Homeland Security: Disable UPnP

[Tinman57]

[ I did this years and years ago, just for this reason.  I wonder why it's just now being a big item.  Guess it takes the government this long to react....]

Homeland Security: Disable UPnP, as tens of millions at risk

The U.S. government is warning to disable a common networking feature after bugs have left tens of millions of hardware devices vulnerable to attacks by hackers and malware.

http://www.zdnet.com...s-at-risk-7000010512

[Stoic Joker]

(hay DHS-> Holy no shit batman!

...and they're here to "protect" us. [facepalm]

[Renegade]

It then warns to "disable UPnP (if possible)", along with restricting networking protocols and ports, including Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOPA) services from untrusted networks, including the Internet.

And there you have it! They finally admit that SOPA is a bad idea~!

[f0dder]

Right, that article doesn't really give much info on what the problem is. I suspect you people's general remarks are focused on UPnP in general, especially in the context of corporate world - but for a lil' ol' home network, it makes life a lot easier... and if you're at the point where somebody could poke an incoming rule into your router via UPnP, well, they're already in your LAN and you're shit outta luck.

Now, the article specifically mentions libupnp, so I guess we're not talking the generic "zomg upnp is bad!" mindset here, but an actual exploitable bug. I wonder if this is something to worry about - if it's not reachable from the internet side of things, it's a fart in a cup of water imho.

Anyway, time to inspect the horse's mouth.

EDIT: done - yep, it's specific vulnerabilities. Rapid7 even has a scanner for it. My router isn't "detected" from it's WAN IP, and on my LAN only the router shows up (as detected, not vulnerable). So I'm keeping UPnP on

[Stoic Joker]

It's still a pointlessly dangerous protocol IMO. Because anything that shows up on/from a web page is already on the LAN, and this "service" is just begging to be exploited. How many people really need to open a port that often?? Damn few I'd suspect.

Most people leave their home routers with the default password...because it's "easier to deal with". So add to that a handy-dandy helper that's just begging to play poke-N-hope and Um... Yeah -Gee Wiz- can't fathom why that wouldn't get beaten like a dead horse at a zombie christmas party.

[f0dder]

It's still a pointlessly dangerous protocol IMO. Because anything that shows up on/from a web page is already on the LAN, and this "service" is just begging to be exploited. How many people really need to open a port that often?? Damn few I'd suspect.

-Stoic Joker (January 30, 2013, 03:20 PM)

Show me how to do nefarious things with UPnP via JavaScript, and I'll reconsider (not saying it can't be done, you can - after all - do AJAX requests from JS... just haven't seen/heard about it).

Need to open a port? Whenever I start my torrent client, actually (randomized port range). Often when installing a game or some application. The crappy web-based GUI of my router is bad enough that I take the lazy way... and for "normal" people, who don't set MAC-based IPs and are tech illiterates, it's a wonderful protocol - even if has security implications

[Tinman57]

  I read in the past that it's better to leave it off, and if you need to set up a device just start it manually through Services, let Windows configure, then turn it back off.

[app103]

Universal Plug and Pray...since I am not into prayer, I have been disabling it in everything, since the WinME days. Since I can get along quite well without it, I have never had a need to turn it back on for anything, not even for a little while.

[f0dder]

Universal Plug and Pray...since I am not into prayer, I have been disabling it in everything, since the WinME days. Since I can get along quite well without it, I have never had a need to turn it back on for anything, not even for a little while.

-app103 (January 30, 2013, 07:42 PM)

Was it introduced already back then? I had the impression it was much later, closer to XP?

(Doesn't help that it's a retarded name, given there was already PnP which has pretty much nothing to do with UPnP).

[f0dder]

I read in the past that it's better to leave it off, and if you need to set up a device just start it manually through Services, let Windows configure, then turn it back off.

-Tinman57 (January 30, 2013, 07:27 PM)

That only takes care of the Windows end, though - my impression was that this DHS warning was more about all the embedded devices it's present in.

[app103]

Universal Plug and Pray...since I am not into prayer, I have been disabling it in everything, since the WinME days. Since I can get along quite well without it, I have never had a need to turn it back on for anything, not even for a little while.

-app103 (January 30, 2013, 07:42 PM)

Was it introduced already back then? I had the impression it was much later, closer to XP?

-f0dder (January 31, 2013, 01:28 AM)

Nope, WinME was where the feature was introduced, along with System Restore. And not long after, UPnP was exploited, and the patch Microsoft issued was very buggy. It made more sense to skip the patch and just uninstall UPnP. Microsoft didn't enable it by default, like they did in XP, but a lot of OEMs did on the systems they sold.

