Proof that UPnP on home routers is bad

January 14, 2008

I said it for years it is a bad idea to enable UPnP on systems that protects your local network and/or PC from the internet. With UPnP any program on you PC is able to open “firewall” ports on your home router without requiring a user interaction. UPnP may has its purpose at streaming media within a secure network, which I’m not totally convinced anyway, but letting any malicious or bad written program open your PC/network for the whole internet is plain stupid. Ok, this is all known for years – why now this post?

Some folks at GNU Citizen have created a flash swf file capable of opening open ports into your network simply by visiting an malicious URL. This is done via the UPnP functionality common home routers provide. As flash is installed on the majority of personal computers this is a significant attack vector, specially since a “flash ad” can be inserted quite easily into trusted websites or by hacking such a website.

As this is not a new thread I can just repeat my normal statement when it comes to setting up a home router:

  • Unbox
  • Throw the disk away
  • Plug in your machine, Turn on the router and navigate to the Web-GUI
  • Turn off UPNP
  • Change default name and password, set WPA-PSK
  • Check that remote management is disabled
  • ….


RSS feed for comments on this post. TrackBack URI

  1. I totally agree… UPnP was also one of the first things I deactivated on my router.
    As it happens, just after reading this blog-entry, there also appeared an article on heise about this issue:
    (german only)

    btw. if you plan on buying a new router. check that it is possible to run DD-WRT on it…
    The best router firmware out there…

    best regards from Taiwan 😉

    Comment by alex — January 15, 2008 #

  2. […] last week I posted about the UPnP attack vector on home routers and now Symantec is reporting active attacks on Mexican internet users. The purpose of this attack […]

    Pingback by Robert Penz Blog » Active attacks on home routers underway — January 23, 2008 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 36 queries. 0.060 seconds.