you do in the meantime? Just keep that firewall up once and for all against UPnP traffic. Inside a properly secured network, UPnP is still dangerous, but it's also useful. When exposed to the Internet, though, UPnP is a security hole big enough to drive a semi-trailer truck through.

Talkback

25 comments
  • just stick with linux

    and unlike windoze you have nothing to fear.
    LlNUX Geek
    • WOW! I didn't have my laugh today until I read your comment.

      libupnp is in fact the Linux SDK for UPnP.
      Joe_Raby
    • Count Me Impressed...

      This single statement tells a lot about your actual knowledge.
      TheCyberKnight
    • Just too funny

      LMAO ... another Linux holier-than-thou moron.
      perrrob
      • Still the same

        ZDNet comment boards are still the same fetid cesspool they were the last time I visited months ago. A shame.
        thebaldguy
  • A good post from SJVN

    Great info for those who don't know how to block uPnP.
    Owlll1net
  • The Rapid7 app requires Java

    Isn't that just great!!!!!!!!!!
    D.T.Long
    • Anyway, thanks Steven

      Disabled uPnP in router
      Installed Java on 3 machines
      Ran scanner, all good
      Uninstalled Java on 3 machines

      3 more to go, 1500 miles away

      This is just one reason I might like Chromebooks for less demanding users.
      D.T.Long
      • I for one..

        enjoyed the inset of comic relief regarding "Uninstalled Java on 3 machines". I went through the same steps, albeit on a few more systems. I'm still not big on Chromebooks, but, to each their own. Maybe, someday... Anyway, good, true, post.
        TechNickle
    • That is funny @ D.T. Long

      It's funny, as some banks require Java to access their facilities.
      Alan Smithie
    • Yes that was funny too

      I also went to rapid 7 site and was surprised to learn they required Java to run their UPnP check.
      It just goes from bad to worse. Even security experts cannot resist trouble like Java.
      jscott418-22447200638980614791982928182376
  • Great Little Article.

    http://www.leonard-mcdowell.com/index.php/johns-blog-page/upnp-security-risk.html

    I posted a comment a little earlier.
    rytb333
  • No news

    UPnP has a massive security hole for YEARS. Duh!

    Too many idiots running Windows have SSDP & UPnP enabled, which is making this issue more prevalent than it should be. In addition there are the clueless "pseudo network admins" who think they know how to set up broadband routers but fail to understand security issues.
    bitrate
    • Round them all up...

      place them in a box, and make widely generalized statements. Statements such as that can easily be countered with a call to attention regarding Java, you know. Isn't that open source? Who is more secure, a user with Java installed, or one with UPnP services active on LAN?
      TechNickle
  • If you haven't figured out how to protect from UPnP already

    Most likely you are out of business, or an aging, bitter, clueless blogger who is on his last leg begging for any kind of respectable readership...
    omdguy
  • Network for dummies

    We have created a system of security problems because many people are just not smart enough to set up a local network or device on a network on their own. I doubt many even know how to access their router's settings. Much about network setup for consumer routers has been put to task by using an application or CD to make needed setting adjustments. The sad part about this is we should have been better educating and not making stuff idiot proof.
    jscott418-22447200638980614791982928182376
  • Anyone else becoming a bit concerned

    at how Homeland Security is beginning to expand what it's responsible for?
    baggins_z
  • Half a solution...

    Turn it all off, um now what, all the devices stopped working. Need a little more info, Steven, actually a lot more.
    NoAxToGrind
  • A bit concerned?

    I was "becoming a bit concerned" when they first created the Department of Homeland Security. Like everything the government does, this is just another massive, out-of-control big government threat to our freedom.

    Rick
    rick@...
  • upnp

    Go to GRC.com

    It will tell you all you need to know about upnp. Follow its easy instructions to turn off
    upnp.
    bobmarrs@...