UPnP Router Attacks Happening for Real
Filed Under Computers & Tech, Security on January 16, 2008 at 5:57 pm
Universal Plug and Play (UPnP) has been contentious for a long time. On the one hand, it makes it easier to run badly written on-line programs that insist on making connections to you rather than on your making connections to them. If all networked software was written intelligently we’d never need UPnP. But of course that’s not the case. So people have a choice: manually map the ports they need, which takes time and effort, or just enable UPnP and let it take care of it for them. Obviously it’s easier to just enable UPnP, but there is a massive flaw in that. UPnP allows routers to be re-programmed without ANY user interaction, without ANY authentication, and in many cases in such a way that it’s not possible to see what changes have been made, even from within the router’s web interface. From a security point of view this is nothing short of retarded. It’s because of this that security experts like Steve Gibson have been advising people to turn off UPnP for years, and why I suggested people turn it off in my recent article on securing your home internet connection.
Today US-CERT is warning of a real-world attack that uses Flash on web pages to secretly reprogram your router via UPnP when you visit an infected website. That’s it: visit a web page and the attackers have control over your router. Whoops! For your own sake, turn off UPnP as soon as possible if you have it enabled on your broadband router! Since US-CERT don’t provide a permanent link to their advisories, I’ve included the full text below:
US-CERT is aware of an attack vector targeting networking devices that support UPnP (Universal Plug and Play). This specific attack occurs via a maliciously crafted SWF file that is contained in a web site. When the web site is visited, changes may occur to a router’s configuration via UPnP. This may allow an attacker to change any parameter on the router or device that can be set by UPnP.
US-CERT recommends that users consider disabling UPnP. (Note: Disabling UPnP may cause applications that rely on UPnP to fail or operate with reduced functionality.)
If I remember correctly it is indeed quite a problem with UPnP, and in fact one of the first things I switch off if I get to set up a new hardware router. Being in that business though, and having seen some of those hardware routers' internals, I’d have to say you probably want to be extra careful with those routers at all. For example, there is a recently discovered flaw in Linksys routers that will allow someone to forge a link which silently reconfigures your Linksys to turn the firewall off if you have your config website open at the time you click the link.
Guess people have to realize that they won’t be safe by default just because they bought some nifty little box to route their traffic to the net. On the other hand, the amount of knowledge being required to get into a fairly safe security setting for the net ain’t ever going to be gathered by any non-geeky individual.
Hi Martin,
There is something I always find worrying about devices that are hard to update because they require firmware updates. That’s one reason I rolled my own router from an old Dell GX1, two network cards, and a specialized Linux distro.
It is indeed true that security by default is just not going to happen 🙁
Bart.
It is not only that these boxes (I own one) require firmware updates (which are easily broken by the user) to become secure, it is also a real problem that you only have a few megabytes of memory on those machines, which makes more sophisticated security devices quite impossible.
You are usually glad if those things do the standard routing and have a firewall that makes at least a bit of sense (which they at times don’t) and can handle WPA and not just WEP…