Universal Plug and Play


Frequently Asked Questions

This document answers the questions that are most frequently asked in relation to the UPnP security flaws. If you have any other questions, please direct them through the comments thread of this blog post and we will respond.

What do I need to know?

A number of security flaws have been discovered in Universal Plug and Play (UPnP), the protocol that lets network-enabled devices such as routers, printers, network-attached storage (NAS), media players and smart TVs discover and talk to each other. These flaws let a successful attacker remotely access data stored on affected devices, for example personal or business files backed up to a NAS. In some cases an attacker can get past the firewall and attack the machines behind it, such as personal computers.

Does this affect me?

Based on Rapid7’s research, approximately 40-50 million UPnP-enabled devices appear to be vulnerable to attack via these flaws, so there is a real possibility that you are affected. You can check whether your router exposes UPnP to the internet using this site. To check your internal exposure, use our free, easy-to-use tool, ScanNow for UPnP.

How easy is it for attackers to take advantage of these flaws?

At the moment it is fairly time-intensive and difficult to exploit the newly discovered flaws remotely. However, ready-made attack tools (“exploits”) for these flaws will likely be available soon, and once they are, taking advantage of the flaws will be easy. Finding potentially affected devices is not hard either: the devices are designed to be easy to discover, for example when you add them to your home network.

What can I do to protect myself?

The issues identified with UPnP are far-reaching and require action on the part of internet service providers (ISPs), business users, and home users.

Internet Service Providers

ISPs should review any equipment they provide to customers to verify that UPnP is not exposed on the WAN interface. If any of that equipment is affected, one of the following solutions should be considered:
  • Pushing a configuration update that disables UPnP across the subscriber base
  • Pushing a software update that removes UPnP capabilities from the device
  • Replacing customer equipment with a device that can be configured securely

The last option may be cost prohibitive at the scale of a subscriber base. An ISP with 5 million affected customers and an average device cost of $5 would be out $25 million in equipment alone, not counting shipping, delivery, testing, installation, and the customer support calls that would inevitably follow.

A short-term work-around is to block access to the UPnP services through access control lists on the WAN side:
  • Blocking inbound traffic on UDP port 1900 (SSDP) prevents exploitation of the SSDP-based attacks (the libupnp flaws)
  • Blocking inbound traffic on specific TCP ports (the HTTP/SOAP side of UPnP) is effective only if the vulnerable devices use a static port, so check which port your devices actually listen on before relying on it

Business users (enterprise and small businesses)

Enterprise organizations should verify that none of their external-facing devices expose UPnP to the internet. Rapid7 is providing a free UPnP detection tool called "ScanNow", as well as Metasploit modules that can detect vulnerable UPnP services. If any equipment is found to expose UPnP, the best option is to disable it; if that is not possible, replace the device with a model that allows UPnP to be disabled.

A short-term work-around is to block access to the UPnP services through access control lists:
  • Blocking inbound traffic on UDP port 1900 (SSDP) prevents exploitation of the SSDP-based attacks (the libupnp flaws)
  • Blocking inbound traffic on specific TCP ports (the HTTP/SOAP side of UPnP) is effective only if the vulnerable devices use a static port, so check which port your devices actually listen on before relying on it

Also note that many network devices inside the firewall are UPnP-enabled. Examples include network printers, IP cameras, storage systems, and media servers. Any device found to expose UPnP should be reviewed for potential security impact. If a device uses a vulnerable UPnP implementation, contact the vendor to determine their timeframe for an update. If the UPnP service cannot be disabled and the vendor has no update, it is prudent to segment the device from the rest of the network.
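The checks described above (“Does this affect me?”, the ScanNow and Metasploit detection in this section, and the review of internal devices) all come down to the same two questions: does a host answer an SSDP M-SEARCH on UDP 1900, and which UPnP stack and version does its SERVER header announce? The following Python script is an added example for this FAQ; it is not ScanNow, not a Metasploit module, and not code from the page. It sends one unicast M-SEARCH to a host, parses the reply, and flags libupnp and MiniUPnP versions that predate the fixes. The sample replies are constructed, not captured from real devices, and the libupnp fix threshold (1.6.18) is an assumption taken from the upstream project rather than from this page; the page itself only states that MiniUPnP fixed its issues in 1.4, so check both against the vendor lists linked later in this post.

```python
"""SSDP probe and UPnP-stack triage for a single IPv4 host.

Added example for this FAQ; not Rapid7's ScanNow or a Metasploit module.
The SAMPLE_* replies are constructed, and the libupnp fix threshold is an
assumption (upstream 1.6.18); MiniUPnP 1.4 is the figure stated in the FAQ.
"""
import re
import socket
import sys
from typing import Optional

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"

# A unicast M-SEARCH still carries the multicast HOST header; devices answer it directly.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    f"HOST: {SSDP_MCAST}:{SSDP_PORT}\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode("ascii")

# Earliest versions believed to carry the fixes (assumption for libupnp, see lead-in).
FIXED_IN = {"libupnp": (1, 6, 18), "miniupnp": (1, 4)}


def parse_ssdp_response(raw: bytes) -> dict:
    """Split an 'HTTP/1.1 200 OK' SSDP reply into a dict keyed by lower-cased header name."""
    head = raw.decode("latin-1", "replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP 200 reply: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def classify_server(server: str) -> dict:
    """Map a SERVER header to the UPnP SDK it names and whether that version predates the fix."""
    low = server.lower()
    patterns = (("libupnp", r"portable sdk for upnp devices/(\d+(?:\.\d+)+)"),
                ("miniupnp", r"miniupnpd?/(\d+(?:\.\d+)+)"))
    for sdk, pattern in patterns:
        m = re.search(pattern, low)
        if m:
            ver = m.group(1)
            return {"sdk": sdk, "version": ver, "vulnerable": _version(ver) < FIXED_IN[sdk]}
    # Anything else (custom stacks, older Intel SDK banners) gets no verdict here;
    # compare such banners with the vendor lists linked in this FAQ.
    return {"sdk": "unknown", "version": None, "vulnerable": None}


def triage(raw: bytes, peer: str) -> dict:
    """Combine the parsed reply from `peer` with the SDK verdict into one report."""
    headers = parse_ssdp_response(raw)
    report = {"peer": peer, "server": headers.get("server", ""),
              "location": headers.get("location")}
    report.update(classify_server(report["server"]))
    return report


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one M-SEARCH to host:1900 and triage the first reply; None if nothing answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(MSEARCH, (host, SSDP_PORT))
        data, (addr, _port) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return triage(data, addr)


# Constructed samples shaped like real replies (not captured from any device).
SAMPLE_LIBUPNP = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:12345678-1234-1234-1234-123456789abc::upnp:rootdevice\r\n"
    b"\r\n"
)
SAMPLE_MINIUPNP = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:12345678-1234-1234-1234-123456789abc::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: OpenWRT/AttitudeAdjustment UPnP/1.1 MiniUPnPd/1.7\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(probe(target) or f"{target}: no SSDP reply (UDP 1900 closed or filtered)")
    else:
        for sample in (SAMPLE_LIBUPNP, SAMPLE_MINIUPNP):
            print(triage(sample, "192.168.1.1"))
```

Run it against a LAN address to check internal exposure, and against your public address from a host outside your network to check internet exposure. After the UDP/1900 block from the work-around above is in place, the external probe should time out (`probe` returns `None`); that does not prove the TCP HTTP/SOAP port is blocked as well, which is why the second ACL bullet exists. The LOCATION header tells you which TCP port the device's HTTP/SOAP side listens on, so use it when deciding whether the "static port" rule is workable for a given model.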


Home and Mobile Users

Home and mobile PC users should make sure that UPnP has been disabled on their home routers and mobile broadband devices. The free ScanNow tool from Rapid7 can help identify affected devices. If a device does not provide a way to disable UPnP, contact the company that makes or sells it to see if an update is available that adds this capability. In the worst case, replace vulnerable equipment with devices that do not support UPnP, or at least ones that allow it to be disabled.


Is there no fix for this?

The challenge is that UPnP is implemented by a handful of software libraries that run on literally thousands of different types of devices (about 6,900 in fact), and there are multiple issues with those libraries. Fixes are available for the libraries, but the manufacturer of each affected device needs to take those fixes and build updates for every affected product. We don’t expect this to happen anytime soon. Your best bet is to disable UPnP or use devices that avoid it entirely.

How do I disable UPnP?

The process for disabling UPnP varies depending on the device, and more than 6,900 different types of devices are affected. We recommend you search the internet for “Disabling UPnP on [insert device name and model, which you should find on the device itself].” If this does not return useful information, we recommend you contact your device manufacturer, or in the case of routers, your internet service provider may offer some guidance.

You mention ISPs above. How are they involved?

In many cases ISPs give customers a router when they sign up for internet services. Many of these devices could be vulnerable to attack through the numerous flaws found in UPnP. Advice for ISPs in this situation is included above.

Which devices are affected?

Over 6,900 different devices are affected. You can test whether your devices are affected for free with ScanNow for UPnP. You can also browse lists of the types of devices affected by each of the three sets of security issues, as described below.

Portable SDK for UPnP Devices (libupnp)

The list for this set of issues was obtained by querying the device description (the XML document each UPnP device serves over HTTP) of approximately 1 million UPnP-enabled devices. The vendor, product, and version fields may not be accurate as a result of this method. Due to size constraints, the full list of vulnerable products has been placed online. Please follow this link to download the full list. See the CERT/CC bulletin for more information.

MiniUPnP

The list for this set of issues was obtained by querying the device description (the XML document each UPnP device serves over HTTP) of approximately 1 million UPnP-enabled devices. The vendor, product, and version fields may not be accurate as a result of this method. Due to size constraints, the full list of vulnerable products has been placed online. Please follow this link to download the full list. These issues were resolved in MiniUPnP version 1.4.

SOAP API Exposure

The list for this set of issues was obtained by querying the device description (the XML document each UPnP device serves over HTTP) of approximately 1 million UPnP-enabled devices. The vendor, product, and version fields may not be accurate as a result of this method. Due to size constraints, the full list of vulnerable products has been placed online. Please follow this link to download the full list. Please see the CERT/CC bulletin for more information.
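The SOAP API exposure class above is about the HTTP control endpoints listed in the device description being reachable from the internet at all, independent of any library bug. The following Python script is an added example for this FAQ, not code from the page, from Rapid7 or from any device vendor. It fetches a device description from a LOCATION URL, finds the WANIPConnection service's controlURL, and issues the read-only GetExternalIPAddress action: if a reply comes back, the SOAP control API is reachable from wherever the check runs. The sample description and SOAP reply are constructed, and the action is chosen because it changes nothing on the device.

```python
"""Confirm whether a UPnP device's SOAP control API answers from where this runs.

Added example for this FAQ; not code from the page, Rapid7 or any vendor.
SAMPLE_DESCRIPTION and SAMPLE_REPLY are constructed. Only the read-only
GetExternalIPAddress action is used, so nothing on the device is modified.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urljoin
from urllib.request import Request, urlopen

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"


def _local(tag: str) -> str:
    """Strip the XML namespace so lookups work whatever prefix the device uses."""
    return tag.rsplit("}", 1)[-1]


def find_control_url(description: bytes, location: str, service_type: str = WANIP) -> Optional[str]:
    """Absolute controlURL of the first <service> of service_type, or None if absent."""
    root = ET.fromstring(description)
    base = location  # relative controlURLs resolve against URLBase if present, else LOCATION
    for el in root.iter():
        if _local(el.tag) == "URLBase" and (el.text or "").strip():
            base = el.text.strip()
    for svc in root.iter():
        if _local(svc.tag) != "service":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in svc}
        if fields.get("serviceType") == service_type and fields.get("controlURL"):
            return urljoin(base, fields["controlURL"])
    return None


def soap_envelope(service_type: str, action: str, args: Optional[dict] = None) -> bytes:
    """Build the UPnP SOAP request body for `action` with simple string arguments."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in (args or {}).items())
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{body}</u:{action}></s:Body>'
        "</s:Envelope>"
    ).encode("utf-8")


def call_action(control_url: str, service_type: str, action: str,
                args: Optional[dict] = None, timeout: float = 5.0) -> bytes:
    """POST one SOAP action to the control URL with the headers UPnP requires."""
    req = Request(control_url, data=soap_envelope(service_type, action, args), method="POST",
                  headers={"Content-Type": 'text/xml; charset="utf-8"',
                           "SOAPAction": f'"{service_type}#{action}"'})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()


def parse_external_ip(reply: bytes) -> Optional[str]:
    """Pull NewExternalIPAddress out of a GetExternalIPAddressResponse envelope."""
    root = ET.fromstring(reply)
    for el in root.iter():
        if _local(el.tag) == "NewExternalIPAddress":
            return (el.text or "").strip()
    return None


def check_soap_exposure(location: str) -> dict:
    """Fetch LOCATION, find WANIPConnection, call GetExternalIPAddress; a reply means exposed."""
    with urlopen(location, timeout=5) as resp:
        description = resp.read()
    control = find_control_url(description, location)
    if control is None:
        return {"location": location, "control_url": None, "soap_reachable": False}
    reply = call_action(control, WANIP, "GetExternalIPAddress")
    return {"location": location, "control_url": control, "soap_reachable": True,
            "external_ip": parse_external_ip(reply)}


# Constructed sample description in the shape of an Internet Gateway Device (not a real device).
SAMPLE_DESCRIPTION = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example Gateway</friendlyName>
    <manufacturer>ExampleCo</manufacturer>
    <deviceList><device><deviceList><device>
      <serviceList><service>
        <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
        <controlURL>/ctl/IPConn</controlURL>
      </service></serviceList>
    </device></deviceList></device></deviceList>
  </device>
</root>"""

# Constructed sample SOAP reply (not captured from a device).
SAMPLE_REPLY = (
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetExternalIPAddressResponse xmlns:u="' + WANIP.encode() + b'">'
    b"<NewExternalIPAddress>203.0.113.5</NewExternalIPAddress>"
    b"</u:GetExternalIPAddressResponse></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_soap_exposure(sys.argv[1]))
    else:
        print(find_control_url(SAMPLE_DESCRIPTION, "http://192.168.1.1:49152/rootDesc.xml"))
        print(parse_external_ip(SAMPLE_REPLY))
```

Run `check_soap_exposure` from outside your network against the LOCATION URL a WAN-side SSDP probe returned. One caveat: the LOCATION a device hands out often names its private LAN address even when answering on the WAN side, so substitute the public IP and keep the port. A reply here is exactly the condition the SOAP API exposure list describes, and it is unaffected by blocking UDP 1900 alone; only blocking the TCP port (or disabling UPnP) removes it.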