Jump to content

UPnP Security Risk


Random_N00b
 Share

Recommended Posts

I get the Comp TIA Smart briefs, and one thing that recently caught my eye was a link to a Reuters article talking about how the US Government is apparently warning people to disable UPnP on network devices because of a security flaw. Now, I'm not in the best situation as far as news goes right now (Out of the US in a 3rd world country), so I'm not sure if this is all over the news, or is old news. Either way, have you in this community heard anything about this or are familiar with it and why UPnP is a big issue right now? Thank you.

Link to comment
Share on other sites

Seems to be hyped-threat of the month!

I find most manufacturers (in UK/DE) now disable UPNP by default (no idea about US sorry).

The issue has been around since 2009?, the issue was presented at a past-Blackhat and Defcon-16, with some tools like upnpscan

Strange it suddenly jumped into a media-hype.

Think it was all started by HD Moore this time around? correct me if I'm wrong.

Link to comment
Share on other sites

Yep, its an old treat, yet very simple; would you allow a 3rd party application on your LAN, maybe even a virus to open port on your firewall? If you answer no then you should have UPnP turned off...

I know it can be useful and allow normal user to not have to worry about opening port for external services but for this to be secure it would need to have a key and application should know that key to talk with your firewall...

What's the point of putting a lock on your door it you leave the door window open... Just my 2 cent.

Link to comment
Share on other sites

I've been telling people for YEARS to disable uPnP and SSDP on not only their home routers, but also, the service in the OS, and on their Firewall to block it. Only things that might need it, are devices that auto config, like a Blu-ray DVD player, like mine does, to the internet, and even then, it STILL works, with it disabled on my home network. I have no issues connecting to DHCP and getting my Netflix on, even though the device likes to try to set my router to open ports for itself, it can't because I have it all disabled and locked down, so I set a DHCP reservation for the DVD players MAC address, and all works just fine and dandy.

There are links on the forums somewhere that I posted to videos I think from Defcon or BlackHat about people using uPnP to scan networks and open ports on routers for port forwarding attacks to internal nodes on the lan from the web side and I believe Metasploit has a few modules for fingerprinting and querying devices via uPnP and SSDP similar to SNMP attacks. I know I've messed with it before in Armitage to query devices that have found printers and such over the internet, so this is old attacks, just now making mainstream news which is the funny part, because its been an attack vector for years.

Oh, and forgot, if you use Opera(like I do) go to opera:config, and disable uPnP in there as well. Many browsers and apps pn mobile these days do it automatically and you don't even know it, they will auto configure firewall rules, etc, but Opera is the first browser I know of that actually has settings you can disable that really aren't needed at all. Like the server service, which I also disable, sync, unity, etc.

Edited by digip
Link to comment
Share on other sites

I have found this link, that explains how it's possible to run a scan and map the network through an UPNP enabled router.

https://media.defcon.org/dc-19/presentations/Garcia/DEFCON-19-Garcia-UPnP-Mapping.pdf

Link to comment
Share on other sites

Thanks for the responses. I'm just hearing about this for the first time. Not sure why they are making a big deal about it now, especially how long this threat has been around.

Because the mainstream establishment, doesn't listen to the security community until it hits them in the pocket book. Thats that sad reality. We've had Dan Kaminsky screaming from the highest mountain for a decade on the woes of DNS and studies have shown complete Zone Transfers are still possible on more than half the worlds networks, DNS cache poisoning is still possible, and home routers get drive by whacked with DNS Server updates all the time. Like anything in Security, until it hits someone in the money pit, they don't pay it much attention, ie: Government recently saying to uninstall Java as well as the uPnP issue. Until it hits someone big enough to come forward with the warning, or better yet, say New York Times admits to getting hacked by Chinese(mostly FUD, Chinese hack everyone, NYT is not any different, they just think they are special because they now know who) most people don't pay attention. All it does, is create more fear at home though, and the mainstream media, ends up reinforcing the negative view that all hackers = criminal. So while awareness is being raised, wait for the backlash and stiffer penalties ready to come out next. Only a matter of time. Security research, will one day be outlawed, as where in some countries, its already becoming a crime...
Link to comment
Share on other sites

