UPnP - The (almost) Forgotten Vulnerability

Category: Hardware , Security

It was an awkward moment in 2006 when one of the most useful and popular networking features ever invented was discovered to also be very useful to hackers. Some vendors got busy on the problem, improving their product and making it more difficult for bad guys to exploit it. But hundreds more deliberately ignored the threat. Read on find out if you are exposed to the UPnP (Universal Plug-N-Play) vulnerability...

UPnP: Are You Exposed?

Router manufacturers who decided to do nothing when alerted to the UPnP problem said “We haven’t seen any evidence that hackers are actually exploiting this vulnerability, so we’re not going to do anything about it.” They were wrong.

Now we have plenty of evidence that hackers are exploiting Universal Plug-n-Play (UPnP) to conceal vast botnets of compromised routers and other Internet of Things (IoT) devices. Akamai, the global content distribution network, has published findings of its research into UPnP exploits, and the results surprise and concern many security experts.

Just as you may not recall the dark age before home refrigerators defrosted themselves, it’s common to forget the nightmares of home computing before Universal Plug-n-Play. Getting a PC and a new printer to work together might take an entire morning of fiddling with drivers, print spool servers, and other obscure things. With UPnP, you just connect a new printer to a PC with a USB cable and let the two devices work things out on their own. “Plug and play” is so taken for granted now that it hardly merits a line in a list of product features.

UPnP Router vulnerability test

UPnP is a networking protocol that helps newly installed devices configure themselves and communicate with other devices on a LAN – a local area network such as your home network. UPnP also enables devices to automatically open or close ports which are necessary for such communications. These UPnP features are widely implemented on consumer routers.

In 2006, researcher Armijn Hemel discovered that some vendors were improperly implementing UPnP in ways that enabled devices on the WAN (wide-area network, e. g., the Internet) to interact with devices on the LAN (e. g., your home network) without the permission of any human network administrators. Obviously, that’s not what you want (unless you’re a hacker).

Subsequent research sought to determine the scope of this problem. In 2013, it turned out to be more than 1,500 vendors, representing thousands of device models and more than 80 million vulnerable installed devices. “Awkward,” indeed!

UPnP, Proxy Servers, and the Men In Black

Akamai discovered about 65,000 UPnP-vulnerable routers that have been compromised in a unique way. Hackers have inserted bogus entries into the Network Address Translation (NAT) tables of these routers. The bogus entries turn the routers into proxy servers.

Bear with me, the next paragraph is a little bit geeky, but it explains why you don't want your router to act as a proxy server. (You may also want to view the video embedded here to get an explanation of the UPnP problem from security guru Steve Gibson.)

A remote hacker can send a command to a compromised port on a router and it will be passed along to either an internal IP address on the LAN or an external IP address on the Internet/WAN. In the former case, the hacker may gain full control of a machine on the LAN. In the latter case, the destination address out on the Internet may be the target of a hacker’s attack or another “UPnProxied” router, ready to further obscure the true origin of the command. Chains of proxies may be hundreds or thousands of compromised routers long, making it impossible to track the bad actors down.

If a cyber-attack appears to come from your home router, the FBI may soon spoil your day. (The Men In Black have been known to open doors without knocking.) While you try to explain that you know nothing about that international bitcoin hacker gang, the bad guys move their nefarious activity to another router on their proxy network.

The UPnProxy exploit can also expose a router’s administrator console to an attacker out on the Internet, even if the router has been configured not to allow remote access. The exploit makes it appear to the router that the entity trying to log in to the administrator console is on the home network/LAN even though it is not.

A UPnProxy network can serve the nefarious needs of other botnets, disguising the origins of DDoS (distributed denial of service) attacks or massive brute-force password cracking campaigns. It may hide the sources of spam or malware, phishing sites and “poisoned” sites where visitors get a silent download of malware. State-sponsored intelligence agencies may use the UPnProxy technique to hide their online shenanigans.

