Universal Plug and Play (UPnP) is something that all of us have probably come into contact with without even realizing it. If you’ve ever bought a new printer and noticed that your computer, phone and tablet are all able to recognize the device automatically, you’ve lived UPnP. If you fancy playing that song from your phone a little louder by casting it to a wireless speaker that advertises itself as a DLNA renderer, that’s UPnP too.
Often paired with another widely used acronym, IoT (internet of things), UPnP was designed to make communication between devices simpler and more convenient. UPnP, in short, automates device discovery and connectivity on a local network.
However, with data breaches on the rise and a more security-conscious population, is UPnP safe? First, we need to explain briefly how it works.
How Does UPnP Work?
From the perspective of a consumer, UPnP is the simplest thing in the world. You bring home a new device, connect it to the network, and suddenly all the other devices on that network are able to communicate with it automatically. All the dirty work is done behind the scenes. If we were to break it down and look at what was actually happening, we would see the following:
- Device joins the network and obtains an IP address (from DHCP, or via Auto-IP if no DHCP server answers)
- Device announces itself, and looks for others, by multicasting SSDP (Simple Service Discovery Protocol) messages to 239.255.255.250 on UDP port 1900
- Device publishes an XML description of itself and its services, including the friendly name other devices display; the LOCATION header in its SSDP messages points to that description
- Other devices then send it SOAP control requests over HTTP and subscribe to its state-change events
It’s important to note that UPnP runs over IP, so an IP address is a prerequisite. Many Internet of Things devices (such as smart light bulbs and smart coffee machines) communicate over Bluetooth, Zigbee or Radio Frequency Identification (RFID) instead; those devices are not speaking UPnP themselves, even if a hub that bridges them onto the network is.
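The discovery step above is small enough to show in full. The following Python is an added example, not code from the original article: it builds the SSDP M-SEARCH probe a client multicasts to find an Internet Gateway Device and parses the HTTP-style reply. The reply in SAMPLE_RESPONSE is constructed here rather than captured; discover() only returns results on a LAN with a UPnP-enabled router.

```python
"""SSDP discovery, the first step of any UPnP interaction.
Added example; SAMPLE_RESPONSE is constructed, not a real capture."""
import socket
from typing import Dict, List

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(search_target: str = IGD_TARGET, mx: int = 2) -> bytes:
    """M-SEARCH request (HTTP syntax over UDP). MX is the maximum number of
    seconds a device may wait before answering; ST narrows the search."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Turn a unicast SSDP reply into a dict keyed by lower-cased header.
    LOCATION is the one that matters: it is the URL of the device
    description XML, which in turn lists the SOAP control URLs."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP 200 response: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout: float = 2.0) -> List[Dict[str, str]]:
    """Multicast one M-SEARCH and collect replies (needs a real LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, str]] = []
    try:
        sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (ip, _) = sock.recvfrom(65507)
            try:
                hdrs = parse_ssdp_response(data)
            except ValueError:
                continue  # e.g. a NOTIFY announcement rather than a reply
            hdrs["_from"] = ip
            found.append(hdrs)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed reply, in the shape a MiniUPnPd-based gateway would send.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/4.x UPnP/1.1 MiniUPnPd/2.1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for h in discover():
        print(h.get("_from"), h.get("server"), "->", h.get("location"))
```

Nothing in that exchange identifies or authenticates the asker; any process that can send a UDP packet on the LAN gets the same answer, which is the starting point for everything discussed below.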
The Danger of UPnP
Many claim that UPnP, by design, is insecure. Its Internet Gateway Device (IGD) profile in particular is designed to let any device on the LAN ask the router to open a port in its firewall and forward it to a local machine, so that an outsider can reach a server hosted behind that firewall. The request carries no credentials; the router simply does what it is asked.
This can be compared to fixing an industrial lock onto a door guarding all your valuable items and leaving the key in the lock for anyone to use.
In that sense, UPnP sharply weakens the router’s firewall. Any trojan, for example, could set up a listening IRC bot, RAT server or something equally malicious and request that the router forward a port to it. All in all, not ideal.
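To make the “no credentials” point concrete, here is an added example (again not code from the original article) that builds the AddPortMapping SOAP call exactly as any LAN process would send it, and parses the reply to GetGenericPortMappingEntry, the action you call repeatedly to see what a gateway has already forwarded. Action and argument names come from the UPnP IGD WANIPConnection service; the gateway address, the control URL and SAMPLE_RESPONSE are constructed for the example.

```python
"""UPnP IGD control: the SOAP layer behind automatic port forwarding.
Added example, not code from the original article. Action and argument
names follow the IGD WANIPConnection service; gateway address, control
URL and SAMPLE_RESPONSE are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Services a home router should never forward to the internet.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}


def soap_request(action: str, args: Dict[str, str],
                 host: str = "192.168.1.1:49152") -> Tuple[Dict[str, str], str]:
    """Return (HTTP headers, body) for a WANIPConnection action; it is POSTed
    to the controlURL from the device description. Note what is absent: no
    cookie, token or password. The IGD profile has no authentication."""
    body_args = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{WANIP_NS}">{body_args}</u:{action}>'
        "</s:Body></s:Envelope>"
    )
    headers = {
        "Host": host,
        "Content-Type": 'text/xml; charset="utf-8"',
        "Content-Length": str(len(body.encode("utf-8"))),
        "SOAPAction": f'"{WANIP_NS}#{action}"',
    }
    return headers, body


def add_port_mapping(ext_port: int, int_port: int, int_client: str,
                     proto: str = "TCP", desc: str = "example", lease: int = 0):
    """The request a trojan (or a game console, or a NAS) sends to punch a
    hole through NAT. Empty NewRemoteHost = any internet source address;
    NewLeaseDuration 0 = permanent until something deletes it."""
    return soap_request("AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": str(ext_port),
        "NewProtocol": proto,
        "NewInternalPort": str(int_port),
        "NewInternalClient": int_client,
        "NewEnabled": "1",
        "NewPortMappingDescription": desc,
        "NewLeaseDuration": str(lease),
    })


@dataclass
class PortMapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int


def parse_mapping_entry(xml_text: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntry response. To audit a gateway you
    call that action with NewPortMappingIndex 0, 1, 2, ... until it faults."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    resp = root.find(f".//{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        is_fault = root.find(f".//{{{SOAP_NS}}}Fault") is not None
        raise ValueError("SOAP fault" if is_fault else "not a port-mapping response")

    def text(tag: str) -> str:
        el = resp.find(tag)  # argument elements carry no namespace
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        remote_host=text("NewRemoteHost"),
        external_port=int(text("NewExternalPort")),
        protocol=text("NewProtocol"),
        internal_port=int(text("NewInternalPort")),
        internal_client=text("NewInternalClient"),
        enabled=text("NewEnabled") == "1",
        description=text("NewPortMappingDescription"),
        lease_seconds=int(text("NewLeaseDuration") or "0"),
    )


def risk_notes(m: PortMapping) -> List[str]:
    """What an auditor would flag about an existing mapping."""
    notes = []
    if m.remote_host == "":
        notes.append("accepts connections from any internet address")
    if m.lease_seconds == 0:
        notes.append("permanent lease, stays until explicitly deleted")
    if m.internal_port in ADMIN_PORTS:
        notes.append(f"exposes {ADMIN_PORTS[m.internal_port]} on {m.internal_client}")
    return notes


# Constructed response for the kind of entry that should worry you.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>
<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>remote desktop</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    entry = parse_mapping_entry(SAMPLE_RESPONSE)
    print(entry)
    for note in risk_notes(entry):
        print(" -", note)
```

Run against a real gateway, the enumeration loop is the quickest way to find out whether something on your LAN has quietly forwarded RDP, SMB or a bot’s listener to the internet, which is the check to make before deciding whether UPnP is worth keeping on.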
UPnP Security Risks
There are a number of common security risks associated with UPnP that many cite when recommending that UPnP be disabled.
Interestingly, in December 2001 the FBI’s National Infrastructure Protection Center advised users to disable UPnP because of a buffer overflow in Windows XP’s UPnP service. Many people still refer to this recommendation when explaining why UPnP is potentially dangerous.
However, that issue was a flaw in Microsoft’s implementation rather than in the protocol design and, after the bug was fixed by a security patch, the NIPC quickly revised its advice.
Badly Implemented UPnP on Routers
A lot of the problems associated with UPnP threats can be traced to implementation rather than design. Router manufacturers historically have not been good at securing their UPnP implementations, which often means the router does not validate input properly (malformed SSDP or SOAP messages, for example). Malicious applications, and in the worst cases remote attackers, can therefore exploit bad UPnP implementations to run commands on the router or redirect network traffic.
Malware that Uses UPnP
Common malware, such as Trojans, viruses, worms and more, can make use of UPnP once it has infected a computer on your local network. UPnP allows such programs to open inbound paths that the router would otherwise block. UPnP essentially assumes that every program on the LAN is legitimate and lets any of them forward ports. This is a genuine issue that many are concerned about and, unfortunately, if this is a sticking point for you then you will probably have to disable UPnP.
Flash UPnP Attack
You would think that only malware already on your machine could abuse UPnP in this way, but the Flash UPnP Attack, demonstrated in 2008, showed otherwise. If you visited a website running a particular Flash applet, that applet could send UPnP requests to your router on your behalf and have it forward ports. Flash is no longer shipped in browsers, but the weakness it exploited remains: the router does whatever any client on the LAN asks, and a browser steered by a malicious page is such a client. A host-based firewall on the machine the port was forwarded to still filters that inbound traffic, so the attacker gains little unless that machine is running a vulnerable service.
On some routers, however, such a request could do far more serious damage by changing the primary DNS server through UPnP. That would silently redirect your traffic to attacker-chosen sites, opening endless possibilities for data theft and fraud.
Should You Disable UPnP?
Ultimately, it is a matter of judgement. UPnP is convenient but brings with it some quite serious security weaknesses, some of which cannot be mitigated by security software on your endpoints. Our recommendation is that if you don’t use port forwarding at all, you should disable UPnP. If you use port forwarding occasionally, consider creating the forwarding rules by hand in the router’s admin interface instead, which is entirely possible and gives you a fixed list you can review.
Heavy port forwarding users will have a decision to make. Are you willing to give up security for the convenience of UPnP? The chance that you will be compromised through UPnP is fairly small, but the consequences could be great. In the end, it’s down to you.
Are the Concerns Over UPnP Security Legitimate?
Whilst it is usually recommended that you disable UPnP on your router (as many do out of principle), some have questioned whether this is necessary. UPnP itself dates back to the late 1990s, but around 2011 to 2013 researchers found glaring implementation issues in many routers, including devices that accepted UPnP requests on the internet-facing interface. This meant that anyone on the internet could open any port on them. Over the last decade, however, the software vulnerabilities in routers have been patched numerous times with security in mind.
UPnP, therefore, is not inherently dangerous if your router is up to date with the latest firmware and your connected devices are free of malware. UPnP becomes an issue if a connected device is infected with malware, because the malware can use it to expose services on your local devices to the internet. However, if this is the case, most malware doesn’t need UPnP to spread across your network in the first place.
So, What Can You Do?
You can disable UPnP on your router if you want peace of mind. However, most of the time, if an attacker wants to get inside your network and cause havoc, they don’t need UPnP to do it. In fact, cyber-attacks are so commonplace now, it’s not a matter of if it will happen to you, it’s a matter of when.
Many IT teams and tech-conscious people hate the idea of having to admit defeat to cyber-attackers. But the sad truth of the matter is that the attackers will always be able to navigate the security defences.
So, what can you do?
You can keep an eye on what the attackers are after in the first place: the data. Monitor interactions with data using the Lepide Data Security Platform, which can detect anomalies and report on changes being made to critical files and folders, including copy events.
For a sneak peek at how Lepide Data Security Platform helps to monitor user behavior with files and folders, schedule a demo of the solution today.