Vulnerabilities in uPNP

Posted by: Richard Lord on 20 February 2013

"January 2013 the security company Rapid7 in Boston reported[24] on a six-month research programme. A team scanned for signals from UPnP-enabled devices announcing their availability for internet connection. Some 6900 network-aware products from 1500 companies at 81 million IP-addresses responded to their requests. 80% of the devices are home routers, others include printers, webcams and surveillance cameras. Using the UPnP-protocol, many of those devices can be accessed and/or manipulated."

 
 
I came across the above whilst browsing Wikipedia.  May be of some interest to the experts here.
 
 
Richard 
Posted on: 20 February 2013 by PinkHamster

I would expect that the responding devices were parts of unsecured home networks. If you want to spare your neighbours the hassle of having to register their own internet access, this is the way to go.

Posted on: 20 February 2013 by Guido Fawkes

I used to use UPnP - what a relief I don't use it any longer .... I'm now using a Stello U3 to create a USB Perfect naim Player

 

Those interested can read the White Paper by clicking here. There is also a tool HERE that will tell you if you are vulnerable (it is free, nobody is trying to make money out of this). 

 

It is only a matter of time before home networks are compromised, not by this, but basic flaws in the security technology inherent in home hubs etc., 

 

As PH says some people use WEP or don't even put a password on the wireless LAN. So the neighbours, with all their vulnerabilities, could be making a guest appearance. Mine is at least using MAC addresses to stop the casual intruder and a WPA2 password. 

 

However, this is not (I think) what Rapid7 is talking about, they are looking at your home router from the Internet and seeing what they can see and a UPnP advertisement is one they can. Some folks like to connect to a NAS across the Internet and expose themselves to do this. 

 

Still just checked and nobody has managed to hack in to my LP12 ... I can't help it if I'm lucky

 

To be honest I wouldn't worry too much - I mean some people think online banking is safe 

 

This is another interesting article for those who find such things of interest ... just click and read ... 

Microsoft Windows UPnP vulnerabilities

Posted on: 21 February 2013 by Guido Fawkes

Please note ... this vulnerability has NOTHING to do with Naim kit .... it is down to your Internet router and vendors including Cisco’s Linksys, Belkin, D-Link, and Netgear produce routers that make themselves and their connected devices susceptible to software bugs. At least 23 million types of connectible devices could be hijacked and permanently disabled, while others would face temporary incapacitation.

 

The vendors are already working on a fix. 

Posted on: 21 February 2013 by Richard Lord
Originally Posted by Guido Fawkes:

Please note ... this vulnerability has NOTHING to do with Naim kit .... it is down to your Internet router and vendors including Cisco’s Linksys, Belkin, D-Link, and Netgear produce routers that make themselves and their connected devices susceptible to software bugs. At least 23 million types of connectible devices could be hijacked and permanently disabled, while others would face temporary incapacitation.

 

The vendors are already working on a fix. 

 

I knew that routers in general, nothing to do with uPNP, can be vulnerable.  However this flaw is specific to uPNP-enabled devices "...announcing their availability for Internet connection".

 

The above is very clear, it suggests it is a vulnerability which may affect any uPNP-enabled device (not just routers) which are available for Internet connection.  This may or may not affect Naim.  My thoughts are it is simply one more reason to avoid uPNP.  Now that Naim are about to embrace Asynchronous USB, I will certainly (subject to an audition) be embracing it as well. 

 

Richard

Posted on: 21 February 2013 by Hook

Richard and Guido -

 

Thanks for posting this article -- it is a great reminder to all of us who use home routers to access the Internet that care must be taken at setup time.

 

IMO, it is outrageous that any router manufacturer would ship their product with UPnP enabled through an external port.  Everyone who owns a router should disable this setting immediately.  My Cisco/Linksys E4200 arrived with UPnP enabled as well, and I turned it off at install time. But TBH, I was not even thinking of security at that time -- I was only thinking of performance and efficiency -- I had no need for this service on the router itself.

 

In fact, the only UPnP service I have enabled is Asset, which runs on a PC server, sitting behind my router's firewall.  It can only be seen by local devices running on my LAN. It is not exposed at all to the Internet, nor are any of the services on my NAS.

 

It is frightening to hear that the device we rely on for firewall, NAT, and intrusion detection would arrive, setup by default, to allow client systems like my PC server or NAS, to poke holes in my firewall.  Common sense -- security 101 -- would suggest that the one and only one place where holes should be carefully setup and managed is on the router itself.  That's what NAT and port-forwarding is all about.  And it should probably be avoided altogether by non-technical folks.

