DHS Makes It Official - Disable UPnP On Your Router

Discussion in 'other security issues & news' started by itman, Jan 30, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  2. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    If you disabled every vulnerable part of the internet, network capability and so on, you wouldn't be able to do jack. Not that I'm blowing the risk off, but good God, if a hacker wants in that bad, it won't matter what you harden or disable, he/she will get in. Why bother going through UPnP when Java exploits are still going strong and Oracle is all but inviting hackers to rip it to shreds. And why "About time!"? Is the situation more real or more serious when a government agency chimes in? Lol, it's a bit amusing that Linksys tells you to visit their website to see about affected devices...and the damn links on the site are broken and can't be clicked.
     
    Last edited: Jan 30, 2013
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't agree with your assessment. Java can be installed and used, yet still be disabled by default in the browser. UPnP is turned on by default in way too many devices. Shortly after an earlier fiasco involving UPnP being exploited via Flash, I turned it off on all my hardware, plus made specific rules for it in the firewall that both block it and alert me to any attempt to use it. Allowing a Java exploit is at least partially a user mistake that a user can mitigate. UPnP doesn't require user interaction in order to be exploited. UPnP has no business being exposed to the internet. If the hardware vendors can't implement it properly, it needs to be disabled completely.

    That utility that Rapid7 released to identify vulnerable devices has its own problems. First, it needs Java. Second, it connects out to way more sites than can be justified for registration purposes, which shouldn't be necessary either. These included:
    74.125.226.226 through 74.125.226.232, 5 different IPs.
    208.111.135.24
    208.67.220.220 Open DNS
    8.8.8.8 Google DNS? which I don't use
    204.232.250.209
    74.125.133.95
    There may be more but I killed the process at this point.

    The online version they released for those who have a problem with the first version's need for Java didn't work on my system.
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    My router has UPnP disabled by "Default". I have had the router for a couple of years and have not run across any issues with having UPnP disabled.
     
  5. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,412
    Yes disable it, it is no good.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    You clearly do not understand UPnP, or the advantages of automatically opening and closing ports on-demand. I wonder how many people that manually open ports ever bother closing them.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    When a modem or router is manually forwarded to the PC and the app or service on the PC that used that port isn't running, that port is still closed to inbound traffic. I have ports forwarded on my modem and firewall for Tor. If Tor isn't running, those ports show closed when scanned.

    The port forwarding on the modem/firewall/router can be made address specific, making it closed to all of the web except the IPs that require it. A software firewall on the PC can also restrict traffic to that port to a specific application or service.

    In either case, it's safer than having malware or an exploited application opening that port without the user knowing it.
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Having a port come up as closed is a massive "I actually exist" sign. If I run Tor the ports will be automatically opened, when I close Tor the ports will be automatically closed. This is superior to manually creating permanently open ports, whether software is listening to them or not.

    Using the logic "disable it in case malware exploits it" is flawed. Why not apply that to all software you use? Disable Flash, disable your browser, disable your AV.

    The only issue here is that some router vendors have a flawed implementation of UPnP that needs patching.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Stealthed is little more than an illusion. Closed is as secure as a port gets. When a port is forwarded on a router/modem/firewall, the port on the PC is visible from the web. If nothing is listening on that port, it appears closed just as it would if it were blocked by the router or firewall. With most PCs connected 24/7 on semi-permanent IPs, an attacker doesn't need to see a closed port to know you exist.
    The browser, Flash, and most software do not open ports through your external devices and allow unwanted inbound connections. IMO, the convenience of UPnP is outweighed by the additional exploitable attack surface it creates.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    If an attacker is randomly scanning IPs for ports and suddenly encounters a closed one it's an encouragement to probe that IP further, stealthed is not an "illusion" lol. It's a simple matter of appearing invisible to any potential attackers. It's the difference between showing someone your house and the locked door to try and crack open vs that person not even knowing you exist.

    Oh please! You're acting as if exploitation is UPnP's sole purpose. It's EXACTLY the same as any other software program. I'll repeat myself again:

    "The only issue here is that some router vendors have a flawed implementation of UPnP that needs patching."
     
  11. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    Steve Gibson has added a test for router UPnP at his website grc.com. Go to the Shields Up section ( https://www.grc.com/x/ne.dll?bh0bkyd2 ) and proceed to run the test to see if your router is vulnerable. Thumbs up for Steve.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Nice! Thanks for the link. Apparently I'm not vulnerable (no surprise as this apparently affects only 2% of the IPv4 address space).

    I also discovered the Security Now video about the issue through that link, quite interesting:
    https://www.youtube.com/watch?v=wEa43qM4JjQ
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,046
    Location:
    USA
    Thanks for that information. I just ran the test on a router that has UPnP enabled, and it passed the test. I'd suggest anyone that is concerned run this test before just disabling it.
     
  14. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    If you have UPnP enabled, then malware/hacker tools can use it to open ports, as there is no whitelist of apps that are allowed to use that feature. I'd say that to have defence in depth, it would be better to disable UPnP.
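    As an added example (not code from this thread or from any poster), here is a small Python audit of what UPnP has actually opened on a gateway: given the description URL a gateway advertises as LOCATION in its SSDP reply, it locates the WANIPConnection control URL and walks the port-mapping table with GetGenericPortMappingEntry, so you can see which internal hosts and applications hold mappings and whether anything is still open that should not be. The function names are my own, and the two sample XML documents are constructed for offline testing, not captured from a real router.

```python
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

IGD_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d'
        '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def local(tag):  # strip the XML namespace from an element tag
    return tag.split("}")[-1]

def control_url(description_xml, base_url):
    """Find the WANIPConnection service's controlURL in the gateway's description document."""
    for svc in ET.fromstring(description_xml).iter():
        fields = {local(c.tag): (c.text or "").strip() for c in svc}
        if local(svc.tag) == "service" and fields.get("serviceType") == IGD_ST:
            return urljoin(base_url, fields["controlURL"])
    return None

def parse_mapping_reply(xml_text):
    """Collect the New* fields of a GetGenericPortMappingEntry reply into a plain dict."""
    return {local(el.tag)[3:]: (el.text or "").strip()
            for el in ET.fromstring(xml_text).iter() if local(el.tag).startswith("New")}

def list_mappings(ctrl, limit=256):
    """Walk the mapping table by index until the gateway answers with a SOAP fault (end of table)."""
    out = []
    for i in range(limit):
        req = Request(ctrl, data=(SOAP % (IGD_ST, i)).encode(), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": '"%s#GetGenericPortMappingEntry"' % IGD_ST})
        try:
            with urlopen(req, timeout=5) as resp:
                out.append(parse_mapping_reply(resp.read()))
        except HTTPError:  # HTTP 500 / SpecifiedArrayIndexInvalid: no more entries
            break
    return out

# Constructed sample documents (not captured from a real gateway) so the parsers run offline.
SAMPLE_DESCRIPTION = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList><service>'
    '<serviceType>%s</serviceType><controlURL>/ctl/IPConn</controlURL></service>'
    '</serviceList></device></root>' % IGD_ST)
SAMPLE_REPLY = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="%s"><NewRemoteHost></NewRemoteHost>'
    '<NewExternalPort>51413</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>51413'
    '</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>example-app</NewPortMappingDescription><NewLeaseDuration>0'
    '</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>' % IGD_ST)
```

    On a real LAN, take the description URL from the router's SSDP M-SEARCH reply (or its admin page) and run `list_mappings(control_url(urlopen(url).read(), url))`; an entry whose InternalClient or description you do not recognise is exactly the kind of silently opened port this debate is about.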
     
  15. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    This issue is currently being heavily debated in security circles, organizations, etc. This older article cites *some* of the key points and issues but does not offer any solid recommendations as to what to stop via Windows Services:

    http://arstechnica.com/security/2013/01/to-prevent-hacking-disable-universal-plug-and-play-now/

    Some schools of thought are of the opinion that the below is the best corrective action:
    DO NOT DO THIS AT HOME UNLESS YOU ARE FULLY AWARE OF THE IMPACT OF STARTING OR STOPPING WINDOWS SERVICES
     
    Last edited: Feb 1, 2013
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    No offense siljaline but sometimes I have to wonder where you're getting this flawed information. Just a month ago you recommended ATI users disable an important ATI service which was utter nonsense.

    Now once again you're recommending people break SSDP discovery, used by many network devices, because of something that has nothing to do with Windows. It is even dumber advice than recommending to disable UPnP and should NOT be followed.

    Seriously? You HONESTLY think you should disable UPnP just in case you're infected with malware. Boy, you have far bigger issues than just UPnP if you're infected; they can already do whatever they want with your PC...

    You should probably also consider disabling your Internet connection just in case you become infected and start DDoSing people... :D
     
  17. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    It was someone from DHS that made this valid observation after much consternation that is still ongoing in the security community. Geez, if you'd like to dispute it, back it up with fact.
    Ehh... an unneeded service that many were not running or did not require.
    Again, back that statement up with fact. ATI aka AMD GPUs are inherently buggy; why run background services if ya don't have to?
     
  18. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With UPnP and any other service or app that opens ports for incoming connections, if you don't specifically need it, it shouldn't be running. Reducing your attack surface is one of the best things you can do to secure your system.
     
  20. sepihi

    sepihi Registered Member

    Joined:
    Jan 18, 2013
    Posts:
    20
    Location:
    USA