topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 11:41 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Homeland Security: Disable UPnP  (Read 15601 times)

Tinman57

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,702
    • View Profile
    • Donate to Member
Homeland Security: Disable UPnP
« on: January 29, 2013, 08:27 PM »
[ I did this years and years ago, just for this reason.  I wonder why it's just now being a big item.  Guess it takes the government this long to react....]

Homeland Security: Disable UPnP, as tens of millions at risk

The U.S. government is warning to disable a common networking feature after bugs have left tens of millions of hardware devices vulnerable to attacks by hackers and malware.

http://www.zdnet.com...s-at-risk-7000010512

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #1 on: January 29, 2013, 09:15 PM »
(hay DHS-> Holy no shit batman!

...and they're here to "protect" us. [facepalm]

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #2 on: January 30, 2013, 12:36 AM »
It then warns to "disable UPnP (if possible)", along with restricting networking protocols and ports, including Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOPA) services from untrusted networks, including the Internet.

And there you have it! They finally admit that SOPA is a bad idea~! :P
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #3 on: January 30, 2013, 10:49 AM »
Right, that article doesn't really give much info on what the problem is. I suspect you people's general remarks are focused on UPnP in general, especially in the context of corporate world - but for a lil' ol' home network, it makes life a lot easier... and if you're at the point where somebody could poke an incoming rule into your router via UPnP, well, they're already in your LAN and you're shit outta luck.

Now, the article specifically mentions libupnp, so I guess we're not talking the generic "zomg upnp is bad!" mindset here, but an actual exploitable bug. I wonder if this is something to worry about - if it's not reachable from the internet side of things, it's a fart in a cup of water imho.

Anyway, time to inspect the horse's mouth.

EDIT: done - yep, it's specific vulnerabilities. Rapid7 even has a scanner for it. My router isn't "detected" from it's WAN IP, and on my LAN only the router shows up (as detected, not vulnerable). So I'm keeping UPnP on :)
- carpe noctem
« Last Edit: January 30, 2013, 11:06 AM by f0dder »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #4 on: January 30, 2013, 03:20 PM »
It's still a pointlessly dangerous protocol IMO. Because anything that shows up on/from a web page is already on the LAN, and this "service" is just begging to be exploited. How many people really need to open a port that often?? Damn few I'd suspect.

Most people leave their home routers with the default password...because it's "easier to deal with". So add to that a handy-dandy helper that's just begging to play poke-N-hope and Um... Yeah -Gee Wiz- can't fathom why that wouldn't get beaten like a dead horse at a zombie christmas party.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #5 on: January 30, 2013, 03:44 PM »
It's still a pointlessly dangerous protocol IMO. Because anything that shows up on/from a web page is already on the LAN, and this "service" is just begging to be exploited. How many people really need to open a port that often?? Damn few I'd suspect.
Show me how to do nefarious things with UPnP via JavaScript, and I'll reconsider :) (not saying it can't be done, you can - after all - do AJAX requests from JS... just haven't seen/heard about it).

Need to open a port? Whenever I start my torrent client, actually (randomized port range). Often when installing a game or some application. The crappy web-based GUI of my router is bad enough that I take the lazy way... and for "normal" people, who don't set MAC-based IPs and are tech illiterates, it's a wonderful protocol - even if has security implications :)
- carpe noctem

Tinman57

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,702
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #6 on: January 30, 2013, 07:27 PM »
  I read in the past that it's better to leave it off, and if you need to set up a device just start it manually through Services, let Windows configure, then turn it back off.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #7 on: January 30, 2013, 07:42 PM »
Universal Plug and Pray...since I am not into prayer, I have been disabling it in everything, since the WinME days. Since I can get along quite well without it, I have never had a need to turn it back on for anything, not even for a little while.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #8 on: January 31, 2013, 01:28 AM »
Universal Plug and Pray...since I am not into prayer, I have been disabling it in everything, since the WinME days. Since I can get along quite well without it, I have never had a need to turn it back on for anything, not even for a little while.
Was it introduced already back then? I had the impression it was much later, closer to XP?

(Doesn't help that it's a retarded name, given there was already PnP which has pretty much nothing to do with UPnP).
- carpe noctem

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #9 on: January 31, 2013, 01:30 AM »
I read in the past that it's better to leave it off, and if you need to set up a device just start it manually through Services, let Windows configure, then turn it back off.
That only takes care of the Windows end, though - my impression was that this DHS warning was more about all the embedded devices it's present in.
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #10 on: January 31, 2013, 07:35 AM »
Universal Plug and Pray...since I am not into prayer, I have been disabling it in everything, since the WinME days. Since I can get along quite well without it, I have never had a need to turn it back on for anything, not even for a little while.
Was it introduced already back then? I had the impression it was much later, closer to XP?

