DHS Makes It Official - Disable UPnP On Your Router

About time!

http://news.yahoo.com/exclusive-res...d-networking-gear-bugs-053410358--sector.html

 

If you disabled every vulnerable part of the internet, network capability and so on, you wouldn't be able to do jack. Not that I'm blowing the risk off, but good God, if a hacker wants in that bad, it won't matter what you harden or disable, he/she will get in. Why bother going through UPnP when Java exploits are still going strong and Oracle is all but inviting hackers to rip it to shreds. And why "About time!"? Is the situation more real or more serious when a government agency chimes in? Lol, it's a bit amusing that Linksys tells you to visit their website to see about affected devices...and the damn links on the site are broken and can't be clicked.

 

I can't agree with your assessment. Java can be installed and used, yet still be disabled by default in the browser. UPnP is turned on by default in way too many devices. Shortly after an earlier fiasco involving UPnP being exploited via flash, I turned it off on all my hardware, plus made specific rules for it in the firewall that both block it and alert me to any attempt to use it. Allowing a java exploit is at least partially a user mistake that a user can mitigate. UPnP doesn't require user interaction in order to be exploited. UPnP has no business being exposed to the internet. If the hardware vendors can't implement it properly, it needs to be disabled completely.

That utility that Rapid7 released to identify vulnerable devices has its own problems. First it needs java. Second, it connects out to way more sites than can be justified for registration purposes, which shouldn't be necessary either. These included:
74.125.226.226 thru 74.125.226.232, 5 different IPS.
208.111.135.24
208.67.220.220 Open DNS
8.8.8.8 Google DNS? which I don't use
204.232.250.209
74.125.133.95
There may be more but I killed the process at this point.

The online version they released for those who have a problem with the first versions need for java didn't work on my system.

 

My Router has UPnP disabled by "Default". I have had the Router for a couple of years and have not ran across any issues with having UPnP disabled.

 

Yes disable it, it is no good.

 

You clearly do not understand UPnP, or the advantages of automatically opening and closing ports on-demand. I wonder how many people that manually open ports ever bother closing them.

 

When a modem or router is manually forwarded to the PC and the app or service on the PC that used that port isn't running, that port is still closed to inbound traffic. I have ports forwarded on my modem and firewall for Tor. If Tor isn't running, those ports show closed when scanned.

The port forwarding on the modem/firewall/router can be made address specific, making it closed to all of the web except the IPs that require it. A software firewall on the PC can also restrict traffic to that port to a specific application or service.

In either case, it's safer than having malware or an exploited application opening that port without the user knowing it.

 

Having a port come up as closed is a massive "I actually exist" sign. If I run Tor the ports will be automatically opened, when I close Tor the ports will be automatically closed. This is superior to manually creating permanently open ports, whether software is listening to them or not.

Using the logic "disable it incase malware exploits it" is flawed, why not apply that to all software you use? Disable flash, disable your browser, disable your AV.

The only issue here is that some router vendors have a flawed implementation of UPnP that needs patched.

 

Stealthed is little more than an illusion. Closed is as secure as a port gets. When a port is forwarded on a router/modem/firewall, the port on the PC is visible from the web. If nothing is listening on that port, it appears closed just as it would if it were blocked by the router or firewall. With most PCs connected 24/7 on semi-permanent IPs, an attacker doesn't need to see a closed port to know you exist.

The browser, flash, and most software do not open ports thru your external devices and allow unwanted inbound connections. IMO, the convenience of UPnP is outweighted by the additional exploitable attack surface it creates.

 

If an attacker is randomly scanning IPs for ports and suddenly encounters a closed one it's an encouragement to probe that IP further, stealthed is not an "illusion" lol. It's a simple matter of appearing invisible to any potential attackers. It's the difference between showing someone your house and the locked door to try and crack open vs that person not even knowing you exist.

Oh please! You're acting as if exploitation is UPnP's sole purpose. It's EXACTLY the same as any other software program. I'll repeat myself again:

"The only issue here is that some router vendors have a flawed implementation of UPnP that needs patched."

 

Steve Gibson has added a test for router UPnP at his website grc.com. Go to the Shields Up section ( https://www.grc.com/x/ne.dll?bh0bkyd2 ) and proceed to run the test to see if you router is vulnerable. Thumbs up for Steve.

 

Nice! Thanks for the link. Apparently I'm not vulnerable (no surprise as this apparently affects only 2% of the IPv4 address space).

I also discovered the security now video about the issue through that link, quite interesting:
https://www.youtube.com/watch?v=wEa43qM4JjQ

 

Thanks for that information. I just ran the test on a router that has UPnP enabled, and it passed the test. I'd suggest anyone that is concerned run this test before just disabling it.

 

If you have UPnP enabled, then malware/hacker tools can use it to open ports as there is no whitelist of apps that is allowed to use that feature. I'd say that to have defence in depth, it would be better to disable UPnP.

 

This issue is currently being heavily debated in security circles, organizations, etc - this older article cites *some* of the key points and issues but does not offer any solid recommendations as to what to stop via Windows Services

http://arstechnica.com/security/2013/01/to-prevent-hacking-disable-universal-plug-and-play-now/

Some schools of thought are of the opinion that the below is the best corrective action:

DO NOT DO THIS AT HOME UNLESS YOU ARE FULLY AWARE OF THE IMPACT OF STARTING OR STOPPING WINDOWS SERVICES

 

No offense siljaline but sometimes I have to wonder where you're getting this flawed information. Just a month ago you recommended ATI users disable an important ATI service which was utter nonsense.

Now once again you're recommending people break SSDP discovery, used by many network devices, because of something that has nothing to do with Windows. It is even dumber advice than recommending to disable UPnP and should NOT be followed.

Seriously? You HONESTLY think you should disable UPnP just incase you're infected with malware. Boy, you have far bigger issues than just UPnP if you're infected, they can already do whatever they want with your PC...

You should probably also consider disabling your Internet Connection just incase you become infected and start DDoSing people...

 

It was someone from DHS that made this valid observation after much consternation that is still ongoing in the security community, geez, if you'd like to dispute, back it up with fact.

Ehh,,, an unneeded service that many were not running or did not require.
Again - back that statement up with fact. ATI aka AMD GPU's are inherently buggy - why run background services if ya don't have to.

 

Thread: AMD warns of security hole in its Catalyst Control Center
https://www.wilderssecurity.com/showthread.php?t=338243
In reference to elapsed statements made in this thread although unrelated - for clarification.

 

With UPnP and any other service or app that opens ports for incoming connections, if you don't specifically need it, it shouldn't be running. Reducing your attack surface is one of the best things you can do to secure your system.

 

Here's a good article for those needing it:

http://www.zdnet.com/how-to-fix-the-upnp-security-holes-7000010584/