Forgot your password?
typodupeerror
Security

Most Home Routers Vulnerable to Flash UPnP Attack 253

Posted by CmdrTaco
from the oh-this-will-go-well dept.
An Anonymous reader noted that some folks at GNU Citizen have been researching UPNP Vulnerabilities in home routers, and have produced a flash swf file capable of opening open ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.
This discussion has been archived. No new comments can be posted.

Most Home Routers Vulnerable to Flash UPnP Attack

Comments Filter:
  • Nothing new, really (Score:4, Interesting)

    by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Monday January 14, 2008 @09:59AM (#22033870) Journal

    It all hinges on going to a malicious web site. Just like email trojans, if you resist temptaion and use some common sense, do you really have to worry about this?

    • by someone1234 (830754) on Monday January 14, 2008 @10:02AM (#22033900)
      Yes. You may not be sure if a site is malicious or not, without visiting it.
      And some sites may become malicious suddenly because of all those syndicated ads around.
      • Re: (Score:2, Informative)

        by lordofwhee (1187719)
        Let's not forget XSS attacks, this is the kind of thing they're perfect for.
      • by Lumpy (12016) on Monday January 14, 2008 @10:45AM (#22034394) Homepage
        Yup, I have seen people computers infected from msn.com the banner ad's were at one time installing spyware from the default IE home page.

        All it takes is to get your nastyness in a bunch of Ad rotations from doubleclick and other scumbag webad companies and you can hose a huge swath of the net.
      • by Hatta (162192)
        What syndicated ads?
      • Re: (Score:3, Insightful)

        by kilodelta (843627)
        That is the problem. It seems as though Flash is the way to go on this and if you're running Firefox you just run the Flashblock add-on. It puts a little 'f' where the flash module wants to run. Between Flashblock and AdBlock I love the web.
    • by Anonymous Coward on Monday January 14, 2008 @10:08AM (#22033956)
      Well yes. If you never visit a site with adverts. Or the Internet as it's otherwise known. Sure, you can block them (and I do) but sometimes sites switch to new providers and you are vulnerable for the time it takes to update the block file.

      I'm not really surprised to be honest - I always thought UPnP looked fishy to me so I disabled it on my router. I don't like the idea that anyone coming to visit can plug in their malware-ridden Windows laptop and reconfigure my router. Sure, having it turned off means X-Box Live is less happy but that only decreases the number of people who can call me "fag" on a daily basis. I wonder if Microsoft will update the X-Box Live support page where they say that UPnP doesn't make your network insecure...

      I also have Flash disabled by default because it is well known to be insecure and buggy and a delivery system for malware. Most proper web-browsers either let you enable flash on a per-site basis or will allow you to do so with a plug-in and this is really the way to go.
      • Re: (Score:2, Insightful)

        by Brian Gordon (987471)
        I agree, UPnP always seemed like a bad idea to me.. it's just fills up your network with multicast spam for lazy people who don't want to set up a proper network. Clients should have no control or peer-to-peer interaction.. networking is all about security, and doing everything server-side keeps things secure.
    • by Nullav (1053766) <moc AT liamg DOT valluN> on Monday January 14, 2008 @11:38AM (#22035018)
      Yes, but the social engineering requirement is more or less gone in this case. It takes substantially less work to convince someone to click a link than to download a file. (Granted, Bonzai Buddy got people by just being a purple ape.)
      Why, look no further than the MyMiniCity/Goatse/2girls1cup links being posted here in every thread! At least one person clicks and ends up warning others. (Either by downmodding or posting.) Why, you just need someone who's curious enough to click.

      On the other hand, it requires a bit of work to get someone familiar with malware to click on a 'you just won' banner and download the mystery prize. Don't even get me started on random email attachments following nonsense messages.
  • Turn off UPNP (Score:5, Insightful)

    by russ1337 (938915) on Monday January 14, 2008 @10:03AM (#22033908)
    I thought the recommended steps for setting up a router were:

    A. Unbox
    B. Throw away the disk
    C. Plug in your machine, Turn on the router and navigate to the webgui
    D. Turn off UPNP
    E. ??? (Change default name and password, set WPA, Turn off SSID etc....)
    F. Profit...