 

Clearly the biggest problem here is that home routers are being sold in the millions, but I have yet to see one that is easy to setup and manage by a non-technical person.  By default, all routers should arrive with nothing but basic outgoing access enabled, and everything else should be turned off by default.  Enabling services should be wizard driven with appropriate warnings issued, but we are nowhere close to being there yet.

 

It's probably also a good idea for owners of routers and NAS devices to take a look at their system log files for evidence of intrusion. UPnP is certainly not the only service that hackers can use to bypass NAT.  FTP, for example, is another easily hacked service that should not be exposed to an external interface.

 

All that said, none of this has anything to do with using UPnP on your home LAN for providing music service to your audio system(s). If your router's firewall is working, UPnP is safe to use on your LAN. It is only when you want music available through the Internet from any access point worldwide that extreme care must be taken.  Ironically, in the online documentation I've seen, Cisco actually recommends that you do not enable UPnP Forwarding. They instead recommended the use of specific port forwarding when setting up a VPN, because it is more secure and cannot be manipulated by other hosts running the UPnP protocol.  

 

Bottom line is that if you really want to access your home's UPnP services, then do it right and do it securely through a VPN using IP Security (as Guido has advised here in the past).  Or better yet, just subscribe to Spotify and make do with their music library while traveling.

 

ATB.

 

Hook

Posted on: 21 February 2013 by Richard Lord

That is such good sense.  Thank you, Hook.

 

Richard

Posted on: 21 February 2013 by Guido Fawkes

Agree totally with Hook. 

 

For information neither Juniper nor a BT Home Hub 3 seem to have these services open by default and neither can host UPnP daemons. So you should be OK. UPnP was not written with security in mind as it doesn't seem to authenticate. Sonos seems far more secure to me. 

 

The main problem here is external access to a home server, which you may want to do. I think it is easier to use an iPod, but that's me that is. I do not want anybody to access my NAS from outside my home network. So it sits behind my firewall.

 

Like your goodself, Richard, I use a DAC rather than a streamer, I prefer it. However, I just want to emphasise that Naim expects the user to put its kit, if they are a streamer, on their protected home network. It doesn't expect anybody to stick a UnitiServe on the Internet and stream. 

 

If anybody wants to do that then I have to agree with Hook that an IP security (IPsec) tunnel or Secure Sockets Layer (SSL) is a safe way to do it. You can get VPN software, there is a VNC client for example that includes this capability, that allows this, but it is not trivial. 

 

So, let's just say networking has its security issues, but let us not discourage those who are happily using Naim systems to stream music around the house. If you are worried just unplug the router, no Internet, but the Naim kit should still work fine. 

 

The positive note about this post is it lets folk check their routers ... The web site has a utility to do this and do something about it if they get unwanted results. 

 

LP12s are safer, unless somebody steals all your records. 

Posted on: 21 February 2013 by BigH47

I see no mention of uPNP on BT HH3 of this even being an option, does it have another name?

 

Is this a Windows only problem, as the scanny link earlier is for MS not OSX?

Posted on: 21 February 2013 by Guido Fawkes

No it is not there ... Don't worry if you have HH3 with its firewall switched on and haven't fiddled with it. 

 

I tested one earlier today and it was fine. 

 

It is a Windows and possibly NAS problem .. It is only a Mac problem if you have installed a UPnP server like Playback and enabled UPnP access from the Internet through your HH3. 

 

Those affected are ones like Hook suggested who have a router like the Linksys which comes with insecure defaults. I advise reading the cover of the first instalment of the Hitch Hiker's Guide to the Galaxy or just listen to words of Corporal Jones.   

Posted on: 21 February 2013 by Guido Fawkes

Howard 

 

Please CLICK HERE

 

The first option does an external scan, I expect it to say you're OK. 

 

"Congratulations! Your router did not respond to a UPnP discovery request" 

 

Guy 

Posted on: 21 February 2013 by BigH47

"Congratulations! my router did not respond to a UPnP discovery request"

Posted on: 21 February 2013 by Simon-in-Suffolk

Indeed UPnP was designed as far as I can tell for internal domestic LANs, it appears to have little if any security as it is not relevant for it and so I would not expose it externally using a DMZ or port mapping on your LAN unless YOU KNOW what you are doing - if not don't.

Most consumer internet routers close most things down (and Guy has identified two) from the outside and you have to enable the DMZ or port mapping function - which I guess for anyone who doesn't understand this would not be doing.

