Page 1 of 2 12 LastLast
Results 1 to 15 of 19
  1. #1
    Gold Lounger Roderunner's Avatar
    Join Date
    Dec 2009
    Location
    Scotland.
    Posts
    3,462
    Thanks
    16
    Thanked 216 Times in 183 Posts

    Exclamation UPnP networking flaw puts millions of PCs at risk

    Hi Loungers,

    Security researchers say that the danger stems from widely used technology found in routers and other standard networking equipment.
    Source http://news.cnet.com/8301-1009_3-575...f-pcs-at-risk/
    O wad some Power the giftie gie us, to see oursels as ithers see us!

  2. #2
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    UPnP has always been a security risk. I have always disabled it on my routers, during their initial configuration.

  3. #3
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,199
    Thanks
    48
    Thanked 986 Times in 916 Posts
    Steve said it was dodgy years ago.
    http://www.grc.com/unpnp/unpnp.htm

    cheers, Paul

  4. #4
    Silver Lounger
    Join Date
    Oct 2012
    Posts
    2,335
    Thanks
    13
    Thanked 267 Times in 260 Posts
    Well, it's new to Charlie, the article's author; she looks a little wet behind the ears yet.

  5. #5
    Ken Kashmarek
    Guest
    What about other network devices that have UPnP turned on?

    One such example is the Connected Data kickstarter project, Transporter (http://www.filetransporter.com/).

    From its list of FAQs:
    ------------------------------------------------------------------
    "What are the network requirements for using a Transporter?
    • ...you need a router with an available Ethernet port (RJ45), and that router must be properly connected to the Internet. ... The router needs to have DHCP turned on, as well as either UPnP or NAT-PMP. ..."
    -------------------------------------------------------------------

    I believe there are many network shared devices that may fail if the UPnP feature of the router is turned off. Which makes one wonder, why are these "suspect" features being placed on network components, when such features can be used to enable private networs to be compromised?

    I have disabled UPnP on my router, and everything is still working as expected, but then I have no devices or dependencies on the router UPnP feature. However, the Connected Data kickstart project may be in jeoporady if UPnP is not available (though they can use NAT-PMP, that capability may have the same issues as UPnP).

  6. #6
    WS Lounge VIP mrjimphelps's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    3,411
    Thanks
    447
    Thanked 405 Times in 377 Posts
    Quote Originally Posted by Ken Kashmarek View Post
    What about other network devices that have UPnP turned on?

    One such example is the Connected Data kickstarter project, Transporter (http://www.filetransporter.com/).

    From its list of FAQs:
    ------------------------------------------------------------------
    "What are the network requirements for using a Transporter?
    • ...you need a router with an available Ethernet port (RJ45), and that router must be properly connected to the Internet. ... The router needs to have DHCP turned on, as well as either UPnP or NAT-PMP. ..."
    -------------------------------------------------------------------

    I believe there are many network shared devices that may fail if the UPnP feature of the router is turned off. Which makes one wonder, why are these "suspect" features being placed on network components, when such features can be used to enable private networs to be compromised?

    I have disabled UPnP on my router, and everything is still working as expected, but then I have no devices or dependencies on the router UPnP feature. However, the Connected Data kickstart project may be in jeoporady if UPnP is not available (though they can use NAT-PMP, that capability may have the same issues as UPnP).
    Not sure I'd want to install the Transporter on my network. From their website:

    What makes Transporter truly unique is the ability to communicate and share files in a peer-to-peer fashion with computers and other Transporter devices located anywhere in the world. This ability eliminates privacy concerns, recurring fees, and all complexity associated with syncing files over the Internet. In other words, a storage solution finally designed to match our modern, social lifestyles.
    The Transporter looks like a hacker's dream, especially if you have UPnP enabled on your router.

    In all fairness, I haven't researched the Transporter at all; I simply gave my first impression after reading the above from their main web page.

  7. #7
    Silver Lounger
    Join Date
    Oct 2012
    Posts
    2,335
    Thanks
    13
    Thanked 267 Times in 260 Posts
    I don't think most will fail after they've configured themselves with the allowance provided by UPnP. Only new devices or programs that require port forwarding or politely close a port after use will fail without manual port forwarding.
    Also, even though you've disabled UPnP one should still visit Shields UP and test the router. This latest threat is specifically more intent on revealing WAN side access, not LAN side (which has been known about for a long time) and a small percentage of routers have been failing the test even though UPnP is disabled.

