How to Close Gaping UPnP Router Security Holes
An assortment of vendors produce UPnP-enabled devices that use libupnp, an open source project that has its roots in software tools Intel developed but no longer maintains or supports. A large-scale security project undertaken by Rapid7 turned up a number of security issues afflicting Internet-connected UPnP devices, including multiple buffer overflow vulnerabilities.
The year 2013 is quickly turning into the year of cyberattack awareness, and a common router protocol is one of the latest security holes that urgently demands your attention.
The UPnP, or Universal Plug n Play, protocol is designed to let networked devices find each other easily. The idea is that you should be able to plug a networked device into a router, and the router will easily discover the device.
Problems potentially arise because UPnP isn't authenticated. This lack of authentication has kept things simple for connecting printers, streaming media players and other devices in the home and office.
However, it has also meant that routers can be wide open to connections from anywhere -- particularly because UPnP can function across a WAN network.
Shut It Down
Between 40 million and 50 million IP addresses could be susceptible to attack through multiple UPnP methods, according to a white paper released in January by security firm Rapid 7, which has just completed a large-scale security project.
One method discovered is penetration via SSDP (Simple Service Discovery Protocol) buffer overflow vulnerabilities in a version of UPnP called "Portable SDK for UpnP" (libupnp).
Patches have been released by some router vendors, but in many cases existing network equipment won't be updated, according to Rapid 7.
The Department of Homeland Security's Computer Emergency Readiness Team has suggested computer users disable UPnP.
Patch It Up
There are steps you can take to close this hole, however, and to address other potential UPnP security issues:
Step 1: Identify the external vulnerabilities.
Run the free tool published by Rapid 7 that identifies UPnP Internet-exposure vulnerabilities on your network by browsing to the Rapid 7 website page and clicking on the orange "Scan my Router" button. Then note the results.
Step 2: Identify the internal vulnerabilities.
Download the Rapid 7 ScanNow for UPnP product from the same website. This program identifies internal network vulnerabilities. Click on the "Download Now" button and follow the prompts to install and run. Accept the internal IP address defaults and allow the scan to complete. Then note the results.
Step 3: Review the results.
If either of the two scans show no vulnerabilities, no action is required for this exploit. If vulnerabilities are indicated, proceed to the next step.
Tip: Internet-exposure vulnerabilities are more serious than internal network vulnerabilities.
Step 4: Block inbound traffic on UDP Port 1900 to prevent SSDP attacks by accessing the networked router's configuration menu with a Web browser.
Enter the router's IP address in the browser address bar. Then enter the router User ID and Password. Choose the Advanced section and then Block Services, or similar.
Enter the Protocol, in this case "UDP," and then the port, in this case 1900. Save the configuration.
Tip: A common User ID is "admin" and password can be blank or "password." An Internet search for your router model can provide authentication information.
Step 5: Disable UPnP altogether to prevent current SSDP and possible future attacks.
Access the router's Advanced section and choose "Turn UPnP off," or similar within the specific UPnP area of the router's configuration. Then save the configuration.
Tip: Look for any vendor-provided updates for your router, network printer, media server, security cameras and so on, by searching for the model numbers on the Internet.
Apply any patches by following the vendor-provided instructions.
Discard and replace any equipment that is shown to have UPnP vulnerabilities where the vendor doesn't plan an update or, in the case of a router, where UPnP can't be turned off.
Contact your Internet service provider for replacement equipment if the equipment was supplied and is owned by the ISP.
Want to Ask a Tech Question?
Is there a piece of tech you'd like to know how to operate properly? Is there a gadget that's got you confounded? Please send your tech questions to me, and I'll try to answer as many as possible in this column.
And use the Talkback feature below to add your comments!