Bit9

You’ve probably heard about the enduring prevalence of universal plug and play (UPnP) vulnerabilities in Internet-connected routers. Rapid7 released the results of a study this week that showed how more than 80 million IPs responded to UPnP requests over the Internet. They created a nice infographic that summarizes the results. The graphic ends by pointing out how it only takes one User Datagram Protocol (UDP) packet to compromise many of these routers. In the unlikely scenario that the bad guys did not already know about this, they know about it now. And they will use it.

UPnP represents an excellent real-world example of the tension between security and convenience. On the one hand, UPnP allows for “zero configuration” networking and networked devices to “just work.” It enables the non-technical user to network his or her Xbox, TV, router, printer and computer without having to log onto the router and configure individual ports. On the other hand, the promiscuous behavior that allows for easy networking also allows for easy hacking. When a router exposes UPnP to the Internet, it essentially says “Anybody want to connect? I’m your target!” If you have UPnP enabled on your router for the Internet to see, you need to turn it off. Gibson Research Corporation and Rapid7 both provide tools for determining your vulnerability.

Gibson Research Corporation:

  1. Go to http://www.grc.com/default.htm
  2. Go to the grey menu toward the top and mouse over “Services”
  3. In the options that drop down, select “ShieldsUP!”
  4. Click on one of the “Proceed” buttons
  5. Click on the big yellowish “GRC’s Instant UPnP Exposure Test”

If the green box shows up with “THE EQUIPMENT AT THE TARGET IP ADDRESS DID NOT RESPOND TO OUR UPnP PROBES!” then you’re all set. If not, then you need to fix it.

Rapid7:

  1. Go to http://upnp-check.rapid7.com/
  2. Click on the orange “Scan My Router” button

If you see a checkmark with “Congratulations! Your router did not respond to a UPnP discovery request,” then you’re in good shape. If not, you have more work to do.

The fix is to turn off external UPnP. For most routers the process is fairly straightforward:

  1. Open a Web browser and go to your router’s address (typically http://192.168.1.1/).
  2. Enter your username and password to log into the router (you may have to Google your router make and model to find the defaults).
  3. Find the UPnP option. It could be under “Administration” or “Advanced.” Just poke around.
  4. Make sure you select the option for UPnP that turns it off or removes its exposure to the wide-area network (WAN).
  5. Save the settings if your router requires it.

After disabling UPnP, run the test again. Should your router fail again, this means your router’s firmware does not properly limit UPnP. So you need to either reflash or upgrade your firmware, or buy a new router. More info and links about this can be found on ZDNet. Hopefully your router never had UPnP enabled, but if it did you’ve disabled it now. We don’t hear about this kind of serious and widespread vulnerability every day, but we hear about it often enough to know we must stay on guard.
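As an added example (not code from the original post or from GRC or Rapid7), here is a LAN-side check in Python: it sends the one SSDP M-SEARCH discovery datagram that a UPnP device answers to your router’s LAN address and parses any reply, so you can confirm the UPnP service is really off after step 4 and, if it still answers, read the SERVER header that names the UPnP stack your firmware runs. It assumes the router address 192.168.1.1 used above as the typical default and a constructed sample reply for offline testing; it checks only the LAN side, while WAN exposure is what the GRC and Rapid7 tests measure.

```python
import socket
import sys

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900  # SSDP multicast group and port

def build_msearch(mx=2, st="upnp:rootdevice"):
    """Build the single SSDP M-SEARCH datagram that any listening UPnP device answers."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\nST: {st}\r\n\r\n"
    ).encode("ascii")

def parse_ssdp_response(data):
    """Return the headers of an SSDP 'HTTP/1.1 200 OK' reply as a dict, else None."""
    lines = data.decode("utf-8", errors="replace").partition("\r\n\r\n")[0].split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon only; LOCATION holds a URL
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def probe(target, timeout=2.0):
    """Send one M-SEARCH to `target` and collect every valid reply as (ip, headers)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    responders = []
    try:
        sock.sendto(build_msearch(), (target, SSDP_PORT))
        while True:  # a device may answer more than once; read until the window closes
            data, (ip, _port) = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if headers is not None:
                responders.append((ip, headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responders

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed default address
    found = probe(target)
    print(f"{len(found)} UPnP responder(s) from {target}" + ("" if found else " (service appears off)"))
    for ip, headers in found:
        print(f"  {ip}: SERVER={headers.get('SERVER', '?')} LOCATION={headers.get('LOCATION', '?')}")
```

Run it once before and once after disabling UPnP; a router that still answers after the change is the firmware case described above.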