I distinctly remember AOL sending out a bulletin to all of its member explaining why they didn't need UPnP and explaining how to remove it. According to the bulletin, it was meant for "smart appliances" that communicated with each other, and since none of those "smart appliances" existed yet, the feature wasn't needed. If and when people started owning coffee makers and alarm clocks that talked to each other, then you'd need to install it.

They believed that Microsoft was indulging in a futuristic fantasy when they included UPnP in WinME.

[40hz]

They believed that Microsoft was indulging in a futuristic fantasy when they included UPnP in WinME.

-app103 (January 31, 2013, 07:35 AM)

Not so much a futuristic fantasy as it was a "there is no other OS than Windows and no network other than a Windows network."

For the longest time Microsoft had a problem looking beyond their own products. That probably had more to do with many of their security issues and vulnerabilities than anything else.

I remember asking a person from Microsoft about the almost complete absence of internal system security back in the days of their early network design. When said person asked me why that was important, I explained people sometimes try to infiltrate or deliberately crash networks. She looked totally appalled - and then asked me why anybody would ever want to do something like that.

I guess her entire experience (she was very young) was within the cozy campus of Microsoft - where everybody was a geek who always played nicely.
 

[Stoic Joker]

It's still a pointlessly dangerous protocol IMO. Because anything that shows up on/from a web page is already on the LAN, and this "service" is just begging to be exploited. How many people really need to open a port that often?? Damn few I'd suspect.

-Stoic Joker (January 30, 2013, 03:20 PM)

Show me how to do nefarious things with UPnP via JavaScript, and I'll reconsider (not saying it can't be done, you can - after all - do AJAX requests from JS... just haven't seen/heard about it).

-f0dder (January 30, 2013, 03:44 PM)

Just because neither one of us can think of a way to do it doesn't mean it can't be done. Not to mention that most people have many more exploitable (Java/Flash/Adobe Reader) options. Anything that affords the ability to just drive by, pop open a port, and setup shop is a definite risk.

Need to open a port? Whenever I start my torrent client, actually (randomized port range). Often when installing a game or some application. The crappy web-based GUI of my router is bad enough that I take the lazy way... and for "normal" people, who don't set MAC-based IPs and are tech illiterates, it's a wonderful protocol - even if has security implications

-f0dder (January 30, 2013, 03:44 PM)

Here's a thought. If it really is too much of a PITA to log into a router to open a port...then it's safe to assume that you'll not login to close one either ... So how many port do you really have open, and what are they exposing access to?

I'm not a gamer so I can't really speak to that but I've never forwarded any ports to my torrent client yet it seems to work just fine.

To me for average folk the occasional quick call to tech support is safer. Because the chances that they'll find out what they're hosting aren't real good.

[Tinman57]

How to fix the UPnP security holes
 
Universal Plug and Play has always had security holes. Here's how to plug them.

http://www.zdnet.com...ity-holes-7000010584

[f0dder]

Just because neither one of us can think of a way to do it doesn't mean it can't be done. Not to mention that most people have many more exploitable (Java/Flash/Adobe Reader) options. Anything that affords the ability to just drive by, pop open a port, and setup shop is a definite risk.

-Stoic Joker (January 31, 2013, 06:45 PM)

True that there's likely things that can be done even if we can't think of a way to do it - I'm not arrogant enough to think otherwise :-). But I'm still of the opinion that if something is already running on the inside of my LAN, being able to open an incoming port is the least of my worries, and pretty much inconsequential, the damage is already done. And since I'm not paranoid enough to deal with the hassle of outgoing port filtering on the router side, well...

Here's a thought. If it really is too much of a PITA to log into a router to open a port...then it's safe to assume that you'll not login to close one either ... So how many port do you really have open, and what are they exposing access to?

-Stoic Joker (January 31, 2013, 06:45 PM)

I'm running NAT'ed, no "forward all traffic to this host" - for a few well-defined services (http, ssh, minecraft) I have static forwards in the router; that's not too bad a hassle, as it's long-running set-up-once services.

But for short-lived stuff, or things like a torrent client that (for security reasons) randomized it's port on each startup? Nah, can't be bothered. I could live with it if I felt there were any hard security concerns in having UPnP on my home network, but I really don't think so.

Oh, and I'm pretty sure p3lb0x appreciates it as well where he's living - for whatever nazi reasons, our mum doesn't want to give him the router password, so no chance of him adding incoming rules himself :-)

I'm not a gamer so I can't really speak to that but I've never forwarded any ports to my torrent client yet it seems to work just fine.