    The point is, I'd always been told to turn off UPNP 'cos sooner or later something is going to open ports that you don't know about.
    • Re: (Score:3, Insightful)

      Change default name and password, set WPA, Turn off SSID etc....

      I'm okay with all of that. The only thing I never get is why to turn off the SSID broadcast. If it's well secured, it doesn't matter if they know it's there or not. Besides, I'm pretty sure that just listening to traffic will reveal the presence of a wireless network.

      • Re: (Score:3, Insightful)

        by EvilRyry (1025309)
        Right. And it's also rather annoying when you do a quick look around to find a vacant channel. "Oh look, no one is on channel 1, lets use that!" Only to find out a short while later that 5 networks are using that channel, but all of them have SSID broadcast disabled.

        Anyone who can break into your wifi can probably find your SSID if broadcast is disabled, all you need to do is wait and listen.
    • Re:Turn off UPNP (Score:5, Informative)

      by Z-MaxX (712880) on Monday January 14, 2008 @10:27AM (#22034184) Journal

      I thought the recommended steps for setting up a router were:
      ... D. Turn off UPNP
      I guess that is the wise choice. But UPnP is very handy for me because my home machines always get different IPs from my router, so if I want to port-forward BitTorrent ports to me laptop, desktop, etc., I have to go in and change the port-forwarding config on the router every time I get assigned a new IP. Big PITA. But then I discovered how Azureus can use UPnP to automagically forward the ports for me on the fly. It seems to work fine. Too bad it's a security risk.
      • Re:Turn off UPNP (Score:5, Informative)

        by FlashBIOS (665492) on Monday January 14, 2008 @10:33AM (#22034252)
        See if your router supports port triggering [wikipedia.org] or look for that feature in your next router. It is a way to automate port forwarding, and would help you in your setup without being the security risk UPnP is.
      • Re:Turn off UPNP (Score:5, Informative)

        by pipatron (966506) <pipatron@gmail.com> on Monday January 14, 2008 @10:41AM (#22034360) Homepage
        Configure your DHCP server (your router in this case) to always give the same IP to the machines that you run server software on. It's trivial, really.
        • by mzs (595629)
          Or just give them static IPs. You can have the rest via DHCP for convenience even if the IP is fixed.
          • Re: (Score:2, Insightful)

            Using true static IPs is much less convenient than configuring a dhcp server to dole them out. One problem is moving a machine (like a laptop or lan-party gaming computer) between networks -- static IPs can make things sticky.

        • Re: (Score:2, Informative)

          You're right, but many routers do NOT support this feature out-of-the-box, the most notable of these being the WRT54G.

          Personally, I just run a standard ISC DHCP daemon on one of my boxes and then configure it to dole out addresses to machines that need 'static' IPs for server functionality. I also have a dynamic port range for other boxes and devices that can change without any adverse effects.

          On a Linux machine (currently there are packages for Ubuntu, Debian and Fedora, plus some others), this can be mad
          • If your router doesn't support this feature, you may want to consider changing the firmware of the router.

            I am using DD-WRT (http://www.dd-wrt.com/wiki/index.php/Main_Page), and it's much more functional than the original firmware of my linksys WRT-54GL router. It's also rock stable, once it's installed (Just follow the installation directions closely).
          • by iCEBaLM (34905)
            WRT54G (Arguably the most prolific consumer grade router in existence) does support static IP assignments via DHCP.
            • Re: (Score:3, Informative)

              by InvisiBill (706958)

              WRT54G (Arguably the most prolific consumer grade router in existence) does support static IP assignments via DHCP.

              Certain versions, at least, do not. That was the main reason I switched to DD-WRT. The compact version also did not support it last I knew (a friend has this router).

