UPnP, Vulnerability As A Feature That Just Won’t Die

UPnP — in a perfect world it would have been the answer to many connectivity headaches as we add more devices to our home networks. But in practice it the cause of a lot of headaches when it comes to keeping those networks secure.

It’s likely that many Hackaday readers provide some form of technical support to relatives or friends. We’ll help sort out Mom’s desktop and email gripes, and we’ll set up her new router and lock it down as best we can to minimise the chance of the bad guys causing her problems. Probably one of the first things we’ll have all done is something that’s old news in our community; to ensure that a notorious vulnerability exposed to the outside world is plugged, we disable UPnP on whatever cable modem or ADSL router her provider supplied.

YouTube Shenanigans

Turning off the enabled-by-default UPnP in an older BT HomeHub pulled from the surplus router pile.
Turning off the enabled-by-default UPnP in an older BT HomeHub pulled from the surplus router pile.

You would think that with an inglorious history of UPnP exploits the days of routers automatically having it enabled would be behind us, but we’ve had a reminder from an unexpected source that this may not be the case. YouTube stars PewDiePie (controversial Swedish game reviewer and comedian) and T-Series (Indian record label) are duking it out for the coveted crown of most annoying most subscribers.  Fans of the Swede have it seems turned to nefarious tactics, first spamming the world’s exposed network printers, and most recently playing his videos on countless connected media players and televisions. It’s here that we meet once more our old friend UPnP, because in the most widely publicised of these attacks it is used by the miscreants as a vulnerability through which they can access Google’s Chromecast players.

Peeling Away the So-Called Hack

The media are of course reporting it as the work of elite hackers, no doubt wearing hoodies and dark glasses while feverishly banging out code on a green screen monitor. The truth is a little less glamorous and lies in a fortuitous confluence of wide open doors, owing more to simply taking up an opportunity gifted to them than it does to any notion of 1337 5k1lz. To unpick it we need to stand back and take a look at the protocols involved.

We know what hackers look like because the BBC had some on the telly just before Christmas!
We know what hackers look like because the BBC had some on the telly just before Christmas!

Universal Plug And Play is a protocol designed to ensure that networked devices for the home automatically discover each other and Just Work. Its intent is to free a non-technical home user from manual network configuration, and it does so by allowing devices to announce themselves with a standard XML device description containing information on their capabilities and the URLs required to access them. By its very nature it is a wide-open protocol with little in the way of security, instead it relies upon being connected to private home networks.

Many routers have historically enabled UPnP access to the Internet by default, meaning both that vulnerabilities within it can be exploited, and that devices with poor security can use it to request open ports to the outside world. The solution comes in turning off UPnP access in the router as we mentioned above, but sadly even this step is beyond most home users. Regular Hackaday readers will recall our reporting upon this topic before, the last time it made the more general news services.

Sure, Anyone Can Use My TV!

The BishopFox RickMote automated Chromecast hijacker from 2014. (GPL3.0)
The BishopFox RickMote automated Chromecast hijacker from 2014. (GNU GPL 3.0)

Behind this relatively weak line of defence lies the Chromecast. A convenient way to network your television using your phone or tablet as a client, it owes its ease of use to UPnP and is thus very straightforward to persuade to play a YouTube video for anyone with access to the network on which it sits. There is nothing new in exploiting it, so breathless media descriptions of an uber-hack are misplaced.

Given that so many home routers still have UPnP enabled and that a connected television is no longer the cutting-edge oddity it might have been a few years ago, it’s likely that the PewDiePie videos are but the thin end of the wedge. In the printer story linked above, our colleague Tom Nardi quipped an emerging industry of shady companies offering so-called printer advertising, add invasive advertising on the connected TV space to that undesirable future vision. When this happens we will no doubt see a lot of indignation, but the sad truth is that beyond pressing for as many people as possible to close down UPnP on their routers there is likely to be little that can be done about it.

Manufacturers often do not care about their obsolete products so are unlikely to release firmware updates fixing the problem on affected routers, and even if they did produce such updates there would in most cases be a requirement for them to be installed manually. We’d like to think that currently shipping routers do not have UPnP enabled by default and that a few years of hardware replacement cycles would make the problem disappear, but we have no evidence this is the case and somehow we suspect that might be a little much to hope for. Meanwhile all we can do is make as much noise about it as possible, keep the routers around us up-to-date and as secure as we can, and look smug-as-heck next time the story breaks into the public consciousness.

Header image: First-generation Chromecast, Ericajoy (CC BY-SA 2.0) .

24 thoughts on “UPnP, Vulnerability As A Feature That Just Won’t Die

  1. Since learning about this issue, I’ve been trying to find a way to disable UPnP and still use my Chromecast. Chromecast docs say that I must have UPnP enabled. Any way around this? Do I need to manually forward ports?

      1. (Oops reported comment above ment to hit reply admins ignore that)

        I can report same here. I’ve got 2 chromecast running in my home network (OpenWRT) and I disabled UPnP years ago. With that said I think the chromecast came first then OpenWRT then disabeling UPnP so it’s possible you need it enabled for a few seconds for chromecast to punch holes in the router ports and then you can disable UPnP.

