A network security company, Rapid7, recently conducted a study on the response of internet-facing equipment to UPnP requests. They discovered millions of devices that respond to UPnP requests on their internet-facing interfaces. This is not the intended behavior of UPnP, and it represents a significant security concern for those whose devices behave this way.
What is UPnP?
Universal Plug and Play (UPnP) is a technology that allows devices inside the LAN to automatically configure their internet gateway router to allow needed network traffic (typically from the internet) through the firewall. On most routers, UPnP is an option that can be enabled or disabled. To better explain UPnP, please see the following diagrams.
The first diagram shows typical, non-UPnP use of the router:
The router is normally configured to allow network traffic that is initiated from inside the LAN. (See number 1 in the diagram.) The computer inside the LAN initiates a connection to a server on the internet, and the server sends a response. The router manages the ports necessary to keep the connection going.
Number 2 in the diagram shows that unsolicited traffic is normally blocked by the router. If a computer outside the LAN tries to initiate a connection to a computer inside the LAN (or even to the router itself), the connection request is rejected by the router.
The next diagram shows the intended, typical use of UPnP:
Following are the steps shown in the diagram:
- Through various means, the computer inside the LAN determines that it needs to accept network traffic directly from one or more computers on the internet. The LAN computer uses UPnP to automatically configure the router.
- The router opens a network port to the internet and forwards any traffic arriving on that port (including unsolicited traffic) to the LAN computer.
- The computer on the internet is now able to send traffic through the now-open port in the firewall to the LAN computer.
The goal of UPnP is to make more direct connections between computers inside and outside the LAN. UPnP is often used by gaming consoles, PC games, and voice-over-IP (VOIP) services. In some cases, these games and services will not function at all when UPnP is disabled. In other cases, performance is improved by enabling UPnP on the router.
Even when UPnP is implemented properly, it can be a security risk in the LAN. Commonly, UPnP requests from inside the LAN are not authenticated. This means the router can’t tell the difference between a desired UPnP request from a benign PC game and an unwanted UPnP request from malware. If malware has infected a computer inside the LAN (through whatever means), it can use UPnP to open ports in the firewall and allow itself greater access. This is possible even when UPnP is running properly.
Because of the lack of authentication, it is a good security practice to disable UPnP on the router. This can adversely affect devices and programs in the LAN that want to use UPnP. However, these problems can sometimes be corrected by manually opening ports in the router and configuring the device or program to use the manually opened port.
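The steps in the diagram above and the unauthenticated-request problem both come down to one mechanism: the router's Internet Gateway Device (IGD) service accepts plain SOAP messages over HTTP from any LAN host, with no credentials. The following is an added example, not code from the original article or from Rapid7, that shows what such a request looks like and how an administrator can audit the port mappings a router currently holds so that anything a game, a VoIP client, or malware has opened can be spotted. It uses the standard IGD `GetGenericPortMappingEntry` action and its `713 SpecifiedArrayIndexInvalid` end-of-table fault; the sample router responses, the IP addresses, the "expected mappings" allowlist and the list of sensitive ports are all constructed for the demonstration. The `fetch_mapping` and `list_mappings` functions talk to a real router and are not exercised here; the control URL they need is taken from the router's own device description document.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Service type of the IGD v1 WAN IP connection service (from the UPnP IGD spec).
WAN_IP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed policy for the demo: internal ports an admin would not expect
# to be reachable from the internet through an automatically created mapping.
SENSITIVE_PORTS = {22, 23, 445, 3389, 5900}


def build_soap_request(action, args):
    """Build the SOAP envelope a LAN client posts to the router's control URL.
    Note that nothing in it identifies or authenticates the requester."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{WAN_IP_SERVICE}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    ).encode()


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_mapping_response(xml_bytes):
    """Turn a GetGenericPortMappingEntryResponse into a dict.
    Returns None for a SOAP fault, which is how the router signals that the
    requested index is past the end of its mapping table (error 713)."""
    root = ET.fromstring(xml_bytes)
    body = next(el for el in root if _local(el.tag) == "Body")
    resp = body[0]
    if _local(resp.tag) == "Fault":
        return None
    fields = {_local(el.tag): (el.text or "").strip() for el in resp}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_client": fields["NewInternalClient"],
        "internal_port": int(fields["NewInternalPort"]),
        "description": fields.get("NewPortMappingDescription", ""),
        "enabled": fields.get("NewEnabled") == "1",
        "lease": int(fields.get("NewLeaseDuration", "0")),
    }


def fetch_mapping(control_url, index, timeout=5):
    """Ask the router (from inside the LAN) for mapping number `index`.
    Not run in the offline demo; control_url is assumed to come from the
    router's device description (the <controlURL> of the WANIPConnection service)."""
    req = urllib.request.Request(
        control_url,
        data=build_soap_request("GetGenericPortMappingEntry", {"NewPortMappingIndex": index}),
        headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WAN_IP_SERVICE}#GetGenericPortMappingEntry"',
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_mapping_response(resp.read())
    except urllib.error.HTTPError as err:
        # Routers answer the end-of-table fault with HTTP 500 and a SOAP body.
        return parse_mapping_response(err.read())


def list_mappings(control_url):
    """Walk the router's mapping table until it returns the 713 fault."""
    mappings, index = [], 0
    while True:
        entry = fetch_mapping(control_url, index)
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


def audit_mappings(mappings, expected):
    """Flag every mapping not in `expected`, a set of
    (internal_client, internal_port, protocol) tuples the admin intends to exist."""
    findings = []
    for m in mappings:
        if (m["internal_client"], m["internal_port"], m["protocol"]) in expected:
            continue
        severity = "high" if m["internal_port"] in SENSITIVE_PORTS else "medium"
        findings.append((severity, f"unexpected {m['protocol']}/{m['external_port']} -> "
                                   f"{m['internal_client']}:{m['internal_port']} "
                                   f"({m['description'] or 'no description'})"))
    return findings


# Constructed router replies: a game-console mapping, a suspicious RDP mapping,
# then the fault a router sends when the index is past the end of the table.
SAMPLE_RESPONSES = [
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewRemoteHost></NewRemoteHost><NewExternalPort>3074</NewExternalPort><NewProtocol>UDP</NewProtocol>'
    b'<NewInternalPort>3074</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>'
    b'<NewEnabled>1</NewEnabled><NewPortMappingDescription>Game console</NewPortMappingDescription>'
    b'<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewRemoteHost></NewRemoteHost><NewExternalPort>50123</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    b'<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.1.10</NewInternalClient>'
    b'<NewEnabled>1</NewEnabled><NewPortMappingDescription></NewPortMappingDescription>'
    b'<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    b'<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail></s:Fault>'
    b'</s:Body></s:Envelope>',
]


def audit_sample():
    """Offline run over the constructed replies; only the console mapping is expected."""
    mappings = [m for m in map(parse_mapping_response, SAMPLE_RESPONSES) if m is not None]
    return mappings, audit_mappings(mappings, {("192.168.1.20", 3074, "UDP")})


if __name__ == "__main__":
    found, findings = audit_sample()
    for m in found:
        print(f"{m['protocol']}/{m['external_port']} -> {m['internal_client']}:{m['internal_port']}")
    for severity, message in findings:
        print(severity.upper(), message)
```

Running the offline demo lists both mappings and reports the TCP mapping to port 3389 as a high-severity finding, because it is neither on the allowlist nor a port an administrator would expect a game or VoIP client to open. Against a real router, `list_mappings(control_url)` feeds the same audit; a mapping you did not create is the UPnP equivalent of a firewall rule nobody remembers adding and is worth removing and investigating.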
What is the current problem with UPnP?
When enabled, UPnP is only supposed to be available to computers inside the LAN. However, Rapid7's study revealed that millions of devices on the internet are also responding to UPnP requests from computers on the internet outside the LAN. Following is a diagram showing one possible situation:
Following are the steps shown in the diagram:
- An attacker outside the LAN detects that an internet-facing router is responding to UPnP requests from outside the LAN. The attacker makes a UPnP request to the router.
- The router opens a network port to the internet and forwards any traffic arriving on that port (including unsolicited traffic) to a computer on the LAN.
- The attacker uses the now-open port to conduct additional attacks inside the LAN.
The exact abilities the attacker will have depend on how the router responds to requests from the internet. The responses will depend on the brand of the router and the firmware version installed on the router.
What can be done?
How do you know if this vulnerability affects you? Web-based UPnP vulnerability checkers are available. One such is part of the free “ShieldsUP” service from Gibson Research Corporation. To test a router, do the following:
- Using a computer behind the router you want to test, navigate to the following page:
- Click one of the “Proceed” buttons.
- Click the “GRC’s Instant UPnP Exposure Test” button.
- Allow the test to run and observe the result.
If you discover that your router is vulnerable, try turning off UPnP in your router and run the test again. (Some routers have been reported to leave UPnP running on the internet side even after it has been disabled on the LAN side.) If the router is still vulnerable, following are some options that are available:
- Search the website of the router’s manufacturer for newer firmware for your router. Keep in mind that the manufacturer may offer multiple versions of the firmware for the same router model. The different versions may be for different hardware revisions of the router. Pay close attention to which hardware revision you own. Read installation instructions carefully before starting. Disabling UPnP after installation may be necessary.
- Alternative firmware for some routers is available. Three such are DD-WRT, OpenWrt, and Tomato. Before installing alternative firmware, verify compatibility with your router (including the hardware revision number). Read installation instructions carefully before starting. Disabling UPnP after installation may be necessary.
- Buy a new router. It may be advantageous to do research before buying to ensure the router you purchase does not also have the UPnP vulnerability. Disabling UPnP on the new router may be necessary.
- For those who are technically minded, turn an old PC into a router. The computer must have at least two network adapters. (If the computer has only zero or one network adapter, additional USB, PCI, or PCI-e adapters can normally be added.) Replace the existing operating system on the computer with a router OS such as pfSense or m0n0wall. Read installation instructions carefully before starting. Disabling UPnP after installation may be necessary.
Regardless of the option chosen, test your solution after it has been implemented.
How does this affect business?
UPnP is a technology typically implemented in routers meant for home or small-office use. Some businesses may be directly affected by this, but many will not be because they use networking equipment that doesn’t have the vulnerability. However, businesses may be indirectly affected if they allow remote access into the network via VPN or other means. If a remote user’s home network is vulnerable and compromised, the compromise may propagate from the home network to the business network through a VPN connection.
Where is more information available?
Diagrams use clip art from user “cyberscooty” at openclipart.org.