              But yes, even the D-Link DI-704 that I purchased in 2000 for $20 (i.e. it was really cheap a really long time ago) did support reserved DHCP, and I'll never again use a router without it. I personally find it unforgivable that Linksys' instructions for port forwarding essentially tell you to completely disable DHCP and just manually confi

              • by internewt (640704)
                I think a lot of BS that we see in the consumer electronics field is simply the PHBs making decisions. Maybe Linksys had what they thought were an abnormal amount of support queries relating to DHCP reservations? So they simply removed the features that complicate their DHCPd: you now get a choice of "fully auto" or "manual" and Linksys don't have to explain to users what a MAC address is, what a DHCP reservation is, what a static IP is, what an IP is... etc..
          • by d3ac0n (715594)
            Wait...

            You people actually run consumer-level commercial wireless routers?

            Apparently I'm the only one here that runs a Smoothwall [smoothwall.org] router and a separate wireless bridge connected to a DMZ'ed network. Wired connections on the normal network, wireless on the DMZ. Soon I'll be upgrading to include a wireless card in my smoothie, and it will run everything. What self-respecting geek actually uses consumer-end garbage and doesn't DIY a proper router/firewall?

            I AM on Slashdot, right? ;)
            • Re:Turn off UPNP (Score:4, Informative)

              by adolf (21054) <flodadolf@gmail.com> on Monday January 14, 2008 @01:52PM (#22036886) Journal
              All of us self-respecting geeks realized, years ago, that it was far cheaper, easier, and better to run OpenWRT/DD-WRT/Alchemy on a WRT54G from Wal-Mart, than to maintain yet-another-fucking-PC at home.

              It's a good gig: A Linux box with 5 Ethernet ports and a WiFi radio for ~$50.

              Having zero moving parts and negligible power consumption is a big help, too.

          • For some that don't, you can still configure the length of a DHCP lease. Setting this to a few years has the same effect if you don't have more computer than IPs in your private subnet.
        • by vux984 (928602)
          Configure your DHCP server (your router in this case) to always give the same IP to the machines that you run server software on. It's trivial, really.

          Not trivial if your router doesn't support that feature. And I've worked with dozens of routers from SMC, Linksys, Dlink, etc that don't support it.
        • by bhtooefr (649901)
          Or, even, use static IPs.

          There's apps out there that assign different settings based on which network you're on, if you go between networks.
    • Re:Turn off UPNP (Score:5, Informative)

      by yuna49 (905461) on Monday January 14, 2008 @10:31AM (#22034218)
      BitTorrent users often use uPNP to punch a hole through the router for torrents. Many torrenting "how-tos" specify using uPNP for this purpose, and it's commonly enabled in many BT clients like Azureus and uTorrent. For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

      • by binaryspiral (784263) on Monday January 14, 2008 @11:13AM (#22034698)
        For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

        If uPNP is a godsend to those people... they need to get a better God.
      • by mzs (595629)
        I just have two ports open for this. You only need it for the initial incoming connection. I only had to do it once.
      • Re: (Score:3, Informative)

        by ookabooka (731013)
        Agreed. I'm sure there are even games that support uPnP so when you host a game, the appropriate port is automatically forwarded. IMO, if you keep a tidy computer network with virus scanners on your computers and scan for malware, then it's not much of an issue. It's still better than hooking up your computer directly to the internet and having window's services exposed. You have to compromise the computer before you can use UPnP to allow the attacker in anyways. What's so bad about having a lock thats easy
      • I think you mean UDP hole punching [wikipedia.org] (aka: NAT traversal) not UPnP. UDP hole punching is used by the likes of Skype [mocaedu.com], Hamachi [wikipedia.org], torrent clients [wikipedia.org] (look at the NAT traversal column in the table), p2p clients, and any other service that needs to listen on a port w/o having to rely on correct forwarding of traffic on intermediate nodes.

        Of course, if you want the benefits of TCP with this method, you then have to implement TCP over UDP to do this (which I know Hamachi does).
    • by Firehed (942385)
      Like so many things, UPNP is a tradeoff between security and convenience. Want a stronger password? You have to type in an annoying password every time you want to do anything. Want secure WiFi? Then make sure you write down your 64+character alphanumeric nonsense passphrase and be sure to add your MAC address into the allowed users table, after going through a second insane password to hit your router's config panel. Want to lower the risk of a break-in? Then set or open both a lock and deadbolt ever
      • by Tony Hoyle (11698)
        UPNP can be blown wide open with well crafted perl script. It has zero authentication and most implementations even allow portforwarding to machines outside the LAN.

        Basically if you're going to enable UPNP you might as well disable all your other security as well in the name of convenience.
    • You forgot one big step UPDATE the firmware
    • by yo_tuco (795102)
      "E. ??? (Change default name and password, set WPA, Turn off SSID etc....)"

      Turning off SSID is pointless. It is easy to discover it for those that would want to know.
  • by eknagy (1056622) on Monday January 14, 2008 @10:04AM (#22033914)
    This will take an old-new argument to "to free or not to free my wifi" questions.
    • by slim (1652)

      This will take an old-new argument to "to free or not to free my wifi" questions.
      If you're talking about the recent Schneier stuff, then part of the rationale for running unauthenticated WiFi is that the hosts inside the network are hardened. Hence, assuming no mistakes in the host hardening, you could have no firewalling whatsoever on the router, and you'd still be safe.
      • Re: (Score:3, Insightful)

        by wbren (682133)
        From the article's comments:

        The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.

        The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing

        • by slim (1652)

          From the article's comments:

          The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.

          The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing attacks succeed, this seems like a legitimate threat. Notice that in this case the clients could be as hardened as can be, and they would still (unless a static DNS was manually entered) use the DNS server provided by the compromised router.

          Hmm, but UPnP is special, in that it does quite serious things at the behest of unauthenticated requests, by design. Let's repeat that -- this isn't a 'bug' on the routers. UPnP is /designed/ to forward ports when it gets a request from inside the network, no questions asked.

          Whereas, you do need at least a password (or a more esoteric vulnerability than UPnP; one that won't be as homogenous across various brands of router) to actually compromise the router in ways such as you describe.

          • by wbren (682133)
            I'm aware that UPnP is designed to forward ports at the request of a machine inside the network, but the article made it sound like the admin password might be reset using the exploit. Perhaps it was the lack of coffee that made me read it that way. I'll read it again after a couple cups :-)
    • Re: (Score:3, Informative)

      by wbren (682133)
      Open WiFi access points are a security nightmare regardless of exploits like this, so the same basic advice still holds: open WiFi access points should be isolated from your "trusted" network. Security vulnerabilities aside, open access points are a legal nightmare waiting to happen (child pornography, phishers, DDoS attacks, intrusion, etc.) In other words, avoid them. Regarding your specific question about this UPnP exploit and open APs, the open AP could be potentially used as a phishing goldmine, especi
      • by slim (1652)

        Security vulnerabilities aside, open access points are a legal nightmare waiting to happen (child pornography, phishers, DDoS attacks, intrusion, etc.)

        You've either missed the recent debate, or missed its point. The argument goes:

        - If someone uses your open access point for nefarious means, you have a defence -- "But anyone could have done that".
        - If someone uses your 'secured' access point for nefarious means, your defence requires a jury to understand the ease with which (say) WEP can be cracked.

        And the likelihood of spammers, DDoSers, phishers etc. using your WiFi connection rather than their massive botnet is negligible.

        Just repeating the argument. F

        • by scottv67 (731709)
          Just repeating the argument. FWIW my own access point is secured with 64 bit WEP, which I suppose is worst of both worlds. But it keeps my bandwidth available for myself, and uses a short passphrase I can remember.

          Why aren't you using WPA-PSK or WPA2-PSK instead of WEP? Using either WPA method is far more secure than WEP (which can be cracked by using a paperclip, the foil wrapper from a stick of chewing gum, two buttons from your shirt and a 20-oz bottle of Mountain Dew).

          • by slim (1652)

            Just repeating the argument. FWIW my own access point is secured with 64 bit WEP, which I suppose is worst of both worlds. But it keeps my bandwidth available for myself, and uses a short passphrase I can remember.

            Why aren't you using WPA-PSK or WPA2-PSK instead of WEP? Using either WPA method is far more secure than WEP (which can be cracked by using a paperclip, the foil wrapper from a stick of chewing gum, two buttons from your shirt and a 20-oz bottle of Mountain Dew).

            I'm not sure my AP supports it -- I'm still on 802.11b and too tight to upgrade.

        • by wbren (682133)
          That argument is based on the ostrich strategy: keep your head in the sand and you can't possible be blamed for anything. It's just not smart to rely on that. Who knows, a judge may find that you were criminally negligent by providing an open AP that was used in some crime. There's no good reason to take that risk. Setting aside the legal responsibilities for a moment, why would you even want to take the chance of being caught up in an investigation involving your unsecured AP? That's just asking for troubl
          • by slim (1652)

            Who knows, a judge may find that you were criminally negligent by providing an open AP that was used in some crime. There's no good reason to take that risk. Setting aside the legal responsibilities for a moment, why would you even want to take the chance of being caught up in an investigation involving your unsecured AP? That's just asking for trouble. You wouldn't leave a loaded gun lying around for anyone to use or a running car unattended for anyone to drive off with, so why would you leave an access point unprotected?

            An open AP is not a gun though, is it? I'm not sure it's facetious to say that I leave my rubbish bin outside on the street unsecured all the time. If someone stole it and hurled it through a shop window, I wouldn't be found criminally negligent for providing an unsecured missile.

            I would be more concerned with someone connecting to my network and downloading/hosting child porn, which could get me (1) in serious trouble with the law and (2) an (unjustified) label as a child porn kingpin. It's just irresponsible and foolish to leave an AP open.

            But you've not countered the argument (and I continue too play devil's advocate here) that an open AP gives you plausible deniability -- except for criminal negligence suggestion, for which I'm not aware of any precedence. Is it

  • by dotancohen (1015143) on Monday January 14, 2008 @10:08AM (#22033954) Homepage
    There was a thread on the Mozillazine forums [mozillazine.org] about malicious JavaScript changing router settings about two years ago. Unfortunately, in October Mozillazine had a big foulup and many threads (and users, me included) were lost [mozillazine.org]. I cannot find the thread now, but if I do I'll post back with a[n] URL. The thread's conclusion was that one should never leave the default password on the router.
  • by Zombie Ryushu (803103) on Monday January 14, 2008 @10:12AM (#22033994)
    My home router is a Linux NAT Server. (I sorta have a pissant about the fact that those things to be called "Routers" I have a DI-704, and I couldn't get it to route between two actual subnets. It only would NAT.

    Anyway, my point. What about things like the Linksys WRT54GL?

    The thing is, it would be awesome if there was a flash drive driven Linux device with a Cisco Style com port that ran off flash, could be OpenLDAP Server, Samba DC, Kerberos KDC, NAT Server, or actual router WITH a Cisco style Console port that are cheap. Why does this not exist??
    • Your point seems to be a question.

      Anyhoo, there's nothing uber special about Flash, you can just put a CF/SD card in an IDE/SATA adapter and attach it to a suitable computer, such as one of the fanless EPIAs [mini-itx.com], that one even has dual gige.
    • Re: (Score:2, Informative)

      by Anonymous Coward
      The WRT54g can have a serial port hacked into it [rwhitby.net] for configuration. It's a fairly simple job if you have a soldering pencil around. They can also mount a SMB file system on boot [dd-wrt.com] so you can run whatever you want on the device. This filesystem can contain a shell script to be executed, allowing you to set up whatever you'd like to run at boot on the router.
    • Re: (Score:3, Informative)

      by AMuse (121806)
      If you really want to tinker around with Linux as a home NAT/Firewall device, you would love the Soekris [soekris.com] NET4801 [soekris.com] or NET5501 [soekris.com] boxes.