        1. Possibly they say this because if my routers firewall was to be reset by something (firmware upgrade?) then the device would stop working until I re-enabled UPnP? It’s also possible Google just has no idea how their own product works or what people use it for / want from it. As can be seen by their constant removal and addition of products that are effective duplication of other things they offer.

    1. Most router I’ve used so far don’t allow UPnP to pass through the WAN. So while this might have been true in 2000 or so, you should be pretty safe now. Typically, a well made router will accept UPnP request to open port when it comes from your LAN (inside your network), and ignore such request when it comes from the wild wild web.
      In that case, unless one of you device is hacked by any other mean (and in that case, UPnP is the least of your issue), UPnP is not an issue.
      Please notice that UPnP is based on multicast UDP packet that are never allowed in the Internet, so their is no way for an attacker to enumerate your device from outside, he can only *guess* (unless you have a broken router, see below for testing them).

      One very simple way to check this is to emit a UPnP “open port” request to your public IP address from the internet (not your LAN obviously). Then run a port scanning from the internet on your public IP address. If the requested port is open, your router UPnP implementation is broken and should be disabled.

      You can use many online service that can do this scan for you:
      https://www.grc.com/x/ne.dll?rh1dkyd2
      https://www.speedguide.net/portscan.php?udp=1&port=1900
      And you can test the usual TCP (bad) implementation of UPnP for bad router (on port 5431, 2048, 2869, 1900)
      https://www.grc.com/x/portprobe=5431

      By the way, if you plug unknown device on your LAN network, it *can* ask to open a port. That’s not a problem per se if the device is correctly secured. If you don’t want this behavior, the device *must* allow to disable UPnP and let you open a port by yourself. If it does not, you should return the device since it’s badly coded and in that case, I wouldn’t trust its security on my network.

      Also, when you unplug the device, you should go to the router’s open port page to ensure that no port where left opened.

    2. Yeah, this article doesn’t seem to point out internal vs external UPnP. Internal to your network, UPnP is great because stuff just works. For some crazy reason UPnP used to be able to be configured from the external network.

  2. “We’d like to think that currently shipping routers do not have UPnP enabled by default”…

    Why would a Chinese manufacturer disable UPnP? They are probably owned by their government, which has a vested interest in remote access to computer networks around the world.

  3. I still don’t get how they did this!

    I know you can punch holes in the firewall, using UPnP. But you can only punch these hole if you are (already) inside the private network. So you can use it as an escalation tool.

    1. If your are already inside, there is no need of UPnP anymore, any UDP based hole punching will work. The only way they could have done this is if their router is accepting UPnP request from the WAN which is… dumb… but not impossible.

  4. You are confusing UPNP, DLNA and multicast in this article. UPNP (router) = automatic port forwarding. DLNA = control of media servers and displays in network. multicast = discovery of devices in network. Besides chromecasts don’t use and work just fine without UPNP, like with an OpenWRT or pfSense router.

    1. So make one vulnerable system rely on another proven vulnerable system. Can’t see anything going wrong with that…

      More to the point, the physical security aspect has already been covered by the fact you put the thing on your network and went through the pairing/setup routine. It’s not like we’re talking about a rogue device here.

  5. I ❤ UPnP. Turning it off may well be the best thing to do if you have certain
    insecure devices, but it’s still a hack, and UPnP or something like it is very much needed for reliable P2P stuff.

    If there’s malware or a security bug INSIDE your network already, well then you’re already hosed, and any problems are the fault of the malware or the bug. The real problem here is manufacturers making closed source stuff we can’t update, and then not updating it themselves either.

    UPnP is only supposed to be controllable from within the network (Although a few routers could be controlled extrernally, again due to a bug).

    Same as any security story. More lines of code is more ways for the bad guys to get in, but I’m pretty sure far more people have had their ink cartridge randomly dry up than have had their ink wasted by a hacker.

    1. If you already inside you still want to restrict the damage that can be done. Also untrusted device should use a guest VLAN (and WLAN). Typical a guest vlan has only access to HTTP(s) and DNS and no way to other critical devices on the network (separate VLAN) nor you want the device to add portforwards to internal services (like a NAS).

      security isn’t just one layer it is multiple layers. Just like the bank, they have a lock on the frontdoor, a lock on the door to the offices and a separate room with a big vault with another big lock. Once inside the bank you still need to gain access to the offices and the vault. even if you walk alogn with a person inside the offices there is a still a locked vault. But be sure the vault hasn’t any windows or weak plasterwalls :)

  6. If device doesn’t allow you to manually set port which it will use and insists on uPnP I’d throw that device in the trash because it’s poorly designed and it’s developers think that their convenience and laziness is more valuable than your security.

    1. I don’t know how to tell you this, but the vast majority don’t allow this. So I’m guessing you don’t own any Internet-connected consumer tech from the last decade or so.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.