The Universal Plug & Play’s Unending Security Nightmare

IT security professionals for almost two decades have been warning everyone about the dangers of UPnP (Universal Plug&Play). The capability of routers, switches, and hubs to dynamically open ports as per the request of a UPnP-enabled device in the internal network opens a virtual can of worms. Gateways, which used to be the strict firewall is reduced to a DMZ with UPnP enabled, the devices behind it is by all intents and purposes connected with the Internet unrestricted.

UPnProxy, a botnet-type of attack using zombie routers taking advantage of a buggy UPnP feature has grown to 65,000 routers strong. This number of infected routers will continue to grow, all without their administrators finding-out the issue at all.

What made UPnP vulnerabilities as effective attack surface/loophole is the tyranny of the default. Router and switch vendors made released their devices with UPnP feature turned-on by default, most probably to reduce support call cost. With the continued popularity of game consoles like Xbox and PlayStation, anyone with a UPnP-enabled router had less time to configure their routers for the consoles to connect to the Internet. UPnP protocols made configuration automated between the router/modem and the console device. This is a huge convenience to end-users, compared to manually configuring port forwarding to enable traffic flow between the console and the router.

And who can forget the nasty EternalBlue exploit, which propagated WannaCry ransomware in 2017, which made its authors $4 billion richer? The EternalBlue exploit, known only to the CIA for a long time, until it got weaponized by cybercriminals to ransomware has used vulnerabilities in UPnP-enabled routers to propagate the network.

Partnered with a broken SMBv1 in Windows XP, Vista and 7, WannaCry wreaked havoc for many business and individual users last year. The damage has been elevated, thanks to system administrators that failed to apply the Windows Update patch, which disabled SMBv1 protocol in favor of the non-vulnerable SMBv2 protocol. Millions of unpatched machines exposed to the Internet, thanks to autoconfiguration of UPnP made a lot of money for the cybercriminals in the process.

The nightmare has not stepped on its breaks, as a new router-based attack named EternalSilence is causing DDoS attacks in recent months. This new botnet is composed of at least 45,000 zombie routers, all of them have a buggy implementation of UPnP enabled. Same as the UPnProxy botnet, the owners of those zombie routers are not aware of what is happening behind their backs.

Users of home routers should educate themselves on how to disable UPnP setting. It can be disabled by accessing the admin page for the router, usually by browsing 192.168.0.1 or 192.168.1.1. The admin page provides the configuration option of disabling the UPnP completely, saving the hassle of the router becoming a member of a botnet causing DDoS somewhere in the world. Some devices may reject connection by default due to the loss of UPnP functionality in the router, but this can be remedied by enabling port forwarding, setting-up a manual port forwarding entry can be found in the manual of the device in question.