0

I'm the sole person who has access to this router. I turned uPnP off and have twice found it turned back on in recent weeks. The router is an Asus DSL-AC68U.

I have a VPN running at the router level, installed about a month ago. I've recently updated the firmware on it too but after extensive searching neither of those should have affected it. The only thing I've come across is that there must be malware inside the network.

Can someone please advise?

schroeder
frank
  • "malware inside the network" -- that's an odd conclusion. The malware needs access to the admin functions on the router. – schroeder Apr 16 '21 at 11:20
  • I'm happy for any other explanations. Yes it would imply that but it's the only conclusion I've been able to draw so far hence the question. – frank Apr 16 '21 at 11:37
  • 1
    It could also be a bug in its firmware which is not persisting its value. – defalt Apr 16 '21 at 12:11
  • 1
    This would have to be a new bug in firmware then as it used to work. Indeed today I've realised that the auto logout feature is no longer working unless you manually log out before closing tab/browser. This was a known fault in the router and fixed 5 years ago. Seems strange/weird it would be re-introduced. But as you say.... – frank Apr 16 '21 at 12:28
  • Is there a reason you want to keep it disabled? uPnP has its advantage in establishing VoIP calls. – defalt Apr 16 '21 at 14:54
  • For security reasons, for very good reason. I don't use VOIP or any other service that requires it. – frank Apr 16 '21 at 17:46

2 Answers

3

Buggy firmware.

There's an old saying in IT:

Never attribute to malice what can be sufficiently explained by incompetence.

This can be fully explained by a buggy firmware that somehow re-enables it automatically after reboot, or never disables it in the first place, or resets that part of the configuration due to some other random event.

Consumer router/AP firmware is well known for being an old version, riddled with bugs. The selling point of these devices is not security, it's whatever superlatives about speed they can stick on the box it comes with. The firmware and lack of security are only evident after you've bought it.

vidarlo
  • If disabling via an automatic protection feature it does indeed re-enable when it's rebooted but if you manually configure it in WAN settings it persists after a reboot. I double checked this yesterday after disabling it again. I have very good reasons for considering malware to be the cause. An ongoing stalking case of 12 years by a hacker. This is the 1st time I've had the confidence to ask a security question online as I'm fairly confident he's not actually in my device (or hopefully network) right now. But in my case malice is completely a realistic scenario if not the most realistic. – frank Apr 16 '21 at 12:22
  • What makes you believe upnp is part of this? It's trivial to extract data from home networks using an outgoing connection, which is allowed by default. – vidarlo Apr 16 '21 at 13:45
  • Part of what? My original question asks what could be responsible for re-enabling uPnP on my router when I've twice disabled it? The rest is secondary... apart from the auto logout not working currently either – frank Apr 16 '21 at 14:24
1

The only thing I've come across is that there must be malware inside the network.

The attack (if any) could come from outside your network.

This could be the result of a CSRF or DNS rebinding attack on your router configuration UI. This assumes that your router is vulnerable to either of them.

This could be the result of a reflected XSS as well.

Note that these would be problems in your router firmware. Not something you can configure.

See this list of known vulnerabilities in your device. These have probably been patched in your version since you claim you have recently updated the firmware. We can see that the device has been found to be vulnerable to several XSS and XSRF vulnerabilities in the past.

ysdx
  • Every single security feature of my router is turned on (AFAIK) but I don't know exactly which specific settings would prevent these vulnerabilities assuming it is vulnerable. Could you expand at all? I will google in the meantime. Thanks for your help. – frank Apr 16 '21 at 12:05