  8. #8
    Silver Lounger
    Join Date
    Oct 2012
    Posts
    2,335
    Thanks
    13
    Thanked 267 Times in 260 Posts
    Transporter sounds a lot like Gbridge and now they have Google Apps support so that takes it mobile in the Android world at least. I back up about 3 terabytes using Gbridge at the present, completely free...for the moment at least.

  9. #9
    Ken Kashmarek
    Guest
    Apparently, the Collected Data Transporter is routinely contacted by their server, to ascertain the status of the device, space usage, health of the device, and potentially for updates (that could be a busy server farm if millions of these devices are deployed). In other words, the device must always be available to the Internet (or the Internet must always be available to the device; it can't be used exclusively as a LAN device not accessible to the Internet).

    I expect that Collected Data must resolve how well their product will do in a market that constrains the use of UPnP. I have a router configuration that employs a USB attached disk drive in an external enclosure, and it is able to work LAN only or LAN and Internet connected (thus far, without UPnP I believe). Of course, it doesn't have the advertised privacy or security espoused by the Transporter (the supposed peer to peer abilities, which seems an oxymoron for the Transporter since it routinely communicates with a central based server).

    The Transporter has an onboard LINUX OS to manage the interactions and the disk is formatted as a LINUX File System. Apparently, a host computer based Connected Data application is necessary to access files on the Transporter. I expect that to be similar to how TrueCrypt provides access to encrypted volumes on your computer.

    What other devices and/or facilities fall prey to the UPnP vulnerability?

  10. #10
    New Lounger
    Join Date
    Dec 2009
    Location
    chicago,il
    Posts
    15
    Thanks
    0
    Thanked 0 Times in 0 Posts

    WAN side UPnP

    i think you guys are missing the point. this is a newly discovered defect in that UPnP is exposed on the WAN side of ~81 million devices [mostly routers] . No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network. turning off UPnP on the LAN side is a good idea, but does nothing to mitigate this defect. see https://www.grc.com/x/ne.dll?bh0bkyd2 for more detail.

  11. #11
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    4,753
    Thanks
    171
    Thanked 651 Times in 574 Posts
    Quote Originally Posted by alk444 View Post
    i think you guys are missing the point. ... turning off UPnP on the LAN side is a good idea, but does nothing to mitigate this defect.
    Did someone suggest that?

    Bruce

  12. #12
    New Lounger
    Join Date
    Dec 2009
    Location
    chicago,il
    Posts
    15
    Thanks
    0
    Thanked 0 Times in 0 Posts
    yes. ruirib and F.U.N. downtown.

  13. #13
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Quote Originally Posted by alk444 View Post
    i think you guys are missing the point. this is a newly discovered defect in that UPnP is exposed on the WAN side of ~81 million devices [mostly routers] . No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network. turning off UPnP on the LAN side is a good idea, but does nothing to mitigate this defect. see https://www.grc.com/x/ne.dll?bh0bkyd2 for more detail.
    Did you read the original article?

    In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.
    Disabling UPnP doesn't allow the security flaw to be exploited. What else do you want?

  14. #14
    Ken Kashmarek
    Guest
    Quote Originally Posted by ruirib View Post
    Did you read the original article?



    Disabling UPnP doesn't allow the security flaw to be exploited. What else do you want?
    What is probably necessary is that vendors stop shipping devices that "require" UPnP enabled. For example, the Collected Data Transporter requires UPnP to be enabled to find the devices on the network. As such, these products may engender a desire in consumers for their function and put them at risk for being exploited (Transporter is probably not the only devices as such; I use it as an example).

    From a vendor, I requested a guarantee, under pain of damages, that their device was private and secure, as they promoted. They would not and essentially ignored the question.

  15. #15
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    12,519
    Thanks
    152
    Thanked 1,398 Times in 1,221 Posts
    Quote Originally Posted by Ken Kashmarek View Post
    What is probably necessary is that vendors stop shipping devices that "require" UPnP enabled. For example, the Collected Data Transporter requires UPnP to be enabled to find the devices on the network. As such, these products may engender a desire in consumers for their function and put them at risk for being exploited (Transporter is probably not the only devices as such; I use it as an example).

    From a vendor, I requested a guarantee, under pain of damages, that their device was private and secure, as they promoted. They would not and essentially ignored the question.
    I was just replying to the implication made by someone who didn't even read the article in full. My router has UPnP disabled and does not reply to UPnP inquiries regardless of where they come from. I have no reason to think other routers are different. So I didn't imply anything, I stated unequivocally that disabling UPnP in my router removes any UPnP security risk. The recent article also implies that. In the two routers I have owned, this disabling made UPnP access impossible, from anywhere.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •