back to article UPnP joins the 'just turn it off on consumer devices, already' club

Universal Plug 'n' Play, that eternal feast of the black-hat, has been identified as helping to amplify denial-of-service attacks. Researchers at Imperva looked into misbehaving UPnP implementations after spotting odd attack traffic while analysing a Simple Service Discovery Protocol (SSDP, an Internet proposal absorbed into …

This post has been deleted by its author

Silver badge
Holmes

Doctor, where have you been all this time ?

UPnP joins the 'just turn it off on consumer devices, already' club

A bit late to the party, it has always been in that club, even before the first implementations were tested, the whole idea of UPnP is just silly!

37
2
Silver badge

Re: Doctor, where have you been all this time ?

Quite.

"Allow any local network client to request any external port to be forwarded to any internal port on any internal computer, without notification or authentication".

If you weren't turning off UPnP from day one, you're an idiot.

P.S. No... I do NOT have any problems playing games, talking on Skype, etc. etc. etc. Never have had. And I forward precisely ZERO ports.

P.P.S. Though, technically, you COULD have authentication, nobody has it, uses it, implements it or configures it. Most routers etc. don't even allow you to touch it... it's UPnP on or off, and that's it.

11
1
Silver badge

Re: Doctor, where have you been all this time ?

If you weren't turning off UPnP from day one, you're an idiot.

That's true for El Reg readership, who are the technically capable portion of the population. For the unwashed masses, who want to buy a wireless router and just 'plug it in and go' with the minimum of fuss, if UPnP didn't exist the alternative would be worse: Applications that needed to accept connections from the outside would probably include instructions in how to place your PC in the DMZ and disable its internal firewall.

NAT has a lot of faults, but the security that rather unintentionally comes along for the ride wasn't one of them.

9
2
Silver badge

Re: Doctor, where have you been all this time ?

"Applications that needed to accept connections from the outside would probably include instructions in how to place your PC in the DMZ and disable its internal firewall."

And no such novice computer user has any programs that require that.

That's exactly my point.

Unless you are expecting to be a host server for something, you don't need to bypass NAT at all. Even SIP etc. will work inside NAT and that's a horrible protocol.

5
1

Re: Doctor, where have you been all this time ?

"P.S. No... I do NOT have any problems playing games, talking on Skype, etc. etc. etc. Never have had. And I forward precisely ZERO ports."

Most likely you are playing games that do not require peer-to-peer access between players. Some games, particularly Xbox games, but also PC (eg. Elite Dangerous) do require it however and won't work without either uPnP or manual port fowarding.

As regards Skype, I suspect it falls back to a centralised server (ie. middleman) approach if it cannot establish a direct connection between users.

4
1
Silver badge

Re: Doctor, where have you been all this time ?

That's what Skype does. P2P programs also try this but note that this is suboptimal because you have to rely on a Trent to get you hooked up, and can you trust Trent? Without UPnP or the ability to port forward, you cannot host.

3
0
Silver badge

Re: Doctor, where have you been all this time ?

"Without UPnP or the ability to port forward, you cannot host."

The Orange Livebox comes with UPnP enabled by default (yes, I killed that and WPS the moment I first logged into it). Your sentence, I'm wondering how many people with these routers would even understand what that means, never mind needing it. UPnP is something that should be off until it is required, not the other way around.

5
0
Orv
Silver badge
Black Helicopters

Re: Doctor, where have you been all this time ?

Skype hasn't been peer-to-peer in years. Coincidentally, this change happened right around the time that the US government was leaning on them to make Skype conversations easier to eavesdrop on.

1
0
Silver badge
Coat

Re: Doctor, where have you been all this time ?

If you weren't turning off UPnP from day one, you're an idiot.

If you weren't turning off UPnP from day one, you're a n00b.

TFTFY

2
0
Anonymous Coward

another lesson

"The lesson is simple: sysadmins need to block UPnP from Internet-facing access; and vendors making consumer-grade devices need to make that block the device default."