      I have one (I have no financial relationship with them other than customer) and I really love it. Very low power, 4GB flash card (up to 8 now I think), 1GB of RAM, no fans, no noise and if I want to I can put a large USB external drive (or small laptop drive inside) to do NFS/SMB/ETC.

      All that and the wonder of Linux IPTables, routing, NATting, OpenVPN, OpenSSH for around $300.
  • by sticks_us (150624)
    ...in this thread anyway, to recommend the flashblock plugin [mozdev.org].

    I installed it a couple of weeks ago, and really enjoy it. Banner ads have all but disappeared, and I don't even really notice (except for faster page loads and cleaner page layouts). If I want to see a YouTube video, that's easily accomplished--just click on the "F" icon in the blocked section of the page.

    As an added bonus, I'm protected from all of these recent security breaches we've seen for Flash...aren't I?
    • by Aladrin (926209)
      Great idea because IE runs Firefox plugins SO well.

      Firefox isn't vulnerable to this in the first place, so your advice means nothing here.
    • Re: (Score:2, Funny)

      by TheCRAIGGERS (909877)
      Firefox is safe anyway, for the time being.

      Still, NoFlash... NoScript... soon I'll have to install NoImage and NoCSS. I guess it's time to go back to Gopher.
  • Browsers (Score:4, Informative)

    by JackSpratts (660957) on Monday January 14, 2008 @10:16AM (#22034036) Homepage
    as usual opera is resistant.
  • by ElGanzoLoco (642888) on Monday January 14, 2008 @10:17AM (#22034046) Homepage
    [...] a flash swf file capable of opening open ports into your network [...]

    Hold on, now I'm confused: does this attack open open ports, or does it open ports open? Or even worse, does it open open open ports? :D

    • by wbren (682133)
      It opens ports on your router that are open on your computer. The ports are clearly already open, but they need to be opened again by the router. For example, my local Wal-Mart* is open in that is isn't "out of business", but it must be opened every morning (and "closed" into its original open state every night) anyway, so people can walk in and buy stuff. So in that regard, my local Wal-Mart* was opened twice, just like opening open ports. It's all very complicated, having to do with the lowest levels of T
    • by Tony Hoyle (11698)
      I presume it means that it allows open ports (on the lan) to be seen by everyone (on the wan).

      In some upnp implementations it's been shown that you can even do it the other way around - do things like forward port 80 outgoing to $hackers_proxy.

      upnp is kinda useless anyway.. nothing that can't be done more safely and more controlled by static DHCP and standard port forwarding (or, better, getting multiple IP addresses from your ISP).
  • I've always wondered about using StumbleUpon as a distribution method. I wonder if it is possible in such an exploit somehow force your profile to Thumbs Up the infected page, making it spread at a maximum exponential rate, since the rating system would only have to be vulnerable on the client side, I imagine.

    My larger point though is that in a web where the actual URL of content is becoming more and more meaningless as meta sites start to coagulate content around them, what do users on the client side h
  • It's Opera browser that Runs an OLD version of flash on a Wireless network. I mean, do we need to worry about this when we go to the wrong site from our Nintendo? I hear they update it from the connect24 but not that often...
  • Turn off UPnP! (Score:5, Insightful)

    by ledow (319597) on Monday January 14, 2008 @10:24AM (#22034152) Homepage
    Turn off UPnP! Why on Earth do you want it on anyway? That's the problem here - an XSS is one matter, although being able to send SOAP-style requests across your local network is a major concern. But having a router that automatically opens ports based on virtually zero authentication? A nightmare waiting to happen.

    Never used it. Never wanted it. Never turned it on. Always turned it off on EVERYTHING. UPnP is the problem here - a simple (unauthenticated) HTTP-style page requested in a browser suddenly starts opening ports to your network. It should not happen. Even my DSL router/wireless router/Linux router has SSL only, passworded access to do anything even approaching opening ports. And if a webpage pops up with an authentication dialog with the header "Wireless Router" and you type in your password, then you're a fool, unless you specifically requested the router's configuration page.

