In today's world, on equipment that is properly updated to the latest software/firmware, is UPnP still insecure, or have its vulnerabilities been fixed?

Daniel

  • Since there is no such thing as 100% security, this question is not well posed. Perhaps you could consider mentioning the vulnerabilities that you have in mind? – Brent Kirkpatrick Mar 29 '16 at 19:08
  • "insecure" is the correct term – schroeder Mar 29 '16 at 19:51
  • @BrentKirkpatrick the question seems clear that the question is about the known vulnerabilities being fixed – schroeder Mar 29 '16 at 19:55
  • @schroeder It seems clear that the only answer is "no, it is not possible to fix vulnerabilities that are potentially unknown." So the question is not clear. It should be reworded to ask whether known vulnerabilities have been fixed. It is even more clear if the person asks specifically about the vulnerabilities that they want to know about. – Brent Kirkpatrick Mar 29 '16 at 21:50
  • related: [What are the security implications of enabling UPnP in my home router?](https://security.stackexchange.com/questions/38631/what-are-the-security-implications-of-enabling-upnp-in-my-home-router) – tim Aug 20 '16 at 19:08
  • @BrentKirkpatrick It isn't possible to write correct code? – curiousguy Dec 06 '18 at 12:43
  • Any software or etc. that allows access to your network without user interaction is never going to be secure. Now if it was changed to block by default and then notify the user, they could go in and permit it if they so choose. However, that is not how the protocol was designed. My question is, besides being fundamentally broken, does it have a buffer overflow or similar attacks. – cybernard Dec 06 '18 at 23:45

6 Answers

26

Why is/was UPnP insecure anyway?

UPnP's bad name comes from implementation issues found in 2011-2013. It's like saying email is insecure and should be disabled because someone found a common issue in multiple email clients some years ago.

I always disabled UPnP because everyone said so. Now that I looked into it, it turns out to be silly. When UPnP was new, some devices were found to allow configuration from the Internet. Anyone could open any port on it. Since then, router vendors had plenty of time to fix their software. Security is a much bigger thing now than it was in 2011 (that's about the time when the first iPad was released), so vendors are more aware of security issues. For older routers, if they were vulnerable in the first place, a firmware update has probably been released long ago.

What is the purpose of UPnP?

UPnP is a solution to an issue that is created by having too few IP addresses. Because not everyone can have their own, we need to share them. The way we do this is by Network Address Translation (NAT): your consumer router translates between your local network (for example 192.168.x.x) and your public IP address (for example 278.14.1.48). Peer to peer applications such as file sharing, calling or video calling, distributing updates (Windows, Google Play), anonymity networks, resilient mesh networks, etc. all cannot function through NAT, so we have to either disable it for specific applications (using port forwarding), or find workarounds (such as UDP/TCP hole punching, STUN, etc.). The UPnP protocol is what an application uses to tell the router that it would like to disable NAT for an application. It's basically automatic port forwarding.

Not enabling UPnP means we need workarounds instead of being able to have peer to peer communication. Software developers that hope to make a profit off of you will spend money on running servers to keep those workarounds functional for you, but free software often does not have such luxuries and cannot function without either UPnP, or you forwarding the port manually.

Then why are the others saying "Yes, it's insecure by design"?

(Spoiler: they are wrong.)

Because NAT is ubiquitous in IPv4, many people started to rely on it for security: because you cannot reach individual hosts inside the network, vulnerabilities cannot be exploited from the outside, and people started turning off security measures inside their LAN. They neglected doing security updates and opened file shares without passwords (because nobody ever takes their laptop outside their LAN, right?), so now you need a firewall that is outside of your laptop, for example in your router. Combine this with the idea that UPnP can open ports, and you get misinformed answers such as the previously top-voted answer.

Ask yourself: what makes that UPnP request to your router to open a port? It has to be something inside your network. For example, malware could tell the router to open it. How terrible! But wait, if you have malware running on your network, and your laptop is not secure... then you are already screwed right? Yes, indeed.

Malware does not need UPnP to reach your local devices: for it to be able to do UPnP, it already needs to be on your device, or inside your network, so it can reach the internal devices by itself without using UPnP.

Or what if a friend brings their smartphone that is infected with malware? It could tell the router to do UPnP to your other devices and expose them. True enough, but again: the malware is already inside your network and can already reach your local devices directly.

Conclusion

UPnP is fine to enable if your router is not ancient, or if you installed firmware updates for it (or if it was never vulnerable in the first place).

Even if your router is known to be vulnerable (and you either refuse to install the update or the vendor did not release an update), then it's still not an issue if all devices inside your network have their security updates installed. You should be doing that anyway, as every website that you visit can attack local devices through JavaScript in your browser (particularly if the local device can be exploited via blind HTTP requests), and everyone with access to your WiFi (e.g. through password cracking) could hack them as well. Beware: this includes printers, IP cameras, and other embedded computers that are often forgotten.

Luc

  • It’s irrelevant that UPnP as a protocol is safe; the concept is not. UPnP permits devices with serious vulnerabilities to silently expose themselves. The Mirai botnet was built on a hundred thousand IP cameras that had opened their own holes in firewalls using UPnP. Despite your claims, very few IoT devices have the capability to patch their own firmware, and they will remain vulnerable forever. Put another way, if the only fix for a vulnerable device is to throw it away, how many people will actually toss out an otherwise-working $100 camera? Disabling UPnP will protect those networks. – John Deters Dec 07 '18 at 16:49
  • @JohnDeters Yes, if an insecure device opens a port to itself, it will get pwned. So I disable UPnP, now what? Now I will manually port forward to get to its interface, so it still gets pwned. If I take the device outside of my trusted LAN, others can pwn it. If someone brings an untrusted device (friend's smartphone might have malware) into my LAN, my vulnerable device might get pwned. If I visit a malicious website, it might get pwned through JavaScript. There are a million ways this can go wrong that is not UPnP, so just patch the device. – Luc Dec 07 '18 at 17:05
  • The only scenario in which it helps to disable UPnP is if you want to use the device only from inside your LAN, not from the internet, and never take it outside of your LAN. Still, someone could bring malware into your network, but that does not scale as well so the risk is much lower. Most of those IP cameras, though, are specifically meant to be looked at when their owners are not at home. – Luc Dec 07 '18 at 17:07
  • No, Luc, the inherent insecurity of UPnP is its lack of authentication/authorization of the configuration. If you manually set up the port forwarding for one *known* application that needs it, you have an authentic configuration. You're correct that if this known service is vulnerable you've now exposed it, but that's not the point. Rather it's that any arbitrary listening malware that gets installed will be able to do its own router configuration to open itself to the internet. This application is not exploiting an implementation flaw in UPnP but using the protocol exactly as (mis)designed. – ckg Jan 03 '19 at 03:21
  • @ckg *"listening malware that gets installed will be able to do"* ... anything it wants, with or without upnp. You have malware on your machine, what more would you ask for?! I understand that I'm basically saying "common advice is wrong" and that I'm going against a lot of previously held beliefs, but your argument makes no sense to me. If I have malware, ohmygosh it can do things on the internet? Who'd have thought! – Luc Jan 03 '19 at 08:33
  • This is the use case for defense in depth. Of course you're in deep shit if you have malware, but no it can't do everything. In particular, it cannot open firewall/NAT rules using uPnP to enable direct remote access. It's certainly true that *other* malware might simply reverse shell, but there are many wares that rely on uPnP. The question: is uPnP inherently insecure. The answer: unequivocally YES! It is explicitly insecure *by design* because it has absolutely no authentication. It should *never* be enabled by default. It is the poster child of how NOT to design a protocol. – ckg Jan 04 '19 at 12:12
  • I should add that I am currently using uPnP effectively with a customer site. The customer left uPnP enabled and we needed to deploy a Synology NAS at the site. The Synology is using uPnP to better enable access to our NAS and this is working very well (Synology has some proxy technology for when uPnP isn't available, but this still works better). What would have been a more appropriate solution is that the customer would have had to enable uPnP *only* for our Synology, but it doesn't work that way. Enabling uPnP is a risk that can be justified, but it should not be assumed by default. – ckg Jan 04 '19 at 12:20
  • @ckg I understand where you're coming from, but the abilities malware gains through UPnP are negligible. Opening a port and acting as server on the malware's behalf (e.g. to act as command and control server) is the least of your worries at that point. While it's undeniable that disabling UPnP is good defense in depth (just like turning off any other service would be), the advantage gained in the face of arbitrary code execution is so negligible that it's acceptable as default-enabled for consumers. Opening ports has important advantages and 99% of consumers don't know how to do it manually. – Luc Jan 04 '19 at 13:03
  • There are numerous cases in the wild of UPnP being a key enabling component in large scale successful malware botnets. It is not because of "implementation flaws". It is because of the inherent insecurity of the protocol. It breaks a *fundamental* principle of security by allowing the accident of topology to be sufficient for access control and perpetuates the abomination of legacy IP NAT. It is the modern equivalent of rlogin and should be similarly irradiated as the pestilence it is. – ckg Jan 05 '19 at 15:26
  • Yes, we need usable security, but we do not need protocol implementations using "usability" as an excuse for laziness. – ckg Jan 05 '19 at 15:34
  • @Luc That edit. Absolute mad lad –  Mar 27 '20 at 14:06
  • @MechMK1 Hah, I wondered if anyone would notice :) – Luc Mar 27 '20 at 20:10
  • What isn't addressed here, or elsewhere except for Craig's comment in another answer, is the threat posed by legitimate but insecure clients and UPnP implementations on your network. They don't have to be malicious, just poorly designed and maintained. The fact that the protocol allows silent bypassing of your firewall (on routers where forwarding rules do that) without explicit consent of the network owner makes it a security risk. All the more reason to push IPv6 adoption. – datu-puti Jul 17 '20 at 18:09
  • @elBradford With that reasoning, Windows, Linux, Android, iOS, WPA3, Chrome, the router management interface, etc. are also insecure by the virtue of their existence. There may always be "insecure implementations on your network" in anything. Vulnerabilities are fixed once they become known, perfect security doesn't exist, and you can apply hardening to a network by disabling features/software/hardware that is not essential to you. That doesn't mean it is insecure just because it might be poorly designed and maintained (just like anything else). – Luc Jul 19 '20 at 16:45
  • Luc You're right, but my point went beyond that - to quote @Craig, "The bigger issue is routers that respond and open ports, then never close them, combined with badly designed IoT devices that are insecure by design. Your best bet is to put those IoT devices on a separate VLAN, isolated from your more sensitive devices." What might otherwise be a low risk or benign flaw could expose your internal network through UPnP. Ultimately I consider UPnP insecure because of its design as discussed above by ckg with whom I agree. – datu-puti Jul 20 '20 at 17:17
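Luc's answer describes UPnP as automatic port forwarding, and the comments on it raise the case of routers that open ports and never close them. The script below is an added example, not code from any answer on this page: it audits what a gateway's UPnP service has actually opened, by discovering the router over SSDP, locating its WANIPConnection service in the device description and walking the read-only GetGenericPortMappingEntry action (UPnP IGD v1) until the router signals the end of its table. The multicast address, URNs and action names are the public UPnP ones; the addresses and mapping table used to exercise it are constructed. Routers that expose WANPPPConnection instead of WANIPConnection would need the service URN changed (an assumption about your device, not something the page states).

```python
"""Read-only audit of the port mappings a UPnP Internet Gateway Device (IGD v1) holds.
Added example, not code from the answers: SSDP discovery, then GetGenericPortMappingEntry
walked index by index until the router answers with the SOAP fault that ends the table."""
import re
import socket
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"

def ssdp_location(data):
    """LOCATION header (URL of the device description) of an SSDP '200 OK' reply, or None."""
    match = re.search(rb"(?im)^LOCATION:[ \t]*(\S+)", data)
    return match.group(1).decode() if match else None

def discover_igd(timeout=3):
    """Send one SSDP M-SEARCH and return the description URL of the first IGD that answers."""
    msearch = (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
               f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msearch, SSDP_ADDR)
        try:
            return ssdp_location(sock.recvfrom(4096)[0])
        except socket.timeout:
            return None

def find_control_url(description_xml, base_url):
    """Absolute controlURL of the WANIPConnection service in the device description, or None."""
    for svc in ET.fromstring(description_xml).iter(DEV_NS + "service"):
        if (svc.findtext(DEV_NS + "serviceType") or "").strip() == WANIP_ST:
            return urljoin(base_url, (svc.findtext(DEV_NS + "controlURL") or "").strip())
    return None

def build_soap(index):
    """SOAP request for GetGenericPortMappingEntry at one index of the router's mapping table."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_ST}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping_response(xml_bytes):
    """The New* argument elements of a GetGenericPortMappingEntryResponse as a dict."""
    out = {}
    for elem in ET.fromstring(xml_bytes).iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # strip any namespace prefix
        if tag.startswith("New"):
            out[tag] = (elem.text or "").strip()
    return out

def soap_post(control_url, body):
    """POST one action; a 500 carries a SOAP fault, and past the last entry that fault is
    errorCode 713 (SpecifiedArrayIndexInvalid), so None here means 'end of table'."""
    req = Request(control_url, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{WANIP_ST}#GetGenericPortMappingEntry"'})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.read()
    except HTTPError as err:
        if err.code == 500:
            return None
        raise

def walk_port_mappings(control_url, post=soap_post, limit=512):
    """Read entries 0, 1, 2, ... until the router reports the end of its table."""
    mappings = []
    for index in range(limit):
        reply = post(control_url, build_soap(index))
        if reply is None:
            break
        mappings.append(parse_mapping_response(reply))
    return mappings

def flag_mappings(mappings):
    """Flags a defender cares about: an empty NewRemoteHost means any Internet address may
    connect; NewLeaseDuration 0 means the hole never expires ('opened and never closed')."""
    report = []
    for m in mappings:
        flags = []
        if not m.get("NewRemoteHost"):
            flags.append("any-remote")
        if m.get("NewLeaseDuration", "0") == "0":
            flags.append("permanent")
        report.append((m.get("NewProtocol"), int(m.get("NewExternalPort", 0)),
                       m.get("NewInternalClient"), int(m.get("NewInternalPort", 0)),
                       m.get("NewPortMappingDescription", ""), tuple(flags)))
    return report

if __name__ == "__main__":
    location = discover_igd()
    control = location and find_control_url(urlopen(location, timeout=5).read(), location)
    for row in flag_mappings(walk_port_mappings(control)) if control else []:
        print(row)
```

Run it from a host on the LAN and compare the rows with the devices and applications you expect to be reachable from outside. A row flagged both `any-remote` and `permanent` that points at a camera or NAS is exactly the situation the comments above argue about; whether that is an acceptable trade-off is the question, but the audit tells you what is actually open rather than what the protocol could in principle open.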
19

Yes, UPnP is by design insecure.

UPnP is a protocol designed to automatically open ports in a firewall to allow an outsider to access a hosted server on a local machine that is protected by said firewall.

UPnP is like mounting a lock on a door and then leaving the key in the keyhole. What's the point of mounting a lock then?

It goes without explanation to say why this is a bad protocol from the beginning, to aid "newbies" who can't even go to 192.168.0.1/192.168.1.1 and forward a simple port if that's required.

UPnP effectively makes the firewall useless. Any trojan could then set up a listening IRC server, RAT server or anything else suspicious and then ask the firewall to open the port for it.

If you have a router which supports UPnP, disable the protocol immediately. I haven't yet stumbled upon a router which does not permit disabling UPnP, so in all routers it should be possible. It might be some ISP locked down router that has customer administration completely disabled, but then you should be able to ask your ISP's customer service to have UPnP disabled.

sebastian nielsen

  • but it iirc isn't leaving the key on the outside but on the inside because UPnP iirc has to be opened from the inside. – My1 Aug 09 '16 at 09:38
  • I dislike this answer as uPnP is not a firewall technology, it is a NAT technology. Using your NAT/PAT for security is like using the lift in an apartment building for security. It sort of works, if someone finds the stairs, you are screwed. The aim of UPnP is to make the NAT more transparent. – Aron Sep 07 '16 at 04:33
  • @Aron Yeah, I know that NAT is initially not meant as a firewall, but it serves that purpose well, and a well done NAT will leave no backdoor, no "stairs" as you say. NAT is already transparent enough, provided that the end user goes into the web interface and opens the required ports for the required services - as is required with a "standard" firewall. If the end user does not know how to do that because the end user is too n00b, then that user shouldn't be near computers to begin with. – sebastian nielsen Sep 07 '16 at 17:01
  • @sebastiannielsen that is the same kind of thinking that is pushing back on the IPv6 rollout. A properly configured NAT does leave backdoors which many p2p programs exploit, such as Skype. Read up on TCP hole punching. – Aron Sep 08 '16 at 04:38
  • It's a teensy bit more complex than just user inability to configure port forwarding. If you have, say a family of 3 with iPhones and they want to use a service like Facetime, UPnP or NAT PMP is practically a necessity. Yes, there are products like Skype that work really hard to get around router security and work even with UPnP shut off. The bigger issue is routers that respond and open ports, then never close them, combined with badly designed IoT devices that are insecure by design. Your best bet is to put those IoT devices on a separate VLAN, isolated from your more sensitive devices. – Craig Tullis Oct 25 '16 at 19:10
  • @Craig Still, only one service at a time can use a specific external port. So configuring it isn't hard. – sebastian nielsen Oct 25 '16 at 22:09
  • @sebastiannielsen I port forward so I can access my CCTV; what's the best way to allow this port through only and disable port forwarding for everything else? Also, if I block UPnP, will my existing devices not connect? How would I connect new devices? – User101 Feb 01 '19 at 19:48
  • @User101 You don't disable port forwarding, just UPnP. Then you manually set up forwarded ports for your devices, preferably with a locked source IP/range so only your devices can access the forwarded ports. New devices are connected by manually port forwarding for them. – sebastian nielsen Feb 01 '19 at 19:51
  • @sebastiannielsen thanks, assume then new devices you would have to delve into the router page to allow them through for every new mobile phone etc that wants to connect – User101 Feb 02 '19 at 20:12
  • @user101 yes, or you add ranges so if all mobile phones are using the same operator, you simply add that particular operator's IP range as allowed source IP to access, for example, IP cameras and network drives and such. Then you also limit the attack surface greatly. – sebastian nielsen Feb 05 '19 at 15:35
  • @sebastiannielsen thanks, gosh newbies and the elderly have no chance, ISPs should be doing this and providing easy to use interfaces to do this for users. – User101 Feb 06 '19 at 16:32
  • @User101 That's what UPnP is supposed to do: make the whole process transparent to the end user. – Jivan Pal May 25 '21 at 23:52
5

I think I should expand a bit and clarify what sebastian nielsen said.

UPnP is as secure as the operating systems of the devices behind the firewall or router NAT/PAT.

If you have a Linux, BSD, or Unix box behind the router and you have a standard user setup where you do not use root for any user activities, then your chances of running afoul of a trojan capable of using UPnP to compromise your network are low.

If you are running Windows, or have an Android device where you download apps that are not vetted by the Play Store, then you are very vulnerable.

Most routers have options for directing external ports to internal ports, so you can set up a port or a range of ports to talk to the machine where you need a port opened. For security's sake it is wise not to open a redirected port in the 0-1024 range, as these are common ports that are a likely target for scanning by hackers.

  • The point is that the protocol UPnP is completely useless. It serve no purpose at all. Basically, if a person can't even go to 192.168.1.1 or 192.168.0.1 and set up a simple port forwarding rule, then that person shouldn't be near computers to begin with. – sebastian nielsen Aug 21 '16 at 12:25
  • That just isn't true. There are plenty of cases where you have, as just one example, multiple iPhones, iPads or Mac computers on a network and people would like to use Facetime. It's ridiculous to require manual port-forwarding for each device. Protocols like Skype work without UPnP because Skype works really, really hard at getting around your router security any way it can. And when IPv6 becomes ubiquitous, every device is going to have a direct connection to the net with its own IP address. UPnP isn't the issue. Basic device security is. – Craig Tullis Oct 25 '16 at 19:25
  • David, it simply isn't true that remotely current Windows machines are especially vulnerable to external attack. The real problem on those machines is dumb (or uninformed) users who are susceptible to phishing attacks. On the other hand, most IoT devices are running Linux, and a great many of those are configured in non-secure ways, making them an absolute security nightmare. I don't believe that superlatives and blanket generalizations help the debate. ;-) – Craig Tullis Oct 25 '16 at 19:28
2

UPnP just opens connectivity from a device within your network to another outside it, at the device's request. So basically the security of that comes down to whether that request was made by well-intended software or by malware.

UPnP isn't the weak point, but the security of the apps installed on the device. Firewalls, manual port forwarding, antivirus and app stores are just workarounds for that, but not the real solution.

The real solution is using software whose source code is available to inspect, installed from a software center, and frequently patched for security vulnerabilities. Namely Linux.

0

Rather than definitively say that uPNP is secure by design, or insecure by design, it makes more sense to specify what it actually facilitates - what hosts on the local network can do with uPNP that they couldn't otherwise.

In a NAT situation, any host on the inside is already able to "open up a port", simply by sending a packet out on that port. But, that port mapping is only valid for the remote host address it was addressed to - it doesn't open that port up to "the world" like uPNP does.

So, a local host is able to facilitate both outgoing and incoming communication to any remote host they choose - but they must choose. A local host is not able to open itself up to communication from all hosts.

Now, that is a desirable thing to want to do if you are running a service that should be publicly available to the world. Examples include if you're running a server like a web, FTP or mail server. But this is also the case with certain peer to peer activity. For example in bittorrent, you want anybody to be able to contact you and download a piece of a file you are hosting, even if you don't think of yourself as providing a service.

In a business environment, you would specifically set up rules for those services you want to host.

In a home environment, however, "hosting" things is often thought of in more of an ad-hoc manner, and home users don't want to have to configure their router for everything they use which requires a port open to the world. This is where uPNP fits.

So:

  • Yes, it does open up new abilities for local hosts that would not be allowed otherwise, which includes the ability to accept incoming connections to a port from anyone.

  • This can be thought of as adding, or at least widening, a vector for possible vulnerabilities. Malware running on a local host is already able to do a lot without uPNP; uPNP just gives it a small additional ability.

  • It is a trade-off between ease of use and control over network communication; and to many it will be a completely fair trade-off, and to others not.

The argument that NAT is merely a side-effect of IPv4 depletion rather than a security feature is a little off-target IMO. If it weren't for NAT, it would still be a good idea to have a firewall at the boundary of your local network that denies incoming traffic that wasn't initiated from inside the firewall, except in specific cases that you have set up. And, IPv6 enabled devices often offer such a feature even when there's no need for NAT. You can say that each host should have its own such firewall instead and treat other hosts as equally untrusted, but there exists a lot of IP connected (IoT) devices which aren't configurable in that way. Sure, judicious outgoing blocking like port 25 is also useful.

thomasrutter
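thomasrutter's answer turns on one distinction: an outbound packet through a NAT creates a mapping that only the remote endpoint it was sent to can use, whereas a UPnP mapping opens the port to every host on the Internet. The toy gateway below is an added example, not code from the answer; it models both kinds of table entry plus the third kind that sebastian nielsen recommends in the comments on his answer, a manual forward pinned to an allowed source range, and shows which inbound packets each one admits. The filtering it models for dynamic entries is the strictest kind (address and port dependent); real routers vary, which is what the hole-punching techniques mentioned elsewhere on this page rely on. All addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy model of what a NAT lets through versus what a UPnP port mapping lets through.
Added example, not code from the answers.  Three kinds of table entry: the implicit mapping an
outbound packet creates (only the remote endpoint it was sent to may answer), a UPnP
AddPortMapping-style entry (any remote host), and a manual forward pinned to a source range."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Mapping:
    internal: Endpoint                        # where admitted packets are delivered
    remote: Optional[Endpoint] = None         # dynamic NAT entry: the one peer allowed to answer
    allowed_src: Optional[IPv4Network] = None  # manual forward: the range that may connect
    kind: str = "upnp"                        # "dynamic", "upnp" or "manual"


class Gateway:
    def __init__(self, public_ip: str, first_dynamic_port: int = 40000):
        self.public_ip = public_ip
        self.table: Dict[int, Mapping] = {}   # external port -> Mapping
        self.next_port = first_dynamic_port

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """An inside host sends src -> dst; the NAT allocates an endpoint-dependent mapping."""
        for port, m in self.table.items():
            if m.kind == "dynamic" and m.internal == src and m.remote == dst:
                return (self.public_ip, port)          # same flow: reuse its mapping
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = Mapping(src, remote=dst, kind="dynamic")
        return (self.public_ip, port)

    def upnp_add_port_mapping(self, ext_port: int, internal: Endpoint) -> None:
        """What an IGD does for AddPortMapping with an empty NewRemoteHost: anyone may connect."""
        self.table[ext_port] = Mapping(internal, kind="upnp")

    def manual_forward(self, ext_port: int, internal: Endpoint, allowed_src: str) -> None:
        """Admin-configured forward restricted to a source range (e.g. a phone operator's block)."""
        self.table[ext_port] = Mapping(internal, allowed_src=ip_network(allowed_src), kind="manual")

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Packet from src to public_ip:ext_port; returns the internal endpoint it reaches,
        or None when the gateway drops it."""
        m = self.table.get(ext_port)
        if m is None:
            return None                                # no entry: dropped
        if m.remote is not None and m.remote != src:
            return None                                # dynamic entry: only the peer we talked to
        if m.allowed_src is not None and ip_address(src[0]) not in m.allowed_src:
            return None                                # manual forward: source outside the range
        return m.internal


def demo() -> Dict[str, Optional[Endpoint]]:
    """The three cases from the answer and the comments; returns what each packet reaches."""
    gw = Gateway("198.51.100.1")                        # constructed addresses (RFC 5737)
    laptop, cam = ("192.168.1.20", 51413), ("192.168.1.50", 80)
    peer, stranger = ("203.0.113.5", 443), ("203.0.113.77", 31337)

    _, ext = gw.outbound(laptop, peer)                  # laptop opens a flow to peer
    gw.upnp_add_port_mapping(51413, laptop)             # a client asks the IGD for a mapping
    gw.manual_forward(8080, cam, "203.0.113.0/25")      # camera reachable only from one /25

    return {
        "nat_reply_from_peer": gw.inbound(peer, ext),                       # delivered
        "nat_unsolicited": gw.inbound(stranger, ext),                       # dropped
        "upnp_from_anyone": gw.inbound(stranger, 51413),                    # delivered
        "manual_in_range": gw.inbound(("203.0.113.5", 5000), 8080),         # delivered
        "manual_out_of_range": gw.inbound(("203.0.113.200", 5000), 8080),   # dropped
    }


if __name__ == "__main__":
    for case, reached in demo().items():
        print(f"{case:22} -> {reached if reached else 'dropped'}")
```

The two middle cases are the answer's point in executable form: the unsolicited packet to a dynamically allocated port is dropped because the entry remembers who it was created for, while the UPnP entry has no such memory and admits the same stranger. The manual forward sits between them, which is why restricting it to a known source range is the usual hardening when UPnP is turned off.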
-1

It depends on the firewall settings of the device you are worried about getting maliciously accessed from the internet. If that firewall easily allows outgoing long-polling and websockets, then there is no added security in disabling UPnP.

Unknown