3

I'd like to use Chromecast on our office network. Doing so requires enabling UPnP (Universal Plug and Play).

A quick search turns up statements like this:

The US Department of Homeland Security is urging everyone to disable the common networking Universal Plug and Play (UPnP) protocol...UPnP has been, is now, and will always be a security nightmare of a protocol.

http://www.zdnet.com/article/how-to-fix-the-upnp-security-holes/

I know very little about network protocols beneath the application layer, so much of this goes over my head.

Is it true that UPnP is fundamentally and irreversibly flawed?

Are there any mitigating circumstances in which it isn't "a security nightmare"? Is there any way to use Chromecast without compromising security?

schroeder
Paul Draper

2 Answers

3

As long as you keep UPnP blocked at your gateway, you will be fine against any direct attacks against UPnP. Later in that same article you linked:

First, and foremost, you need to make sure you've blocked UPnP at your Internet gateway. Specifically, you need your firewall to block any system from outside your LAN from accessing the ports 1900/UDP, and if you have Windows systems, port 2869/TCP. Of course, what you should have been doing all along with your firewall is blocking every port except the ones, such as the Web's port 80/TCP, that you must use on a daily basis.

However, you will still be prone to lateral movement from an attacker gaining entry into the network from another attack vector. Once latched into a network, typical reconnaissance involves scanning for vulnerable devices like those running UPnP. The article does a good job of describing how vulnerable UPnP (or more likely, the various implementations thereof) is, so you will have to weigh the risk of running a vulnerable protocol behind your firewall.

armani
  • Thanks, that does clear things up. One thing I don't understand is whether the vulnerabilities are due to the *protocol*, as the quote suggests, or due to *flawed implementations*. – Paul Draper Apr 08 '15 at 22:34
  • "an attacker gaining entry into the network from another attack vector" Depending on how severe the vulnerability is, I certainly wouldn't want to depend on an entire network of good actors (no accidentally installed malware, etc.). – Paul Draper Nov 29 '20 at 01:07
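One way to see whether hosts outside the LAN are reaching for the ports the first answer says to block (1900/UDP and 2869/TCP), as an added example that is not part of the original answers. It assumes the gateway writes Linux netfilter LOG lines; the LAN range, interface names and log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ports the quoted article says must not be reachable from outside the LAN.
UPNP_PORTS = {("UDP", 1900), ("TCP", 2869)}
# Assumption: the office LAN range; change it to match your addressing.
LAN = ipaddress.ip_network("192.168.1.0/24")
# KEY=value fields as written by the netfilter LOG target.
FIELD = re.compile(r"\b(IN|SRC|PROTO|DPT)=(\S*)")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Apr  8 22:30:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=129 TTL=52 PROTO=UDP SPT=40112 DPT=1900 LEN=109
Apr  8 22:30:02 gw kernel: IN=eth1 OUT= SRC=192.168.1.23 DST=239.255.255.250 LEN=129 TTL=1 PROTO=UDP SPT=50000 DPT=1900 LEN=109
Apr  8 22:30:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=129 TTL=52 PROTO=UDP SPT=40113 DPT=1900 LEN=109
Apr  8 22:31:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.2 LEN=60 TTL=49 PROTO=TCP SPT=51522 DPT=2869 SYN
Apr  8 22:31:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.2 LEN=60 TTL=49 PROTO=TCP SPT=51600 DPT=443 SYN
Apr  8 22:31:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.2 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0
"""

def parse_line(line):
    """Return the LOG fields of one line, or None if it carries no port info."""
    fields = dict(FIELD.findall(line))
    return fields if {"SRC", "PROTO", "DPT"} <= fields.keys() else None

def external_upnp_hits(log_text, lan=LAN):
    """Count packets to the UPnP ports whose source address is outside the LAN."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dport = int(fields["DPT"])
        except ValueError:
            continue  # malformed address or port: skip the line
        if (fields["PROTO"], dport) in UPNP_PORTS and src not in lan:
            hits[(str(src), fields["PROTO"], dport)] += 1
    return hits

if __name__ == "__main__":
    for (src, proto, dport), n in external_upnp_hits(SAMPLE_LOG).most_common():
        print(f"{src} -> {proto}/{dport}: {n} packet(s) from outside the LAN")
```

Run it against the log of packets the gateway accepted on its WAN interface: any hit there means the block is not in place.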
0

A very slight improvement is to put it on its own network and switch to that network on whatever device is interacting with it temporarily. That's easier to do when turning on a radio service stream from a phone or casting a YouTube Watch Later playlist than it is when choosing songs or YouTube videos one by one.

Here are a couple of related links as references:

There is some discussion here of being able to use it without UPnP (at the bottom): https://nakedsecurity.sophos.com/2019/01/04/dont-fall-victim-to-the-chromecast-hackers-heres-what-to-do/

With the famous attack playing PewDiePie, it is unclear whether disabling UPnP solves the issue (further links in article):

The two said that disabling Universal Plug and Play (UPnP) should fix the problem, but this has been disputed by experts.

There is also a problem with location privacy from 2018; I don't know if it's fixed: https://bgr.com/2018/06/19/chromecast-and-google-home-location-vulnerability-fix/

To me it would be best if a user could control it from another (guest) network. This suggests that is not possible, but discusses some details: https://www.reddit.com/r/Chromecast/comments/250pa0/should_it_be_possible_to_cast_from_a_different/

And Google's reply confirming No: Cast to a device on a different network. - Chromecast Help

Discussion of attempts to run on different VLANs: https://community.ui.com/questions/Chromecast-across-VLANs/5cf91d86-91d5-4d05-a832-0cc8226f26c2

Chromecast across VLAN - Super User

alchemy