How to fix the UPnP security holes

The US Department of Homeland Security is urging everyone to disable the common networking Universal Plug and Play (UPnP) protocol. This is being done because Rapid7 security researchers have found that tens of million devices worldwide are wide open to attack because of flaws in the network protocol and its implementations.

While the US Computer Emergency Readiness Team (US-CERT) specifically talks about devices that use versions of libupnp, the open-source portable software development kit (SDK) for UPnP earlier than 1.6.18, UPnP has been, is now, and will always be a security nightmare of a protocol.

Major UPnP problems have been showing up since 2001, and they've never stopped showing up. As Armijn Hemel, owner of UPnPhacks wrote, "In May 2006 I presented a paper called 'Universal Plug and Play: Dead simple or simply deadly'...In the years following my presentation very little has changed. A lot of routers are still shipped with grave security bugs, including involuntary onion routing, remote root exploits, and complete remote control over firewalls. New exploits are popping up, where bugs in Universal Plug and Play are exploited using a buggy Flash plug-in in a web browser, turning a mostly local attack into something a lot more dangerous. And that is just the beginning."

UPnP's purpose is benign. It's meant to let networked devices seamlessly discover each other with Simple Service Discovery Protocol and establish useful network service connections using a variety of other protocols, such as the Web's HTTP and Simple Object Access Protocol (SOAP). In other words, UPnP is designed to make it simple for small office and home users to set up network equipment. And, these days, that means pretty much everything and anything.

What devices you ask? You name it. UPnP is used in routers, computers, media servers, printers, digital video recorders (DVRs), and even security cameras.

UPnP would be all fine and dandy...if it had any sort of authentication. It doesn't. So, far too often, by default any UPnP device will blindly accept communications from any source. UPnP devices consider all other devices and users to be trustworthy. Needless to say, that's not true.

Making things even worse, some routers accept UPnP requests across their Wide Area Network (WAN) interface. This is just asking to be attacked.

What that means for you is that your UPnP devices, and hence your network, may be open to "remote, unauthenticated attacker [who can] execute arbitrary code on the device or cause a denial of service." In short, you're owned.

Here's what you can do about this.

First, and foremost, you need to make sure you've blocked UPnP at your Internet gateway. Specifically, you need your firewall to block any system from outside your LAN from accessing the ports 1900/UDP, and if you have Windows systems, port 2869/TCP. Of course, what you should have been doing all along with your firewall is blocking every port except the ones, such as the Web's port 80/TCP, that you must use on a daily basis.

You should also turn off UPnP on your router. Exactly how you do this varies from router to router.

For Linksys E- and WRT-series routers, run:

1. Open a browser and type in 192.168.1.1 (Or, the IP address you assigned to your router)

2. Enter your password to log in to the Web interface

3. Go to Administration

4. Select "Disable" under UPnP and Allow User to Configure

5. Click Save.

Other routers will have different specific instructions, but they all have the same basic format. If you don't see a UPnP control immediately, look for it under your router's advanced controls.

Once you've locked down your network from outside intruders, you can start looking for devices that are vulnerable to the specific holes that Rapid7 found with its Windows application ScanNow for Universal Plug and Play (UPnP). Mac and Linux users can use the open-source Metasploit security vulnerability scanner. None of these, however, will find any future UPnP holes.

Once you find your vulnerable hardware, you can see if it has any way of letting you turn UPnP off. To do this, check the vendor's manual and online support for access to UPnP. It's all too possible, especially for consumer black box devices, there won't be any way to turn off.

In the case of some devices and services, especially media servers and players, UPnP, with its close relative Digital Living Network Alliance (DLNA), is actually necessary for them to work properly.

If, for whatever reason you can't turn it off, you must make sure your firewall blocks UPnP traffic. All it takes is one device to be compromised for every system on your network to be endangered.

That done, start checking for firmware updates for your device. The software patch, Portable SDK for UPnP Devices (libupnp 1.6.18) is out, but with the older, holey program in literally hundreds of different kinds of devices, I expect it to take months for the firmware to be updated in all of them. Indeed, I don't expect it to be updated at all in many older models.

So what can you do in the meantime? Just keep that firewall up once and for all against UPnP traffic. Inside a properly secured network, UPnP is still dangerous but it's also useful. When exposed to the Internet though UPnP is a security hole big enough to drive a semi-trailer truck through.

Related stories:

• Homeland Security: Disable UPnP as tens of millions at risk

• Millions of PCs exposed through network bugs, security researchers find

• Whoops: Google indexes more than 86,000 HP 'public' printers

• Google challenges hackers to take on Chrome OS

• 'Backdoor' root log-ins found in Barracuda security, networking gear