The year 2013 is quickly turning into the year of cyberattack awareness, and a commonrouter protocol is one of the latest security holes that urgently demands your attention.
The UPnP, or Universal Plug n Play, protocol is designed to let networked devices findeach other easily. The idea is that you should be able to plug a networked device into arouter, and the router will easily discover the device.
Problems potentially arise because UPnP isn’t authenticated. This lack of authenticationhas kept things simple for connecting printers, streaming media players and other devicesin the home and office.
However, it has also meant that routers can be wide open to connections fromanywhere — particularly because UPnP can function across a WAN network.
Shut It Down
Between 40 million and 50 million IP addressescould be susceptible to attack through multiple UPnP methods, according to a white paper released in January by security firm Rapid 7, which has just completed a large-scale security project.
One method discovered is penetration via SSDP (Simple Service Discovery Protocol)buffer overflow vulnerabilities in a version of UPnP called “Portable SDK for UpnP” (libupnp).
Patches have been released by some router vendors, but in many cases existing network equipment won’t be updated, according to Rapid 7.
The Department of Homeland Security’s Computer Emergency Readiness Team hassuggested computer users disable UPnP.
Patch It Up
There are steps you can take to close this hole, however, and to address other potential UPnPsecurity issues:
Step 1: Identify the external vulnerabilities.
Run the free tool published by Rapid 7 that identifies UPnP Internet-exposurevulnerabilities on your network by browsing to the Rapid 7 website page and clickingon the orange “Scan my Router” button. Then note the results.
Step 2: Identify the internal vulnerabilities.
Download the Rapid 7 ScanNow for UPnP product from the same website. Thisprogram identifies internal network vulnerabilities. Click on the “Download Now” buttonand follow the prompts to install and run. Accept the internal IP address defaults andallow the scan to complete. Then note the results.
Step 3: Review the results.
If either of the two scans show no vulnerabilities, no action is required for this exploit. Ifvulnerabilities are indicated, proceed to the next step.
Tip: Internet-exposure vulnerabilities are more serious than internal networkvulnerabilities.
Step 4: Block inbound traffic on UDP Port 1900 to prevent SSDP attacks by accessingthe networked router’s configuration menu with a Web browser.
Enter the router’s IP address in the browser address bar. Then enter the router User IDand Password. Choose the Advanced section and then Block Services, or similar.
Enter the Protocol, in this case “UDP,” and then the port, in this case 1900. Save theconfiguration.
Tip: A common User ID is “admin” and password can be blank or “password.” AnInternet search for your router model can provide authentication information.
Step 5: Disable UPnP altogether to prevent current SSDP and possible future attacks.
Access the router’s Advanced section and choose “Turn UPnP off,” or similar withinthe specific UPnP area of the router’s configuration. Then save the configuration.
Tip: Look for any vendor-provided updates for your router, network printer, mediaserver, security cameras and so on, by searching for the model numbers on the Internet.
Apply any patches by following the vendor-provided instructions.
Discard and replace any equipment that is shown to have UPnP vulnerabilities where thevendor doesn’t plan an update or, in the case of a router, where UPnP can’t be turned off.
Contact your Internet service provider for replacement equipment if the equipment wassupplied and is owned by the ISP.
Want to Ask a Tech Question?
Is there a piece of tech you’d like to know how to operate properly? Is there a gadget that’s got you confounded? Please send your tech questions to me, and I’ll try to answer as many as possible in this column.
And use the Talkback feature below to add your comments!