Nope, WinME was where the feature was introduced, along with System Restore. And not long after, UPnP was exploited, and the patch Microsoft issued was very buggy. It made more sense to skip the patch and just uninstall UPnP. Microsoft didn't enable it by default, like they did in XP, but a lot of OEMs did on the systems they sold.

I distinctly remember AOL sending out a bulletin to all of its member explaining why they didn't need UPnP and explaining how to remove it. According to the bulletin, it was meant for "smart appliances" that communicated with each other, and since none of those "smart appliances" existed yet, the feature wasn't needed. If and when people started owning coffee makers and alarm clocks that talked to each other, then you'd need to install it.

They believed that Microsoft was indulging in a futuristic fantasy when they included UPnP in WinME.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #11 on: January 31, 2013, 01:16 PM »
They believed that Microsoft was indulging in a futuristic fantasy when they included UPnP in WinME.

Not so much a futuristic fantasy as it was a "there is no other OS than Windows and no network other than a Windows network."

For the longest time Microsoft had a problem looking beyond their own products. That probably had more to do with many of their security issues and vulnerabilities than anything else.

I remember asking a person from Microsoft about the almost complete absence of internal system security back in the days of their early network design. When said person asked me why that was important, I explained people sometimes try to infiltrate or deliberately crash networks. She looked totally appalled - and then asked me why anybody would ever want to do something like that.

I guess her entire experience (she was very young) was within the cozy campus of Microsoft - where everybody was a geek who always played nicely.
 ;D

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #12 on: January 31, 2013, 06:45 PM »
It's still a pointlessly dangerous protocol IMO. Because anything that shows up on/from a web page is already on the LAN, and this "service" is just begging to be exploited. How many people really need to open a port that often?? Damn few I'd suspect.
Show me how to do nefarious things with UPnP via JavaScript, and I'll reconsider :) (not saying it can't be done, you can - after all - do AJAX requests from JS... just haven't seen/heard about it).

Just because neither one of us can think of a way to do it doesn't mean it can't be done. Not to mention that most people have many more exploitable (Java/Flash/Adobe Reader) options. Anything that affords the ability to just drive by, pop open a port, and setup shop is a definite risk.

Need to open a port? Whenever I start my torrent client, actually (randomized port range). Often when installing a game or some application. The crappy web-based GUI of my router is bad enough that I take the lazy way... and for "normal" people, who don't set MAC-based IPs and are tech illiterates, it's a wonderful protocol - even if has security implications :)

Here's a thought. If it really is too much of a PITA to log into a router to open a port...then it's safe to assume that you'll not login to close one either ... So how many port do you really have open, and what are they exposing access to?

I'm not a gamer so I can't really speak to that but I've never forwarded any ports to my torrent client yet it seems to work just fine.

To me for average folk the occasional quick call to tech support is safer. Because the chances that they'll find out what they're hosting aren't real good.

Tinman57

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,702
    • View Profile
    • Donate to Member
How to fix the UPnP security holes
« Reply #13 on: January 31, 2013, 08:02 PM »
How to fix the UPnP security holes
 
Universal Plug and Play has always had security holes. Here's how to plug them.

http://www.zdnet.com...ity-holes-7000010584

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #14 on: February 01, 2013, 03:25 AM »
Just because neither one of us can think of a way to do it doesn't mean it can't be done. Not to mention that most people have many more exploitable (Java/Flash/Adobe Reader) options. Anything that affords the ability to just drive by, pop open a port, and setup shop is a definite risk.
True that there's likely things that can be done even if we can't think of a way to do it - I'm not arrogant enough to think otherwise :-). But I'm still of the opinion that if something is already running on the inside of my LAN, being able to open an incoming port is the least of my worries, and pretty much inconsequential, the damage is already done. And since I'm not paranoid enough to deal with the hassle of outgoing port filtering on the router side, well...

Here's a thought. If it really is too much of a PITA to log into a router to open a port...then it's safe to assume that you'll not login to close one either ... So how many port do you really have open, and what are they exposing access to?
I'm running NAT'ed, no "forward all traffic to this host" - for a few well-defined services (http, ssh, minecraft) I have static forwards in the router; that's not too bad a hassle, as it's long-running set-up-once services.

But for short-lived stuff, or things like a torrent client that (for security reasons) randomized it's port on each startup? Nah, can't be bothered. I could live with it if I felt there were any hard security concerns in having UPnP on my home network, but I really don't think so.

Oh, and I'm pretty sure p3lb0x appreciates it as well where he's living - for whatever nazi reasons, our mum doesn't want to give him the router password, so no chance of him adding incoming rules himself :-)

I'm not a gamer so I can't really speak to that but I've never forwarded any ports to my torrent client yet it seems to work just fine.
Well, as long as you're only interested in leeching, and are dealing with well-seeded torrents, sure. But if you want to give a bit back, or are dealing with something where you need the protocol's "tit-for-tat" to kick in effect, you really do want to be able to accept incoming connections, not just initiate outgoing.

