Monday, August 29, 2011

You DO Have UPnP Disabled On Your Home Router, Right?

Unfortunately, the answer is probably "no" if you haven't explicitly turned it off. UPnP stands for User Plug 'n Play, which is a technology built into most or all home routers. Its purpose is to make the configuration of the router by new hardware that you add to your network as hands-off as possible. For instance, the XBox360 uses it to open certain ports (essentially, holes) on the router's firewall so that the XBox can talk to the XBox LIVE mothership and let you play games with your friends on the internet.

UPnP was, at one time, turned on by default in most routers. I don't know if that's still the case, but you should go find out... read on.

In a very early post to this blog I put forth a list of things that you should do to improve the security of your home network. Turning off the router's UPnP was one of those suggestions, the reason being that if you have a machine on your network that gets infected with certain kinds of malware, that program can leverage the UPnP on your router to open up whatever ports on your firewall that it wants to. This can allow the malware to easily communicate with its "command and control" master Somewher Out There On The Internet and receive instructions about what bad things to do to your network and also other networks out there. Examples of what it could do: join up with a "botnet" of other infected machines (not necessarily on your network); steal personal (e.g. financial) data from the infected machine and other machines on your network; send out massive amounts of spam and/or phishing email; and work with the botnet to mount "denial of service" attacks on whomever the botnet's owners are displeased with.

But that is not what prompted me to make this post. There is a newly discovered, additional vulnerability that exists in certain routers (e.g. several very popular models made by Linksys – one of those being the router that I run my home network on!). It turns out that on those routers, the UPnP functionality can be accessed not only from the "LAN side" of the router (i.e. the side that all of your home computers and other devices are connected to, either wired or wirelessly), but also the WAN (Wide Area Network) side – which is the side that's connected to the Internet. This means that the bad guys don't have to have to infect a system on your LAN – they can attack the router directly from the WAN side and turn on ports willy nilly, effectively opening up your LAN (home network) to their bag of tricks.

To be clear: this is really really bad. The researcher that discovered this issue, Daniel Garcia, wrote a freely downloadable utility called UMap that found over 600,000 vulnerable routers, out of about 7 million, or almost ten percent of the routers scanned.

The good news is that you can protect your network against these external attacks by (heard this before?) disabling UPnP on your router. And, chances are that you'll never know it's turned off, unless you have one or more devices on your network (like the XBox360) that needs to have specific ports opened on the router's firewall in order to work properly. In my opinion you should still turn UPnP off and open those ports manually.

If you have something on your network that needs one or more ports open, the procedure to do so manually varies between router manufacturers, so you'll have to consult the router's manual on how to do so. Look for "opening ports" or "port" forwarding. The general idea is that you're going to open one or more ports, or in some cases a range of ports, for a specific IP address (for our example, that of your XBox360). Here are the ports that it needs open in order to talk with the XBox LIVE portal:
  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
On my WRT54G, setting these ports for an XBox360 that has an IP address of looks like this:

You don't need to open port 80, as it's the port that HTTP works over, and you wouldn't be able to see any web pages if it wasn't open!! So the router opens it automatically.

One final note: once ports are opened/forwarded, they'll stay that way until you close them. It's recommended that you never have any more ports opened at a time than you really need. Trust me, there are nefarious parties out there using automated software to scan every IP address they can find for open ports, particularly some of the ones that can be easily used to to Bad Things (e.g. Microsoft's Remote Desktop, which uses port 3389). An open port is potentially a first step in hacking into a network.