Basic internet firewalling security doesn't need to be too complicated but you do need to know sufficiently what you are doing - if not DON'T. Relying on so called PC firewalls is not the answer - especially as these days one has more and more on your LAN. Of course if you set up the firewall to allow traffic in you always test and monitor - never rely on what a router/firewall GUI says and don't rely on uPNP discovery messages....

Simon

 

 

Posted on: 21 February 2013 by Bart

Many thanks to all who contributed to this thread.  You've kept it very informative and factual as to where the "risk" originates and resides, and what it does NOT entail.  The latter is equally important.

 

Cheers!

Posted on: 21 February 2013 by Peter_RN

For anyone wanting to test their network further, I have always used this site to test for general vulnerabilities setting up a router, firewall etc. It will check the state of the first 1056 ports on a router for Open, Closed or Stealth conditions; you should select the ‘All Service Ports’ button.

 

You will need to click through a page or two to start the test and hope for/expect a sea of green for most secure result. Advice is usually offered should you have vulnerable ports. Scroll down the results page to then run another specific UPnP exposure test on your network.

 

Peter

 

 

Posted on: 21 February 2013 by Richard Lord

Thanks to all.  I feel much more secure after trying Peter's test. 

 

There is much more to this networking than I will ever be able to master.  So I am especially grateful to Guido, Hook and of course Peter for their help.

 

I have recently changed over to BT with their Home Hub.  It was very easy to install, just a few mouse clicks and I was up and running.  I just wish my HP wireless printer was as easy.  I have given up on it and have had to connect via a USB lead.  

 

 

Richard

Posted on: 21 February 2013 by Bart
Originally Posted by Richard Lord:

Thanks to all.  I feel much more secure after trying Peter's test. 

 

There is much more to this networking than I will ever be able to master.  So I am especially grateful to Guido, Hook and of course Peter for their help.

 

I have recently changed over to BT with their Home Hub.  It was very easy to install, just a few mouse clicks and I was up and running.  I just wish my HP wireless printer was as easy.  I have given up on it and have had to connect via a USB lead.  

 

 

Richard

Richard the HP Printer SHOULD be a no-brainer.  Mine found my home wifi and was a breeze to get onto my network.  And HP's printer software, for both Mac and Windows, seems to work just fine. 

 

I wish I had a suggestion for you!

Posted on: 21 February 2013 by spartacus

Thanks Peter for reminding me of GRC and Shields Up!!! I have used it a lot in the past when I had Windows PCs. I also set up my Mac and firewalls some years ago so I decided to use GRC to check if I missed anything. Phew... luckily nothing missed and my computers and router do not respond to anything unsolicited. It's amazing how many so called "Stealth mode" connection attempts I see in my system logs.

 

Thanks and stay safe...

Posted on: 22 February 2013 by Phil Harris
Originally Posted by Richard Lord:
 

The above is very clear, it suggests it is a vulnerability which may affect any uPNP-enabled device (not just routers) which are available for Internet connection.  This may or may not affect Naim.  My thoughts are it is simply one more reason to avoid uPNP.  Now that Naim are about to embrace Asynchronous USB, I will certainly (subject to an audition) be embracing it as well. 

 

Richard

 

Hi Richard,

 

This research was brought to my attention some time ago and I was asked about whether it was relevant to our kit (which it isn't) but IMO it is a bit of an exercise in - well, maybe I can't go as far as to suggest "scaremongering" but definitely giving the appearance of a problem far greater than it actually is. 


Definitely the reaction above is a little "knee jerk" in so far the UPnP "flaws" in the document that is being referred to are mainly caused by routers that can have their configurations modified by UPnP commands - UPnP is simply a command protocol or language - in the same way that English is a language.

 

Many of the problems are caused by well meaning people simply modifying the setups of their routers and enabling options such as UPnP because they think that it's necessary because they're using UPnP for music distribution and not realising that in the case of a router, UPnP usually means that it is able to be reconfigured remotely by UPnP commands.

 

The issue is more to do with routers having the ability to be administered from the WAN (Internet) rather than just the LAN (local area network) and to suggest that we should all blanket avoid UPnP in this case is a little like suggesting that because there are a large number of criminals that speak English then we should all learn Esperanto instead.

 

Cheers

 

Phil

Posted on: 22 February 2013 by Jan-Erik Nordoen

Tre bona rimarko Phil.

Posted on: 22 February 2013 by Phil Harris
Originally Posted by Jan-Erik Nordoen:

Tre bona rimarko Phil.

 

There had to be one! :hehe:

Posted on: 22 February 2013 by pcstockton

Agree wholeheartedly with Phil on the "scare mongering" statement.  This is a router issue, NOT a UPNP issue.

 

-p