And every gaming sites need to update their multi-player network advise as well. So many use upnp advise because no-one understand what an IP address or a port is ...

9
2

So many use upnp advise because no-one understand what an IP address or a port is ...

Too right.

For the average Joe, they bought a console to have hassle-free gaming experience.

"Fuck that! If I wanted to fiddle with things, I'd have bought a stupid computer instead!" is the default mindset.

4
0
Silver badge

Re: another lesson

Repeat after me:

NOBODY NEEDS TO FORWARD PORTS UNLESS THEY ARE RUNNING A SERVER.

8
2
Silver badge

Re: another lesson

I'm running lots of servers; my phone, my PlayStation, my DVR, my doorbell, my lightbulb...

6
0
Silver badge
Paris Hilton

Re: another lesson

"NOBODY NEEDS TO FORWARD PORTS UNLESS THEY ARE RUNNING A SERVER."

IPv6 8)

1
4
Silver badge

Re: another lesson

Your phone is not a server. If you nmap it, it likely has zero ports open unless you turn on Wifi hotspot functionality.

Your Playstation is neither (though if it claims that peer-to-peer network requires a port forward because some games producers are cheap and won't run matchmaking servers).

Your DVR may well be. But only if it's not capable of talking out to a central server which acts a proxy like most DVRs do for their mobile apps. Hint: Have you seen the stories for the last 5 years about how insecure DVRs are, the article on BBC News yesterday about the guy who had a DVR open to the world and didn't know, etc.? There's a reason we don't let ordinary people run servers).

Your lightbulb - if you're stupid enough to have networked lightbulbs - I'd hope they only operate internally on your Wifi, but if not then see the DVR answer.

Sorry, but nothing you have REQUIRES a port-forward, unless you are providing an actual service. Running a web server. Running an email server. Running a games server (not just playing games online on other people's servers). All of which require more care about how you do so than the average person can ever give them, which is why we put people behind NAT on home routers.

And if you're doing those things, you want well-known port-number statically entered, the server running all day long, and for it to be advertised to the world. UPnP is not the answer.

I literally turn off UPnP on all devices. Not one person has ever complained, even the couple who brought their XBox 360 to my house and connected it to play multiplayer online. Everything that "needs" port-forwarding doesn't. Unless you are trying to run a server from your home connection and thereby exposing yourself to much worse than anything UPnP can do to you anyway.

5
3

Re: another lesson

You say it's not required, but if game developers are relying on P2P I'd say it is required if that is what you want to do, play the game. You may also be using torrent software for any number of download/upload reasons, I wouldn't say using torrent software should require you to understand networking.

Life isn't as clear cut as, it's not required, turn it off, when in fact people are using it making it required for them.

4
1
Silver badge

Re: another lesson

"Sorry, but nothing you have REQUIRES a port-forward, unless you are providing an actual service."

This. I'm running a small server on my Pi. Port forwarding set up manually. I also have an HP printer that I can print to by emailing PDFs. It has no port forwarding and there is no UPnP yet somehow it all still works...

1
1
Silver badge

Re: another lesson

"Your phone is not a server. If you nmap it, it likely has zero ports open"

Nope. My phone's listening on 443, 5060, 5090 and 9001.

1
0
Silver badge

Re: another lesson

"I also have an HP printer that I can print to by emailing PDFs. It has no port forwarding and there is no UPnP yet somehow it all still works..."

ONLY as long as the HP service behind this remains in operation. What happens when (not if) it shuts down? Then you can't e-mail your printer anymore. That's the catch. Without an open port, you have to go through an intermediary (your printer talks to HP, that's why it works), meaning you place your trust in that intermediary.

2
0

@Lee D Re: another lesson

Whoooooosh!

1
0
Silver badge

Re: another lesson

"What happens when (not if) it shuts down?"