Then there are the good uses for UPnProxy. Akamai found one proxy network being used to allow Chinese Internet users to evade their nation’s Great Firewall and connect to news and other information offered by the outside world. Dissidents also use the proxy network to organize and communicate undiscovered by their repressive governments. But mostly, the UPnP vulnerability is a gigantic, scary problem.

What Can You Do?

Discovering whether your own router is UPnP-compromised is a geeky task beyond the skills of most consumers. One option is to check Akamai’s list of 400 router models from 73 vendors (buried in its report) that Akamai’s researchers have identified as exposing UPnP services via the Internet, indicating they may be vulnerable to attacks.

Or you could use Steve Gibson's Universal Plug n'Play (UPnP) Internet Exposure Test. To do so, go to the ShieldsUP! page, click the Proceed button, and then click the big orange button that says GRC's Instant UPnP Exposure Test.

If the results indicate that your router is exposed, you should take action. If your ISP provided the router, ask them to update the firmware or replace it. If you purchased the router, you should consider doing likewise.

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 22 Jun 2018


For Fun: Buy Bob a Snickers.

Prev Article:
[HOWTO] Protect Your Router Now

The Top Twenty
Next Article:
A Major Victory for Privacy Rights

Most recent comments on "UPnP - The (almost) Forgotten Vulnerability"

Posted by:

UNITARY
22 Jun 2018

Follow-up advice:

While you are at the ShieldsUP! page, carry out the other offered vulnerability tests.

If you are protected, ShieldsUP! will tell you that, from the point of view of a hacker, your PC does not exist.


Posted by:

Ole
22 Jun 2018

Thank you for your Shields-Up page link to test this machines UPnP vulnerability. The Gibson's Research test did not get a response from this machine :-)


Posted by:

Chris
22 Jun 2018

Thank you; I appear well-enough hidden....for now!


Posted by:

Denis
22 Jun 2018

Thank you for another great article Bob. My router passed the test with 'No response'.


Posted by:

Jay R
22 Jun 2018

Yea! My PC passed. Thank you, Bob!


Posted by:

Normintura (Australia)
23 Jun 2018

Am I also at risk if I only use my mobile phone's hotspot for internet connection? I don't have a router as such. Thanks for your articles, great stuff.


Posted by:

Egbok
23 Jun 2018

Thanks Bob! Clicked the Security Now video, info plus info, held me for the whole thing. Thanks Again!


Posted by:

Robert T Deloyd
23 Jun 2018

No problem with my router...
I think I'll save the link you provided to the ShieldsUP! page... It looks mighty useful!
Thanks :)


Posted by:

Liz
23 Jun 2018

Thanks so much, Bob. I ran all three tests at Shields up (including the two recommended for newcomers) and they all came out perfect. Not sure how that happened! but feel so much better now.


Posted by:

MmeMoxie
23 Jun 2018

Great article and it was wonderful to see Steve Gibson doing what he does best. . .Teaching others about Security and Safety.


I have been using Shield's Up for almost 20 years now. I became aware of Steve Gibson when he first discovered "Spyware" on Real Player, back in the 90's. It was Gibson that coined the term, "Spyware."


Gibson's Shield's Up program is a definite plus for any computer user. It so easy to use and tells you whether you are Stealth or not. The optimal goal is to be Stealth. Anytime, I get a new component added to my PC, I go to Gibson's Shield's Up to check that I am Stealth. I have been doing this for years. Plus, there are some very interesting articles programs by Gibson, himself on his site. The are well worth reading and downloading the programs..


Bob will admit, Gibson is a genius and still writes in Assembly Code to this day. That code was used at the beginning of coding for computers. The programs were small but well written. They took no real space from your Hard Drive, due to Hard Drives being so small in storage space, most of the Hard Drives were only 540mbs or smaller.


I purchased my first computer in Sept. 1996. It came with a 1.3 GB Hard Drive which at that time was monstrous. It was a Western Digital Hard Drive. I was so proud of my PC. But, I had major issues with this computer and the Motherboard died within 6 months. I was sent out a new computer and this one had a Seagate Hard Drive of 3.43 GB.


