Some weeks ago now, at the end of January, a company called Rapid7 released a paper entitled ‘Security Flaws in Universal Plug and Play’ (PDF here).


The paper details a very serious security problem in a large number of routers currently connected to the internet. While scanning every publicly routable IPv4 address, the Rapid7 team found 81 million devices answering Universal Plug and Play (UPnP) discovery requests (SSDP on UDP port 1900) from the internet.

What does this mean? Universal Plug and Play (not to be confused with Plug and Play, or PnP) is a set of protocols that lets devices on a local area network (LAN) discover each other and reconfigure one another without user interaction and, most importantly, without any authentication. Discovery uses SSDP, a small HTTP-like protocol sent over UDP port 1900; control is done by sending SOAP requests over HTTP to the device. It is used by games consoles, file-sharing programs and communication applications (Skype, for example), among many others. The part that matters here is the Internet Gateway Device (IGD) profile: it lets any program or device on the LAN tell the router to open a port mapping, so that inbound connections the router would otherwise block are forwarded to a machine inside. Without UPnP, the same thing has to be done by hand, by logging in to the router and configuring port forwarding.

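To make the "without authentication" point concrete, here is an added example (written for this page, not code from the original post or from Rapid7) that builds the SOAP request a LAN program sends to a UPnP router to open a port, and parses one back out. The service type and action name are from the UPnP IGD specification; the host, control URL and addresses are placeholders chosen for the example.

```python
"""Build and parse a UPnP IGD AddPortMapping request.

Added example for this page; not code from the original post or from
Rapid7. Hosts, URLs and ports below are placeholders.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Service type and action name come from the UPnP IGD specification.
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "AddPortMapping"


def build_add_port_mapping(host, control_url, external_port, internal_client,
                           internal_port, protocol="TCP",
                           description="example", lease_seconds=0):
    """Return the raw HTTP POST a LAN program sends to open a port.

    Notice what is missing: no username, password, token or signature
    appears anywhere. Whoever can reach the control URL can ask the
    router to forward a port to any host on the LAN.
    """
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body>'
        f'<u:{ACTION} xmlns:u="{WANIP_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{external_port}</NewExternalPort>'
        f'<NewProtocol>{protocol}</NewProtocol>'
        f'<NewInternalPort>{internal_port}</NewInternalPort>'
        f'<NewInternalClient>{internal_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{description}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease_seconds}</NewLeaseDuration>'
        f'</u:{ACTION}>'
        '</s:Body></s:Envelope>'
    )
    headers = (
        f"POST {control_url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f'SOAPAction: "{WANIP_SERVICE}#{ACTION}"\r\n'
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers + body


def split_http_request(raw):
    """Split a raw HTTP request into (header block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def parse_add_port_mapping(xml_text):
    """Extract the mapping an AddPortMapping body asks for, or None.

    Useful on the defending side: if a router or IDS sees this arriving on
    the WAN interface, someone outside is trying to punch a hole inwards.
    """
    root = ET.fromstring(xml_text)
    ns = {"s": SOAP_NS, "u": WANIP_SERVICE}
    action = root.find("s:Body/u:AddPortMapping", ns)
    if action is None:
        return None

    def field(name):
        el = action.find(name)  # argument elements carry no namespace
        return el.text if el is not None else None

    return {
        "external_port": int(field("NewExternalPort")),
        "protocol": field("NewProtocol"),
        "internal_client": field("NewInternalClient"),
        "internal_port": int(field("NewInternalPort")),
        "lease_seconds": int(field("NewLeaseDuration")),
    }


if __name__ == "__main__":
    # Placeholder router address and control URL; a real client learns
    # both from the device description it fetched after SSDP discovery.
    req = build_add_port_mapping("192.168.1.1:49152", "/ctl/IPConn",
                                 8080, "192.168.1.20", 80)
    print(req)
    print(parse_add_port_mapping(split_http_request(req)[1]))
```

The request is plain HTTP with an XML body and nothing else. The same bytes work whether they arrive from a machine on the LAN or, on a router that exposes its control interface outwards, from anywhere on the internet.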
Most consumer networking devices ship with UPnP turned on by default. Even when it is confined to the home network as intended, UPnP carries risk: any malware that gets a foothold on one machine can silently open ports to the internet for itself. But the problem reported by the Rapid7 researchers is much worse: they found 81 million devices answering Universal Plug and Play requests from the internet side.

UPnP should never be accessible from the internet! Remember that UPnP allows automatic, silent reconfiguration of your router/firewall without authentication. A router that answers UPnP on its public interface can, once an attacker finds it, be told to forward ports straight into your network, and the Rapid7 paper also shows that the UPnP software on many of these routers has bugs an attacker can trigger just by sending it crafted packets.

Before you panic, it is worth noting that those 81 million devices are a little over 2% of the public IPv4 address space. That is hardly insignificant though, so to check whether your own network is exposed, go to Steve Gibson’s Shields UP! page here:

Shields UP!


Click the ‘Proceed’ button on the first page, then click the big orange button labelled ‘GRC’s Instant UPnP Exposure Test’.


The GRC UPnP exposure test button – you can’t miss it

The GRC server then sends a single UPnP discovery request (an SSDP M-SEARCH to UDP port 1900) to your public IP address and waits to see whether anything answers. Nothing should. Hopefully, after a few seconds you get a big green result like this:

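What that probe amounts to, as an added example (not the page's or GRC's code): build the SSDP M-SEARCH datagram, parse a reply, and decide from it whether the address is exposed. The sample reply and its SERVER banner are constructed for the example; `probe()` does live network I/O and is only for addresses you are authorised to test, such as your own.

```python
"""Send and parse an SSDP M-SEARCH, the UDP/1900 probe behind the
exposure test.

Added example for this page; not code from the original post or from
GRC. SAMPLE_REPLY is constructed and its SERVER banner is invented.
"""
import socket

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"


def build_msearch(target=SSDP_MCAST, search_target="upnp:rootdevice", mx=2):
    """Return the raw M-SEARCH datagram.

    On a LAN this goes to the SSDP multicast group; the exposure test
    sends the same datagram unicast to the router's public address, where
    it should never get an answer.
    """
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {target}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(datagram):
    """Parse an SSDP '200 OK' reply into a dict of lower-cased headers.

    Returns None if the datagram is not an SSDP response. Header names are
    lower-cased because vendors vary in capitalisation; malformed lines
    are skipped rather than crashing the parser.
    """
    if not isinstance(datagram, bytes):
        return None
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def assess(headers):
    """Classify a parsed reply.

    Any reply at all to a unicast probe of a public IP means SSDP is
    exposed. The SERVER header names the UPnP stack, which is how the
    Rapid7 scan mapped exposed hosts to known software versions.
    """
    if headers is None:
        return {"exposed": False, "server": None, "location": None}
    return {
        "exposed": True,
        "server": headers.get("server"),
        "location": headers.get("location"),
    }


def probe(ip, timeout=3.0):
    """Send one unicast M-SEARCH to ip:1900 and assess the first reply.

    Live network I/O: only point this at addresses you are authorised to
    test. A timeout is the good outcome.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_msearch(target=ip), (ip, SSDP_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return assess(None)
    finally:
        sock.close()
    return assess(parse_ssdp_response(data))


# Constructed sample reply of the kind a router's UPnP stack sends.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleUPnPd/0.9\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(assess(parse_ssdp_response(SAMPLE_REPLY)))
```

Run against your own public address, `probe()` mirrors the GRC test: a timeout is a pass, any parsed reply is a fail, and the SERVER string in that reply tells you which UPnP implementation is listening on the wrong side of your router.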
Most people will see a result like this – if not, read on

If not, it means you may be vulnerable to remote attack. As Steve Gibson states emphatically on his site, make no mistake: this vulnerability is being actively targeted in the wild. In other words, if you have this vulnerability, the bad guys are looking for you!


If your network passed, you can breathe a sigh of relief and relax (though you may want to find out more about UPnP and if you are sure you don’t need it, switch it off anyway).


However, if your network failed the test, you must take action immediately:

  • If you are comfortable configuring your router, log in to its settings page and turn the UPnP service off. Then go back to Shields UP! and run the exposure test again to confirm that it now passes; some routers keep answering on the internet side even with UPnP switched off in the menu.
  • Next, check the manufacturer’s website for updated firmware that fixes the problem, and install it if there is any – though don’t be surprised if you find nothing.
  • Finally, if the router won’t let you turn UPnP off, if turning it off doesn’t make the test pass, if you absolutely must have UPnP active on your LAN, or if you simply aren’t sure what to do, the one option that definitely works is to replace the vulnerable equipment.


This is the end of the post so if you haven’t already, go and do the test now!


For those who are technically inclined, a detailed description of the issue can be found in episode 389 of Steve Gibson’s excellent Security Now! podcast here, and a follow up in episode 390 here.