UPnP - The (almost) Forgotten Vulnerability
It was an awkward moment in 2006 when one of the most useful and popular networking features ever invented was discovered to also be very useful to hackers. Some vendors got busy on the problem, improving their products and making them more difficult for bad guys to exploit. But hundreds more deliberately ignored the threat. Read on to find out if you are exposed to the UPnP (Universal Plug-N-Play) vulnerability...
UPnP: Are You Exposed?
Router manufacturers who decided to do nothing when alerted to the UPnP problem said “We haven’t seen any evidence that hackers are actually exploiting this vulnerability, so we’re not going to do anything about it.” They were wrong.
Now we have plenty of evidence that hackers are exploiting Universal Plug-n-Play (UPnP) to conceal vast botnets of compromised routers and other Internet of Things (IoT) devices. Akamai, the global content distribution network, has published findings of its research into UPnP exploits, and the results surprise and concern many security experts.
Just as you may not recall the dark age before home refrigerators defrosted themselves, it’s common to forget the nightmares of home computing before Universal Plug-n-Play. Getting a PC and a new printer to work together might take an entire morning of fiddling with drivers, print spool servers, and other obscure things. With UPnP, you just connect a new printer to a PC with a USB cable and let the two devices work things out on their own. “Plug and play” is so taken for granted now that it hardly merits a line in a list of product features.
UPnP is a networking protocol that helps newly installed devices configure themselves and communicate with other devices on a LAN – a local area network such as your home network. UPnP also enables devices to automatically open or close the ports that are necessary for such communications. These UPnP features are widely implemented on consumer routers.
In 2006, researcher Armijn Hemel discovered that some vendors were improperly implementing UPnP in ways that enabled devices on the WAN (wide-area network, e.g., the Internet) to interact with devices on the LAN (e.g., your home network) without the permission of any human network administrator. Obviously, that’s not what you want (unless you’re a hacker).
Subsequent research sought to determine the scope of this problem. In 2013, it turned out to be more than 1,500 vendors, representing thousands of device models and more than 80 million vulnerable installed devices. “Awkward,” indeed!
UPnP, Proxy Servers, and the Men In Black
Akamai discovered about 65,000 UPnP-vulnerable routers that have been compromised in a unique way. Hackers have inserted bogus entries into the Network Address Translation (NAT) tables of these routers. The bogus entries turn the routers into proxy servers.
Bear with me: the next paragraph is a little bit geeky, but it explains why you don't want your router to act as a proxy server. (You may also want to view the video embedded here to get an explanation of the UPnP problem from security guru Steve Gibson.)
A remote hacker can send a command to a compromised port on a router and it will be passed along to either an internal IP address on the LAN or an external IP address on the Internet/WAN. In the former case, the hacker may gain full control of a machine on the LAN. In the latter case, the destination address out on the Internet may be the target of a hacker’s attack or another “UPnProxied” router, ready to further obscure the true origin of the command. Chains of proxies may be hundreds or thousands of compromised routers long, making it impossible to track the bad actors down.
If a cyber-attack appears to come from your home router, the FBI may soon spoil your day. (The Men In Black have been known to open doors without knocking.) While you try to explain that you know nothing about that international bitcoin hacker gang, the bad guys move their nefarious activity to another router on their proxy network.
The UPnProxy exploit can also expose a router’s administrator console to an attacker out on the Internet, even if the router has been configured not to allow remote access. The exploit makes it appear to the router that the entity trying to log in to the administrator console is on the home network/LAN even though it is not.
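Here is an added, defender-side check (my own example, not code from the article or from Akamai's report) that parses a router's UPnP port-mapping entries and flags the two patterns just described: a mapping whose internal client is an address outside the LAN (the UPnProxy forwarding trick) and one that points at the router's own web admin port. It assumes a home LAN of 192.168.1.0/24 with the gateway at 192.168.1.1; the SOAP responses are constructed samples in the standard WANIPConnection:1 format.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "u": "urn:schemas-upnp-org:service:WANIPConnection:1"}

# Shape of a GetGenericPortMappingEntryResponse as an IGD router returns it.
# The entries built from it below are constructed samples, not captures.
TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="{s}"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{u}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

def sample(client, ext, iport, proto="TCP", desc="test"):
    return TEMPLATE.format(s=NS["s"], u=NS["u"], ext=ext, proto=proto,
                           iport=iport, client=client, desc=desc)

SAMPLE_RESPONSES = [
    sample("192.168.1.10", 25565, 25565, desc="game server"),  # normal LAN mapping
    sample("203.0.113.77", 8443, 443, desc="node"),            # forwards to the WAN
    sample("192.168.1.1", 8080, 80, desc="remote mgmt"),       # router admin exposed
]

def parse_mapping(xml_text):
    """Return the fields of one GetGenericPortMappingEntry response as a dict."""
    root = ET.fromstring(xml_text)
    resp = root.find("s:Body/u:GetGenericPortMappingEntryResponse", NS)
    return {child.tag: (child.text or "") for child in resp}

def audit_mappings(xml_responses, lan_cidr, gateway_ip, admin_ports=(80, 443)):
    """Flag mappings that proxy to the Internet or expose the admin console.

    Returns a list of (external_port, internal_client, reason) tuples."""
    lan = ipaddress.ip_network(lan_cidr)
    gateway = ipaddress.ip_address(gateway_ip)
    findings = []
    for xml_text in xml_responses:
        m = parse_mapping(xml_text)
        client = ipaddress.ip_address(m["NewInternalClient"])
        ext, iport = int(m["NewExternalPort"]), int(m["NewInternalPort"])
        if client not in lan:
            findings.append((ext, str(client), "forwards outside the LAN (UPnProxy)"))
        elif client == gateway and iport in admin_ports:
            findings.append((ext, str(client), "exposes the router admin console"))
    return findings
```

On a real gateway you would collect the responses by POSTing GetGenericPortMappingEntry to the IGD control URL with NewPortMappingIndex 0, 1, 2, ... until the router answers with UPnP error 713 (SpecifiedArrayIndexInvalid), then feed them to audit_mappings.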
A UPnProxy network can serve the nefarious needs of other botnets, disguising the origins of DDoS (distributed denial of service) attacks or massive brute-force password cracking campaigns. It may hide the sources of spam or malware, phishing sites and “poisoned” sites where visitors get a silent download of malware. State-sponsored intelligence agencies may use the UPnProxy technique to hide their online shenanigans.
Then there are the good uses for UPnProxy. Akamai found one proxy network being used to allow Chinese Internet users to evade their nation’s Great Firewall and connect to news and other information offered by the outside world. Dissidents also use the proxy network to organize and communicate undiscovered by their repressive governments. But mostly, the UPnP vulnerability is a gigantic, scary problem.
What Can You Do?
Discovering whether your own router is UPnP-compromised is a geeky task beyond the skills of most consumers. One option is to check Akamai’s list of 400 router models from 73 vendors (buried in its report) that Akamai’s researchers have identified as exposing UPnP services via the Internet, indicating they may be vulnerable to attacks.
Or you could use Steve Gibson's Universal Plug n'Play (UPnP) Internet Exposure Test. To do so, go to the ShieldsUP! page, click the Proceed button, and then click the big orange button that says GRC's Instant UPnP Exposure Test.
If the results indicate that your router is exposed, you should take action. If your ISP provided the router, ask them to update the firmware or replace it. If you purchased the router, you should consider doing likewise.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 22 Jun 2018
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- UPnP - The (almost) Forgotten Vulnerability (Posted: 22 Jun 2018)