UPnP (Universal Plug and Play) is a service that allows devices on the same local network to discover each other and automatically connect through standard networking protocols (such as TCP/IP HTTP, and DHCP). Some examples of UPnP devices are printers, gaming consoles, WiFi devices, IP cameras, routers, mobile devices, and Smart TVs.
UPnP can also modify router settings to open ports into a firewall to facilitate the connection of devices outside of a network.
This service reduces the complexity of networking devices by automatically forwarding router ports to new devices, removing the hassle of manual forwarding.
But this convenience could come at significant security risks.
Is UPnP Safe?
The UPnP service becomes dangerous if it establishes connections with devices that are infected with malware. Such connections make DDoS attacks possible.
But when UPnP allows safedevices to connect, the established network is safe. So the original intention of UPnP technology is safe. It only becomes dangerous when infected devices are involved.
UPnP offers zero-configuration, meaning no human authentication is required to establish a connection. Ports are automatically forwarded to establish a connection when a UPnP request is received. With such an autonomous, and liberal, networking mechanism, it becomes clear how easy it is for the establishment of infected connections to spiral out of control.
UPnP exploitation can result in more than just the connection of an infected device. Here are just a few examples of the malicious actions that are possible with UPnP:
- Connecting internal ports to the router's external-facing side to create gateways ('poking holes') through firewalls.
- Port forwarding the router web administration details
- Port forwarding to any external server located on either their surface or dark web.
- Changing DNS server settings so that a decoy credential stealing website is loaded instead of legitimate banking websites.
- Modifying administrative credentials
- Modifying PPP settings
- Modifying IP settings for all interfaces
- Modifying the WiFi settings
- Modifying or terminate internal connections
Should I Enable UPnP?
Because it's so difficult to determine if a prospective connection could facilitate a malware infection, it's best security practice to disable UPnP.
If port forwarding is an essential requirement (if you use VoIP programs, peer-to-peer applications, game servers, etc) it's better to manually forward each port so that you have control over each established connection).
By default, most new routers come with UPnP enabled and many users are unaware that they're at risk of a malware infection or a data breach.
The graph below indicates the number of devices with UPnP enabled compared to the total number of analyzed devices in each category. As you can see, routers are at the highest risk of being targeted in a UPnP attack.
If you don't have an essential need for the UPnP feature, you should disable it.
Is UPnP Dangerous?
Though the UPnP protocol is safe, it can facilitate insecure connections. A UPnP protocol could permit devices with critical vulnerabilities to connect to your network and sensitive resources.
The U.S Department of Homeland Security urged all businesses to disable their UPnP following a cyberattack in 2013 impacting tens of millions of devices. Though this was about 8 years ago, UPnP-related cyberattacks are still being detected today.
To prevent such infectious connections from occurring, the entire attack surface associated with a UPnP connection must be kept updated with the latest patches. This includes routers, firewalls, antivirus software, and all IoT (Internet of Things) devices that are to be connected.
The National Institute of Standards and Technology (NIST) hosts a continuously updated list of Common Vulnerability Exposures (CVEs) for popular devices and software solutions. Security teams should regularly refer to this list to be aware of any new patch requirements impacting existing or prospective UPnP connections.
The NIST national vulnerability database can be accessed here.
More details about UPnP-specific vulnerabilities can be found on the Carnegie Mellon University website.
If despite the very real risks, you still wish to leave UPnP enabled, refer to the updated UPnP security specifications outlined by the Open Connectivity Framework.
How to Disable UPnP
The process of disabling UPnP is unique for each router. Perform a search online for instructions for your specific router.
Search the following phrase in Google:
How to disable UPnP for [your router name]
The general process is as follows:
- Enter your router's IP address (home network) as a URL in a web browser and hit Enter. If you don't know what your router IP address is, follow the instructions in this article.
- Select Advanced and then click NAT Forwarding.
- Disable UPnP connectivity.
UPnP should also be blocked at the internet gateway to prevent unauthorized devices from accessing ports 1900/UDP and ports 2869/TCP (for Windows). To maximize security, all ports should be blocked except those necessary to run the business - usually port 80/TCP is utilized on a daily basis.
How Can Cyber Attackers Exploit UPnP?
In general, router security policies are quite good at blocking hostile external connections, and an up-to-date firewall increases this resilience. But UPnP is capable of bypassing these security barriers by allowing unauthorized devices to 'poke holes' through firewall policies to established persistent malicious connections.
Such an attack begins with a malware injection which commonly occurs via a phishing campaign. After a Trojan (or worm) is clandestinely installed, it bypasses the router's firewall to establish a hidden backdoor for 24/7 remote access by cybercriminals.
Backdoors can remain undetected for several months - giving cyber attackers plenty of time to do a lot of damage.
Threat actors can do the following through a webserver backdoor.
- Exfiltrating sensitive data
- Encrypting sensitive data and hold it hostage
- Using the victim's systems to launch a Distributed Denial of Service (DDoS) attack.
- Defacing a victim's website
Examples of UPnP Cyberattacks
Since the invention of Universal Plug and Play in 1999, there have been growing concerns about the security issues of the technology. The F.B.I even issued an official warning about the potential exploits of UPnP technology and IoT devices.
These warnings have been corroborated by the many cyberattacks that were made possible through UPnP technology
Some famous UPnP related cyberattacks are outlined below:
Flash UPnP Attack
First discovered in 2008, the Flash UPnP attack is a type of cyberattack that is autonomously executed when a user interacts with a malicious SWF file (specially crafted Flash applet) running on a web page.
This action triggers a silent step attack in the background where the victim's router forwards its ports, exposing its connections to the entire internet.
Though the name might imply otherwise, Flash UPnP attacks are not associated with any Flash vulnerabilities
An enabled and updated firewall will give you the highest chances of defending against Flash UPnP attacks, though it is not guaranteed.
Mirai Botnet Attack
In 2016, cybercriminals executed a colossal Denial-of-service (DDoS) attack by compromising a network of IoT devices (mainly CCTV cameras) through UPnP technology. The cyberattack was so big, it caused an internet outage in most of the United States East Coast.
Pinkslipbot Attacks
The banking Trojan Pinkslipbot also knows as Qakbot and QBot, exploits UPnP to infect its victims. Infected machines are then used as HTTPS-based proxies to control servers to hide the malicious activity being carried out.
Plinkslipbot malware steals banking credentials from US financial institutions using man-in-browser attacks and password stealers.
This family of malware was first discovered in the late 2000s and it's still active today.
Reduce your Data Breach Risks with UpGuard
UpGuard's attack surface management solution scans internal and third-party attack surfaces for overlooked vectors that could be exploited to facilitate breaches. For an overview of how UpGuard can compress your attack surface and decrease your data breach potential, watch the video below.
