Security researchers have warned that faulty implementations of the Universal Plug and Play (UPnP) protocol in common routers are leaving millions of users at risk of attack.
UPnP was introduced as a solution to the problem of needing to forward ports from a router's external interface to internal systems in order to make internet-facing equipment visible. When routers and gateways were entirely under the control of system administrators that wasn't a problem, but these days nearly every house with an internet connection has a router that uses Network Address Translation (NAT) to connect multiple devices to the internet on a single public-facing IP.
A NAT system blocks incoming traffic by default - not so much as a security precaution, although that's a handy by-product, but because it has no idea to which of multiple client systems the traffic is supposed to be sent. Port forwarding tells the router that all incoming traffic to a selected port should go to a particular client system, but can be too confusing for non-technical types with all its talk of 'virtual servers,' 'IP addresses' and 'port ranges.'
UPnP solves that problem: in a move seemingly designed to give security wonks a heart attack, UPnP allows the client devices themselves to negotiate holes in the firewall. Launch a peer-to-peer file sharing application, for example, and it will typically use UPnP to forward an externally-facing port to your laptop or desktop's internal IP address. When the client software is closed, so is the hole - until the next time it's launched. UPnP also allows for device discovery on the local network: many network printers allow access over UPnP, while the Digital Living Network Alliance (DLNA) media streaming standard is built on UPnP technologies.
One of the key points of UPnP is that it should only be active on the local network: it's one thing to have your internal systems poking holes in your firewall, but quite another for an external system to do the same. Sadly, that most basic point appears to have been ignored by several manufacturers: a whitepaper released by security research firm Rapid7 claims that there are around 50 million devices accessible over the internet using the UPnP protocol.
It's a serious problem: NAT provides a handy level of protection against network intrusion, blocking access to vulnerable services on client machines. With UPnP access enabled on the external interface, attackers can easily bypass the NAT to gain direct access to ports on client devices. Still worse, systems that use UPnP to share media have been found to be exposing said media to the internet at large - and while that might not concern those who use media servers to stream the latest TV shows, it's a common feature of smartphones and tablets to be able to share personal pictures and videos over UPnP and related protocols.
The issue has the US Computer Emergency Readiness Team (CERT) worried enough to issue an advisory telling users that they should consider disabling UPnP - typically just by flipping a setting in the router, although some models have publicly-disclosed vulnerabilities where UPnP remains active even when apparently disabled - until manufacturers update the vulnerable libupnp software library to version 1.6.18, which explicitly disables UPnP on external interfaces.
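As an added example (not code from the article, Rapid7 or US-CERT), the following Python script gives a router owner a quick way to check for the exposure described above: it reads iptables-style firewall log lines and reports any UPnP discovery traffic (SSDP, UDP port 1900) that arrived on the WAN interface from a non-local address, which should never happen if UPnP is confined to the LAN. The log format, the interface names (eth0 for WAN, br0 for LAN) and the sample lines are all assumptions constructed for this example.

```python
import ipaddress
import re

# Constructed sample (not real traffic): iptables-style LOG lines from a home
# router, eth0 = WAN side, br0 = LAN bridge. SSDP, the UPnP discovery protocol,
# uses UDP port 1900; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges
# standing in for public source addresses.
SAMPLE_LOG = """\
Jan 29 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=UDP SPT=41234 DPT=1900
Jan 29 10:01:05 gw kernel: IN=br0 OUT= SRC=192.168.1.20 DST=239.255.255.250 PROTO=UDP SPT=50000 DPT=1900
Jan 29 10:01:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=55555 DPT=443
Jan 29 10:02:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=UDP SPT=41235 DPT=1900
Jan 29 10:02:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=6000 DPT=1900
"""

SSDP_PORT = 1900
LINE_RE = re.compile(r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Ranges a home LAN client can legitimately come from (RFC 1918, loopback,
# link-local). SSDP from any other source should never hit the WAN interface.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_lan_address(ip):
    """True if the address (str or ip_address) lies in a local-only range."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in LAN_NETS)

def parse_line(line):
    """Pull interface, source, protocol and destination port out of one LOG line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"iface": m["iface"], "src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])}

def external_ssdp_sources(log_text, wan_iface="eth0"):
    """Map non-LAN source IP -> count of SSDP packets it sent to the WAN interface."""
    # Anything in the result is UPnP discovery traffic arriving from the internet,
    # the exposure the advisory says to close by disabling UPnP on the router.
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != wan_iface:
            continue
        if rec["proto"] != "UDP" or rec["dpt"] != SSDP_PORT:
            continue
        if is_lan_address(rec["src"]):
            continue  # LAN client: the only place UPnP is meant to be used
        hits[rec["src"]] = hits.get(rec["src"], 0) + 1
    return hits
```

On the constructed sample the result is two external sources (203.0.113.45 twice, 192.0.2.9 once); a non-empty result on a real router's log is the cue to disable UPnP as the advisory suggests and to confirm, after doing so, that the external SSDP hits stop.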