What is UPnP? Yes, it's still dangerous in 2021

UPnP (Universal Plug and Play) is a service that allows devices on the same local network to discover each other and automatically connect through standard networking protocols (such as TCP/IP, HTTP, and DHCP). Some examples of UPnP devices are printers, gaming consoles, WiFi devices, IP cameras, routers, mobile devices, and Smart TVs.

UPnP can also modify router settings to open ports into a firewall to facilitate the connection of devices outside of a network.

This service reduces the complexity of networking devices by automatically forwarding router ports to new devices, removing the hassle of manual forwarding.

But this convenience could come at significant security risks.

Is UPnP Safe?

The UPnP service becomes dangerous if it establishes connections with devices that are infected with malware. Such connections make DDoS attacks possible.

But when UPnP only allows safe devices to connect, the resulting network is safe. So the original intention behind UPnP technology is sound; it only becomes dangerous when infected devices are involved.

UPnP offers zero-configuration, meaning no human authentication is required to establish a connection. Ports are automatically forwarded to establish a connection as soon as a UPnP request is received. With such an autonomous and liberal networking mechanism, it becomes clear how easily infected connections can spiral out of control.

UPnP exploitation can result in more than just the connection of an infected device. Here are just a few examples of the malicious actions that are possible with UPnP:

  • Connecting internal ports to the router's external-facing side to create gateways ('poking holes') through firewalls.
  • Port forwarding the router's web administration interface.
  • Port forwarding to any external server, located on either the surface web or the dark web.
  • Changing DNS server settings so that a decoy credential-stealing website is loaded instead of a legitimate banking website.
  • Modifying administrative credentials.
  • Modifying PPP settings.
  • Modifying IP settings for all interfaces.
  • Modifying the WiFi settings.
  • Modifying or terminating internal connections.
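The first two items above (holes poked through the firewall and the router's own administration interface forwarded to the outside) are exactly what an audit of the gateway's mapping table reveals. The following is an added example, not code from the original post. It parses the two messages a UPnP Internet Gateway Device (IGD) returns during such an audit: the SSDP reply to an M-SEARCH on 1900/UDP (whose LOCATION header gives the gateway's address) and the SOAP reply to the WANIPConnection action GetGenericPortMappingEntry, which returns one forwarded port per call. It then rates each mapping. All sample messages are constructed for this example, and the contents of SENSITIVE_PORTS and the severity scheme are assumptions.

```python
"""Audit the port mappings a UPnP Internet Gateway Device (IGD) forwards.

Added example (not from the original post). Sample SSDP and SOAP messages
below are constructed; the SENSITIVE_PORTS list is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WANIP_NS = "{urn:schemas-upnp-org:service:WANIPConnection:1}"
# Assumed list of ports that belong to management or internal-only services.
SENSITIVE_PORTS = {21, 22, 23, 53, 80, 443, 445, 3389, 5900, 8080, 8443}
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed SSDP reply, in the shape an IGD returns to an M-SEARCH.
SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::"
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    "SERVER: Linux/4.4 UPnP/1.1 MiniUPnPd/2.1\r\n"
    "EXT:\r\n"
    "\r\n"
)


def soap_entry(remote, ext_port, proto, int_port, client, desc, lease):
    """Build a constructed GetGenericPortMappingEntry reply (sample data only)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body>"
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost>{remote}</NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse>"
        "</s:Body></s:Envelope>"
    )


# Two constructed mappings: a game server on a LAN host, and a hole that
# forwards an external port to the router's own web interface forever.
SAMPLE_MAPPINGS = [
    soap_entry("", 25565, "TCP", 25565, "192.168.1.50", "game server", 3600),
    soap_entry("", 8080, "TCP", 80, "192.168.1.1", "remote admin", 0),
]


def parse_ssdp_reply(raw):
    """Return the headers of an SSDP M-SEARCH reply, keys upper-cased."""
    status, _, rest = raw.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP M-SEARCH response")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:          # blank line terminates the header block
            break
        key, _, value = line.partition(":")
        headers[key.strip().upper()] = value.strip()
    return headers


def gateway_address(headers):
    """The gateway's LAN address: the host part of the LOCATION URL."""
    return urlparse(headers["LOCATION"]).hostname


def parse_port_mapping(xml_text):
    """Extract one mapping from a GetGenericPortMappingEntry SOAP reply."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{WANIP_NS}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    text = lambda tag: (resp.findtext(tag) or "").strip()
    return {
        "remote_host": text("NewRemoteHost"),     # "" means any internet source
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
        "lease": int(text("NewLeaseDuration")),   # 0 means the hole never expires
    }


def assess_mapping(mapping, gateway_ip):
    """Rate one mapping as ('low'|'medium'|'high', [reasons])."""
    if not mapping["enabled"]:
        return "low", ["mapping is disabled"]
    findings = []
    if mapping["internal_client"] == gateway_ip:
        findings.append(("high", "forwards to the gateway itself, exposing the router's own services"))
    if mapping["internal_port"] in SENSITIVE_PORTS:
        findings.append(("high", f"internal port {mapping['internal_port']} is a management or internal-only service"))
    if mapping["lease"] == 0:
        findings.append(("medium", "permanent lease, so the hole never closes on its own"))
    if mapping["remote_host"] == "":
        findings.append(("low", "no remote-host restriction, reachable from any internet address"))
    severity = max((s for s, _ in findings), key=RANK.get, default="low")
    return severity, [reason for _, reason in findings]


def audit(ssdp_reply, soap_replies):
    """Discover the gateway address, then rate every mapping it reports."""
    gateway_ip = gateway_address(parse_ssdp_reply(ssdp_reply))
    report = []
    for xml_text in soap_replies:
        mapping = parse_port_mapping(xml_text)
        severity, reasons = assess_mapping(mapping, gateway_ip)
        report.append({"mapping": mapping, "severity": severity, "reasons": reasons})
    return report


if __name__ == "__main__":
    for entry in audit(SSDP_REPLY, SAMPLE_MAPPINGS):
        m = entry["mapping"]
        print(f"{entry['severity']:6} {m['protocol']} {m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']} ({m['description']})")
        for reason in entry["reasons"]:
            print("       -", reason)
```

Against a real gateway the two sample strings would be replaced by the M-SEARCH reply received on the LAN and by the replies to GetGenericPortMappingEntry called with NewPortMappingIndex 0, 1, 2, ... until the gateway returns a SOAP fault; the parsing and rating logic is unchanged. A mapping rated high is a hole poked through the firewall toward a sensitive service and should be removed, or the UPnP service disabled as the post recommends.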

Should I Enable UPnP?

Because it's so difficult to determine if a prospective connection could facilitate a malware infection, it's best security practice to disable UPnP.

If port forwarding is an essential requirement (for example if you use VoIP programs, peer-to-peer applications, or game servers), it's better to manually forward each port so that you have control over each established connection.

By default, most new routers come with UPnP enabled and many users are unaware that they're at risk of a malware infection or a data breach.

The graph below indicates the number of devices with UPnP enabled compared to the total number of analyzed devices in each category. As you can see, routers are at the highest risk of being targeted in a UPnP attack.

[Figure: Common devices with UPnP enabled]

If you don't have an essential need for the UPnP feature, you should disable it.

Is UPnP Dangerous?

Though the UPnP protocol itself is safe, it can facilitate insecure connections. UPnP could permit devices with critical vulnerabilities to connect to your network and sensitive resources.

The U.S. Department of Homeland Security urged all businesses to disable UPnP following a cyberattack in 2013 impacting tens of millions of devices. Though this was about 8 years ago, UPnP-related cyberattacks are still being detected today.

To prevent such infectious connections from occurring, the entire attack surface associated with a UPnP connection must be kept updated with the latest patches. This includes routers, firewalls, antivirus software, and all IoT devices that are to be connected.

The National Institute of Standards and Technology (NIST) hosts a continuously updated list of Common Vulnerabilities and Exposures (CVEs) for popular devices and software solutions. Security teams should regularly refer to this list to be aware of any new patch requirements impacting existing or prospective UPnP connections.

The NIST national vulnerability database can be accessed here.

More details about UPnP-specific vulnerabilities can be found on the Carnegie Mellon University website.

If despite the very real risks, you still wish to leave UPnP enabled, refer to the updated UPnP security specifications outlined by the Open Connectivity Framework.

How to Disable UPnP

The process of disabling UPnP is unique for each router. Perform a search online for instructions for your specific router.

Search the following phrase in Google:

How to disable UPnP for [your router name]

The general process is as follows:

  1. Enter your router's IP address (home network) as a URL in a web browser and hit Enter. If you don't know what your router IP address is, follow the instructions in this article.
  2. Select Advanced and then click NAT Forwarding.
  3. Disable UPnP connectivity.

UPnP should also be blocked at the internet gateway to prevent unauthorized devices from reaching port 1900/UDP and port 2869/TCP (the latter used by Windows). To maximize security, all ports should be blocked except those necessary to run the business - usually port 80/TCP is used on a daily basis.
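Once those ports are blocked at the gateway, the firewall's own log is the place to confirm the block holds and to spot internet hosts probing for exposed UPnP. The following is an added example, not code from the original post. It parses Linux iptables LOG lines (the `IN= OUT= SRC= DST= ... PROTO= SPT= DPT=` kernel log format) and flags any packet that reaches the WAN interface on 1900/UDP or 2869/TCP: a DROP in the log prefix confirms the recommended block is working, while an ACCEPT means UPnP is reachable from outside. The log lines, interface name and log prefixes are constructed for this example.

```python
"""Check gateway firewall logs for UPnP traffic arriving from the internet.

Added example (not from the original post). The log lines, the WAN
interface name and the log prefixes are constructed for this example.
"""
import re
from collections import Counter

WAN_IFACES = {"eth0"}                        # assumption: the WAN-side interface
UPNP_PORTS = {("UDP", 1900), ("TCP", 2869)}  # the ports the post says to block

# Constructed iptables LOG lines using documentation-range addresses.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw kernel: UPNP-WAN-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.20 LEN=131 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=49152 DPT=1900 LEN=111
Mar  3 09:12:03 gw kernel: UPNP-WAN-ACCEPT IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=50311 DPT=2869 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 09:12:05 gw kernel: LAN-ACCEPT IN=br0 OUT= SRC=192.168.1.50 DST=239.255.255.250 LEN=160 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=33443 DPT=1900 LEN=140
Mar  3 09:13:10 gw kernel: WAN-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<inif>\S*) OUT=(?P<outif>\S*) (?P<fields>.*)$"
)


def parse_line(line):
    """Turn one iptables LOG line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"].strip(),
           "in": m["inif"], "out": m["outif"]}
    for token in m["fields"].split():
        # Flag tokens such as DF or SYN carry no '='; keep them as booleans.
        # LEN= appears twice (IP and transport); the second value wins.
        key, sep, value = token.partition("=")
        pkt[key] = value if sep else True
    return pkt


def classify(pkt):
    """Return an alert for a UPnP packet that hit the WAN side, else None."""
    if pkt is None or pkt["in"] not in WAN_IFACES:
        return None
    try:
        key = (pkt.get("PROTO"), int(pkt.get("DPT", -1)))
    except ValueError:
        return None
    if key not in UPNP_PORTS:
        return None
    blocked = any(word in pkt["prefix"].upper() for word in ("DROP", "REJECT"))
    return {
        "ts": pkt["ts"],
        "src": pkt["SRC"],
        "proto": key[0],
        "port": key[1],
        "verdict": "blocked" if blocked else "allowed",
        # An accepted probe means UPnP is exposed; a drop confirms the block.
        "severity": "info" if blocked else "high",
    }


def detect(lines):
    """Run every line through the parser and return the alerts in log order."""
    alerts = []
    for line in lines:
        alert = classify(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


def probes_by_source(alerts):
    """Count probes per source address; repeat hits suggest an internet scan."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['severity']:4} {a['src']} -> {a['proto']}/{a['port']} {a['verdict']}")
    print("probes per source:", probes_by_source(found))
```

The LAN-side M-SEARCH to the multicast address 239.255.255.250 in the third line is ordinary UPnP discovery and produces no alert; only packets on the WAN interface matter here. Feeding the script `/var/log/kern.log` (or `journalctl -k`) from a gateway whose rules log with a DROP or ACCEPT prefix gives an ongoing check that the block from the paragraph above is in place.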

How Can Cyber Attackers Exploit UPnP?

In general, router security policies are quite good at blocking hostile external connections, and an up-to-date firewall increases this resilience. But UPnP is capable of bypassing these security barriers by allowing unauthorized devices to 'poke holes' through firewall policies to establish persistent malicious connections.

Such an attack begins with a malware injection which commonly occurs via a phishing campaign. After a Trojan (or worm) is clandestinely installed, it bypasses the router's firewall to establish a hidden backdoor for 24/7 remote access by cybercriminals.

Backdoors can remain undetected for several months - giving cyber attackers plenty of time to do a lot of damage.

Threat actors can do the following through a webserver backdoor.

Examples of UPnP Cyberattacks

Since the invention of Universal Plug and Play in 1999, there have been growing concerns about the security issues of the technology. The F.B.I. even issued an official warning about the potential exploits of UPnP technology and Internet of Things (IoT) devices.

These warnings have been corroborated by the many cyberattacks that were made possible through UPnP technology.

Some famous UPnP related cyberattacks are outlined below:

Flash UPnP Attack

First discovered in 2008, the Flash UPnP attack is a type of cyberattack that is autonomously executed when a user interacts with a malicious SWF file (specially crafted Flash applet) running on a web page.

This action silently triggers an attack in the background in which the victim's router forwards its ports, exposing its connections to the entire internet.

Though the name might imply otherwise, Flash UPnP attacks are not associated with any Flash vulnerabilities.

An enabled and updated firewall will give you the highest chances of defending against Flash UPnP attacks, though it is not guaranteed.

Mirai Botnet Attack

In 2016, cybercriminals executed a colossal distributed denial-of-service (DDoS) attack by compromising a network of IoT devices (mainly CCTV cameras) through UPnP technology. The cyberattack was so large that it caused an internet outage across most of the United States East Coast.

Pinkslipbot Attacks

The banking Trojan Pinkslipbot, also known as Qakbot and QBot, exploits UPnP to infect its victims. Infected machines are then used as HTTPS-based proxies for its command-and-control servers to hide the malicious activity being carried out.

Pinkslipbot malware steals banking credentials from US financial institutions using man-in-the-browser attacks and password stealers.

This family of malware was first discovered in the late 2000s and it's still active today.

UpGuard Helps Businesses Mitigate Data Breaches

You may keep your cyber defenses updated with the latest patches, but your vendors may not. In fact, vendors commonly overlook their security posture, which is why third-party breaches and supply chain attacks account for almost 60% of all data breaches.

This formidable statistic can be flattened by implementing a third-party attack surface monitoring solution such as UpGuard.

UpGuard detects critical vendor vulnerabilities, which include unpatched third-party software. UpGuard also offers vendor data leak detection and remediation to shut down exposures before they develop into data breaches, further reducing the risk of third-party breaches.

To find out if you're at risk of a data breach, click here to request your FREE security score now!