-Stoic Joker (January 31, 2013, 06:45 PM)

Well, as long as you're only interested in leeching, and are dealing with well-seeded torrents, sure. But if you want to give a bit back, or are dealing with something where you need the protocol's "tit-for-tat" to kick in effect, you really do want to be able to accept incoming connections, not just initiate outgoing.

Keep in mind I'm only talking small home networks here - I definitely wouldn't want UPnP on a business network or something connecting a public wifi hotspot.

[Stoic Joker]

I'm not a gamer so I can't really speak to that but I've never forwarded any ports to my torrent client yet it seems to work just fine.

-Stoic Joker (January 31, 2013, 06:45 PM)

Well, as long as you're only interested in leeching, and are dealing with well-seeded torrents, sure. But if you want to give a bit back, or are dealing with something where you need the protocol's "tit-for-tat" to kick in effect, you really do want to be able to accept incoming connections, not just initiate outgoing.

Keep in mind I'm only talking small home networks here - I definitely wouldn't want UPnP on a business network or something connecting a public wifi hotspot.

-f0dder (February 01, 2013, 03:25 AM)

By "it seems to work just fine", I meant that it is accepting incoming connections. As I generally host anything I download for a day or so...and there is usually quite a bit of activity considering I cap the upstream at 10Mb (my fiber connection is 40Mb symetrical).

[tomos]

How to fix the UPnP security holes
 
Universal Plug and Play has always had security holes. Here's how to plug them.

http://www.zdnet.com...ity-holes-7000010584

-Tinman57 (January 31, 2013, 08:02 PM)

thanks for that -
unfortunately, it sounds like you've got to be pretty much an expert to figure this stuff out

[Curt]

How to fix the UPnP security holes
Universal Plug and Play has always had security holes. Here's how to plug them.
http://www.zdnet.com...ity-holes-7000010584

-Tinman57 (January 31, 2013, 08:02 PM)

thanks for that -
unfortunately, it sounds like you've got to be pretty much an expert to figure this stuff out

-tomos (February 01, 2013, 08:47 AM)

-exactly my thought as well.
So I wrote Agnitum, because:

So what can you do in the meantime? Just keep that firewall up once and for all against UPnP traffic.

-ZDNet

We've survived UPnP until now, maybe all this is not extremely urgent...
I hope for an answer no later than Monday.

[Stoic Joker]

The other network protocol based eyesore that I'm waiting to see ripped apart is Bonjour. Because it's basically self exploiting by design - New device appears on the wire...Bonjour responds with ~hi~~Here's all my stuff...wanna hook up?

[f0dder]

By "it seems to work just fine", I meant that it is accepting incoming connections. As I generally host anything I download for a day or so...and there is usually quite a bit of activity considering I cap the upstream at 10Mb (my fiber connection is 40Mb symetrical).

-Stoic Joker (February 01, 2013, 06:58 AM)

How can it possibly do that if you're NAT'ed, have disabled UPnP and haven't manually set up a port forward?

Now, if your torrent client has made and outbound connection to a peer in order to grab data from it, and that peer only had partial data (ie., is still downloading) and the TCP connection is kept, sure - it'll still be downloading from you. But how would you get an inbound TCP connection if you had no port forward?

Also: fiber? bastard!

[f0dder]

So I wrote Agnitum, because:

So what can you do in the meantime? Just keep that firewall up once and for all against UPnP traffic.

-ZDNet

We've survived UPnP until now, maybe all this is not extremely urgent...
I hope for an answer no later than Monday.

-Curt (February 01, 2013, 10:18 AM)

1) the threat isn't attacks against your computer, it's attacks against various other devices.
2) (totally unrelated to this story, but good general security practice) don't forward UPnP traffic from your router to your LAN.

[app103]

The other network protocol based eyesore that I'm waiting to see ripped apart is Bonjour. Because it's basically self exploiting by design - New device appears on the wire...Bonjour responds with ~hi~~Here's all my stuff...wanna hook up?

-Stoic Joker (February 01, 2013, 11:27 AM)

You mean that misc. crap that gets installed by iTunes, without asking if the user wants it? I considered it malware just based on that, and removed it from my daughter's computer. 

[kyrathaba]

Here was my result using rapid7's ScanNow program:

[f0dder]

Here was my result using rapid7's ScanNow program:
 (see attachment in previous post)

-kyrathaba (February 02, 2013, 03:29 PM)

Same counts I got when scanning my LAN IP range - and zero hits at all when scanning my WAN. Is your router 192.168.1.121? Slightly odd address for that?

[kyrathaba]

Is your router 192.168.1.121? Slightly odd address for that?

I thought that odd too...