Even though my first computer's Motherboard died, I did like the Western Digital Hard Drive. Since that time, I always purchase a Western Digital Hard Drive, these days. They are an excellent product, in my book. When the Hard Drive in my current PC died, I replaced the Western Digital 1TB Hard Drive with a Western Digital 2TB Hard Drive.


The old dead Hard Drive was manufactured in Dec. 2007 and it worked until March of 2018. That is 10 years of solid usage from one Hard Drive. Please, even though I love Western Digital Hard Drives, most will not give you 10 years worth of service, but they will work hard for you and give you at least 5 or 6 years minimum.


Oh, this current Hard Drive is 5400 rpm, not the faster 7200 rpm. I believe that the slower speed can give you longer hours of usage. The 10 year Hard Drive was a 5400 rpm Hard Drive.


Back to Steve Gibson, he is a computer genius and yet he can explain things to those who may not understand the basic technology of computers. Bob, also has this gift and I do believe it is a gift.


Thank you, Bob for taking this topic and sharing it with you readers. Thank you, for the Steve Gibson's talk with Leo LaPorte. For me, it was an excellent video to share and perfect for the topic.


For those who have seen my name on Bob's website Archives comments. I have the greatest respect for Bob Rankin, Steve Gibson and Leo LaPorte. These 3 men have been my mentors for over 20 years and I am so glad that I learned all about computers from these 3 men!!! I have always said, that I was self-taught but I learned from these 3 men.


Posted by:

SamG
23 Jun 2018

Hi Bob! Same as Normintura here. At&t mifi 4g mobile modem. Will test in a bit. Then there's my TP-Link repeater. Which I'll test too.
The modem usually only has a 15' range. With numerous other wifi broadcasters in range, this may be the last to get hacked.
How vulnerable is a Comcast hotspot? Or an At&t hotspot?


Posted by:

SamG
23 Jun 2018

Hi! again. Update. At&t Mobile modem and TP-Link repeater passed the Steve Gibson UPNP test. But maybe disabling UPnP in each settings helped. And using encryption other than WEP. Of which WEP encryption is easy to hack. Thanks Bob for sending us to Gibson's website. It has been a while.


Posted by:

Sharon Gogan
24 Jun 2018

Do you recommend purchasing Steve Gibsons SpinRite 6.0 is NTFS.I had my computer hacked once. Called Apple from my phone and they where able to get rid of the problem. I use the free Malwarebytes and that is all for my Apple Air. It would probably make me feel a little safer. I really don't understand much about this subject but Bob and Steve seem to be the experts. I'm ready to purchase if it is what my computer could use. Thank you for all your advice


Posted by:

Sharon Gogan
24 Jun 2018

Do you recommend purchasing Steve Gibsons SpinRite 6.0 is NTFS.I had my computer hacked once. Called Apple from my phone and they where able to get rid of the problem. I use the free Malwarebytes and that is all for my Apple Air. It would probably make me feel a little safer. I really don't understand much about this subject but Bob and Steve seem to be the experts. I'm ready to purchase if it is what my computer could use. Thank you for all your advice


Posted by:

Sharon Gogan
24 Jun 2018

PS My computer passed the Steve Gibson UPNP test


Posted by:

Hill
24 Jun 2018

Steve Gibsons SpinRite 6.0 is for fixing hard drives. He has a money back guarantee if it doesn't work. He is awesome!


Posted by:

Deb Severson
24 Jun 2018

did the test and it came back ok. Thanks so much for all you do and for the developer of that test! I am so impressed with the info I get from you and am so happy someone gave me your site to get on your email list.


Posted by:

Willie
24 Jun 2018

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

That's good News


Posted by:

Sharon Gogan
24 Jun 2018

Spinrite doesnot work on Apple Computers😟.


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- UPnP - The (almost) Forgotten Vulnerability (Posted: 22 Jun 2018)
Source: https://askbobrankin.com/upnp_the_almost_forgotten_vulnerability.html
Copyright © 2005 - Bob Rankin - All Rights Reserved