    There's rarely even a log of what UPnP has done - which ports it's opened in the past etc. for whom.

    Just turn the damn thing off. It's too dangerous.
    • Re:Turn off UPnP! (Score:5, Insightful)

      by slim (1652) <john@ha[ ]up.net ['rtn' in gap]> on Monday January 14, 2008 @10:38AM (#22034304) Homepage
      The thing is, it's just so damn useful. For a TCP/IP savvy person, setting up, say, a Bittorrent client, or Xbox Live online play without UPnP is a chore. For normal people, it's voodoo. With UPnP (and the right client) it Just Works. Convenient or secure... guess what most people will choose?

      But, agreed, it's scary stuff, if you believe your router ought to be a firewall. What's really needed is for home routers to start implementing authenticated UPnP, and for clients to work with it. (I must admit I've only glanced at the UPnP specs, but I seem to recall seeing references to an authenticated flavour).
      • by wwahammy (765566)
        I know Microsoft is implementing a new standard to supercede UPnP in part due to the lack of security. Whether this new standard acheives that though is another issue entirely.
      • by Tony Hoyle (11698)
        xbox live works fine without any port forwarding at all.

        Any half decent bittorrent client works of a single port and can be setup in minutes.

        What is this 'chore' you're on about. I known virtual newbies do it without prompting.
        • by slim (1652)

          xbox live works fine without any port forwarding at all.

          I Googled, and you're right. However XBL uses UPnP if it's there, and I suspect that for most games, at least one Xbox needs to be able to accept() connections from the rest -- whether that's using port forwarding, a direct connection to the net, or whatever. So yeah, a given Xbox can run without any port forwarding, but if everyone did it, it would break (like in the old days when MSN Messenger file transfer worked if one side was NATed, but not if both were).

          Any half decent bittorrent client works of a single port and can be setup in minutes.

          What is this 'chore' you're on about. I known virtual newbies do it without prompting.

          'Minutes' is more than zero effort, and I sus

    • by wwahammy (765566)
      It's not as secure as needed, that is without doubt. But I get tired of trying to figure out the port forwarding needed for various programs. Sometimes you want it to just work and UPnP when implemented accomplishes that goal.

      An argument could be made that UPnP is more secure in that it only opens ports while a program uses them (provided the program is coded right), not all the time as most people would have done had they needed to open the ports manually. That doesn't negate the vulnerabilities in the
  • My cheapie Belkin access point has an option to turn off UPNP in the configuration. In fact, it is the default. That should kill that exploit rather quickly, shouldn't it?
  • and was pleasantly surprised to see UPnP disabled out of the box.
    Are router manufacturers finally learning?
  • Only way it works. I can't for the life of me understand what I would need it for anyway.
  • Ok, for this to succeed the site would have to know your router's internal IP address. 192.168.1.1 is very common in early routers, but this has changed recently.

    Now, to actually get to the computer, it would also have to bypass your software firewall as well.

    Of course, all this does is open ports, it doesn't actually attack or exploit anything.

    This is a potential exploit, but not a working one yet.
  • I have a couple of Netgear routers and both shipped with UPnP off by default.

    UPnP can be enabled or disabled for automatic device configuration. The default setting for UPnP is disabled. If disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router.

  • The offender is called NAT Traversal [wikipedia.org]

    "UPnP [wikipedia.org] comes with a solution for NAT (Network Address Translation) traversal, called the Internet Gateway Device (IGD) protocol. NAT traversal for UPnP enables UPnP packages to pass through a router or firewall without problems and without user interaction, (that is if that router or firewall supports NAT). It essentially allows any local UPnP device to punch arbitrary holes in the firewall, by letting the firewalled router create port forwardings automatically."

Any sufficiently advanced bug is indistinguishable from a feature. -- Rich Kulawiec

Working...