Keep in mind I'm only talking small home networks here - I definitely wouldn't want UPnP on a business network or something connecting a public wifi hotspot.
- carpe noctem

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #15 on: February 01, 2013, 06:58 AM »
I'm not a gamer so I can't really speak to that but I've never forwarded any ports to my torrent client yet it seems to work just fine.
Well, as long as you're only interested in leeching, and are dealing with well-seeded torrents, sure. But if you want to give a bit back, or are dealing with something where you need the protocol's "tit-for-tat" to kick in effect, you really do want to be able to accept incoming connections, not just initiate outgoing.

Keep in mind I'm only talking small home networks here - I definitely wouldn't want UPnP on a business network or something connecting a public wifi hotspot.

By "it seems to work just fine", I meant that it is accepting incoming connections. As I generally host anything I download for a day or so...and there is usually quite a bit of activity considering I cap the upstream at 10Mb (my fiber connection is 40Mb symetrical).

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,959
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #16 on: February 01, 2013, 08:47 AM »
How to fix the UPnP security holes
 
Universal Plug and Play has always had security holes. Here's how to plug them.

http://www.zdnet.com...ity-holes-7000010584

thanks for that -
unfortunately, it sounds like you've got to be pretty much an expert to figure this stuff out :(
Tom

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,566
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #17 on: February 01, 2013, 10:18 AM »
How to fix the UPnP security holes
Universal Plug and Play has always had security holes. Here's how to plug them.
http://www.zdnet.com...ity-holes-7000010584
thanks for that -
unfortunately, it sounds like you've got to be pretty much an expert to figure this stuff out :(

-exactly my thought as well.
So I wrote Agnitum, because:

So what can you do in the meantime? Just keep that firewall up once and for all against UPnP traffic.
-ZDNet

We've survived UPnP until now, maybe all this is not extremely urgent...
I hope for an answer no later than Monday.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #18 on: February 01, 2013, 11:27 AM »
The other network protocol based eyesore that I'm waiting to see ripped apart is Bonjour. Because it's basically self exploiting by design - New device appears on the wire...Bonjour responds with ~hi~~Here's all my stuff...wanna hook up?

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #19 on: February 02, 2013, 05:37 AM »
By "it seems to work just fine", I meant that it is accepting incoming connections. As I generally host anything I download for a day or so...and there is usually quite a bit of activity considering I cap the upstream at 10Mb (my fiber connection is 40Mb symetrical).
How can it possibly do that if you're NAT'ed, have disabled UPnP and haven't manually set up a port forward?

Now, if your torrent client has made and outbound connection to a peer in order to grab data from it, and that peer only had partial data (ie., is still downloading) and the TCP connection is kept, sure - it'll still be downloading from you. But how would you get an inbound TCP connection if you had no port forward?

Also: fiber? bastard! :)
- carpe noctem

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #20 on: February 02, 2013, 05:41 AM »
So I wrote Agnitum, because:

So what can you do in the meantime? Just keep that firewall up once and for all against UPnP traffic.
-ZDNet

We've survived UPnP until now, maybe all this is not extremely urgent...
I hope for an answer no later than Monday.
1) the threat isn't attacks against your computer, it's attacks against various other devices.
2) (totally unrelated to this story, but good general security practice) don't forward UPnP traffic from your router to your LAN.
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #21 on: February 02, 2013, 06:45 AM »
The other network protocol based eyesore that I'm waiting to see ripped apart is Bonjour. Because it's basically self exploiting by design - New device appears on the wire...Bonjour responds with ~hi~~Here's all my stuff...wanna hook up?

You mean that misc. crap that gets installed by iTunes, without asking if the user wants it? I considered it malware just based on that, and removed it from my daughter's computer.  ;D

kyrathaba

  • N.A.N.Y. Organizer
  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 3,200
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #22 on: February 02, 2013, 03:29 PM »
Here was my result using rapid7's ScanNow program:

2013-02-02_152452.png

« Last Edit: February 02, 2013, 03:48 PM by kyrathaba »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #23 on: February 02, 2013, 06:10 PM »
Here was my result using rapid7's ScanNow program:
 (see attachment in previous post)
Same counts I got when scanning my LAN IP range - and zero hits at all when scanning my WAN. Is your router 192.168.1.121? Slightly odd address for that?
- carpe noctem

kyrathaba

  • N.A.N.Y. Organizer
  • Honorary Member
  • Joined in 2006
  • **
  • Posts: 3,200
    • View Profile
    • Donate to Member
Re: Homeland Security: Disable UPnP
« Reply #24 on: February 02, 2013, 06:45 PM »
Is your router 192.168.1.121? Slightly odd address for that?

I thought that odd too...