Because the mainstream establishment, doesn't listen to the security community until it hits them in the pocket book. Thats that sad reality. We've had Dan Kaminsky screaming from the highest mountain for a decade on the woes of DNS and studies have shown complete Zone Transfers are still possible on more than half the worlds networks, DNS cache poisoning is still possible, and home routers get drive by whacked with DNS Server updates all the time. Like anything in Security, until it hits someone in the money pit, they don't pay it much attention, ie: Government recently saying to uninstall Java as well as the uPnP issue. Until it hits someone big enough to come forward with the warning, or better yet, say New York Times admits to getting hacked by Chinese(mostly FUD, Chinese hack everyone, NYT is not any different, they just think they are special because they now know who) most people don't pay attention. All it does, is create more fear at home though, and the mainstream media, ends up reinforcing the negative view that all hackers = criminal. So while awareness is being raised, wait for the backlash and stiffer penalties ready to come out next. Only a matter of time. Security research, will one day be outlawed, as where in some countries, its already becoming a crime...

That's...sad. I'm interested in learning more, but I almost feel like I'm a criminal for going to "hacker" websites. I feel the government is cranking down on it's control of information. How long before they go, "Hmmm, you know China, we like what you got over there?" With DPI getting passed I know it's a matter time at this point...Maybe I'm just ignorant. Or haven't looked up enough. I thought my SSH tunnel was secure if that tells you anything.

Link to comment
Share on other sites

I suggest you google "history of hacker", there are several good read that will help you understand that hacker are not bad, the bad guy are "Cracker" but I myself call the bad guy hacker because its what is the most understood. Hacker are inventor, developers.... Like most of us here, I started as a cracker in the era of netbus, sub7, back orifice, in those day, firewall was almost existent, AV were primitive and it was possible to get any info on anyone computer... bottom line is that hacker find the risk, cracker exploit it and vendor have no choice making their stuff better... Hacker help making security better the same way that competition drive new feature... I got hacked this week, I can't be mad at him for stressing the fact that I need to improve the security of my network.

Regarding censorship, I doubt that they can sensor us, and even the great firewall of china don't prevent them from hacking, there is a lot of talented hacker in china. Beside, their firewall can be bypassed by a simple VPN (I've been there lol)

Unless you have malicious motive, you should not be scared of prosecution, Security is a real respected, exciting and gratifying job... If you are up to the challenge...

Link to comment
Share on other sites

I suggest you google "history of hacker", there are several good read that will help you understand that hacker are not bad, the bad guy are "Cracker" but I myself call the bad guy hacker because its what is the most understood. Hacker are inventor, developers.... Like most of us here, I started as a cracker in the era of netbus, sub7, back orifice, in those day, firewall was almost existent, AV were primitive and it was possible to get any info on anyone computer... bottom line is that hacker find the risk, cracker exploit it and vendor have no choice making their stuff better... Hacker help making security better the same way that competition drive new feature... I got hacked this week, I can't be mad at him for stressing the fact that I need to improve the security of my network.

Regarding censorship, I doubt that they can sensor us, and even the great firewall of china don't prevent them from hacking, there is a lot of talented hacker in china. Beside, their firewall can be bypassed by a simple VPN (I've been there lol)

Unless you have malicious motive, you should not be scared of prosecution, Security is a real respected, exciting and gratifying job... If you are up to the challenge...

I'm very aware of the distinction between "hackers", "crackers", and other. I'll still give that a good google though, I may learn something. I think what I was remarking on was the knee-jerk reaction to the term "hacker". I think what a lot of people think of when they hear "hacker" is that guy who steals their bank account information, or dare I say it, "anonymous". What people fail to realize is a "hacker" is the guy who takes that piece of electronics and figures out how to do something the manufacturer and designer never would have never dreamed possible. Or the guy (or gal) who figured out that some protocol that was supposedly secure has a gaping hole in it, or that the password hashes are easy to break, etc.

Now, the way I look at this site, and others like it, is simply presenting information. What you choose to do with the information is up to you. Just because you can break into someones system doesn't mean you should. Myself, personally, I'm just some random noob here who is interested in knowing where the weak points are, so I can make sure I don't leave those open on my professional networks that I'm responsible for setting up.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...