Given the price of the printer...I go buy a different one. ;-)

Your point about intermediaries is valid though, but then aren't so many things dependent upon some sort of third party service? (if nothing else, it means phoning home and telemetry are baked into the service)

Oh look, on this very day... https://www.theregister.co.uk/2018/05/17/nest_outage/

0
0
Silver badge

Re: another lesson

if game developers are relying on P2P I'd say it is required if that is what you want to do, play the game

Yup. And opening the door in mid-flight is required if what you want to do is go skydiving.

That's not really a great reason to have all planes open their doors in mid-flight by default.

Nor is it a great reason to sell routers with UPandGetHacked enabled. Yes, quite a few people want to play multiplayer games that require it. Fine. Let them learn how to turn it on. Consider it part of the game.

0
0
Silver badge

Re: another lesson

They refuse. They want to just JFPTFG, not go through all that network jiggery-pokery. It's like telling people they need to learn how to pump their own gas in order to drive their car in New Jersey (hint: all gas stations in New Jersey are Full Service, by law).

0
0
Anonymous Coward

As much as I would like to see UPnP blocked by default it's not going to happen. The conversation at the ISP (who supply most consumer grade routers) will go something along the lines of what costs more? Supporting users who buy something that uses UPnP or dealing with the extra traffic?

Steps without UPnP (I may miss something here, who knows)

Call ISP support.

Find IP address of device. (No easy task depending on device)

Log into router.

Depending on router make IP address static. (I don't know what default lease time they have these days as I never use it)

Confirm Port and type of outgoing connection required.

Find page for forwarding.

Enter details correctly.

Apply forwarding.

Hope their isn't an issue on device such as a setting or server issue stopping it connecting or allowing connection.

Steps with UPnP.

Plug it in.

If it doesn't work refer customer to device manufacturer.

ISP's could refer people to device manufacturer but lets face it they'll just tell you it's not their router and refer you back because it should have UPnP enabled.

11
6
Anonymous Coward

As much as I don't care if upnp is blocked by default on the internal side (it was only ever used by skype clients, and that's a product in it's death throes), no ISP has any excuse for requiring unchanged admin passwords, unsecured http access, or upnp on the internet side.

Outgoing connections aren't what caused DOS amplification.

8
0
Anonymous Coward

Any device that allows you to call back home from outside the network can use upnp, e.g. security camera, media server, IoT crap etc...

If it was no longer in use then it would most likely be removed.

1
0
Silver badge
Facepalm

UPnP - insecure out of the box

one of the worst designs in UPnP would be the ability of a client to open up a port in any firewall configured for UPnP. In other words, if NAT was (at one time) protecting a computer from being a listening port on "teh intarwebs" for command/control, guess what? UPnP makes that possible, too.

So many levels of wrong. So many security craters. Why is it even "a feature" on routers?

/me thinks we can blame Micro-shaft, somehow...

icon, because, facepalm

5
3
Silver badge
Devil

Re: UPnP - insecure out of the box

Sorry, no MS involvement, this one was the unholy offspring of Cisco, Juniper, and France Telecom.

7
0
Silver badge

Re: UPnP - insecure out of the box

WHY? Because the Internet wasn't built with Stupid Users in mind. Stupid Users who wouldn't know a port if it owned them yet expect their Internet stuff to work from Day 0.

Look, it's either UPnP or increased Help Desk traffic. Pick your poison unless you think people should have a license to use the Internet.

2
6
Anonymous Coward

Re: UPnP - insecure out of the box

... unless you think people should have a license to use the Internet.

Tempting, very tempting. How about a reverse walled garden approach where those without a license are locked into a small subset like only facebook and twitter or something? We could even make licensing as easy as 1, 2, 3.

1. Log into router

2. Ensure UPnP and WAN side logins are disabled

3. Change the default password. Of course changing the password to something like password1 or 123456 will automatically revoke the license.

5
1
Silver badge

Re: UPnP - insecure out of the box

"Tempting, very tempting. How about a reverse walled garden approach where those without a license are locked into a small subset like only facebook and twitter or something?"

Obligatory car analogy

This all reminds me a little of self-driving cars and the road network. People who can't drive are not allowed on the roads but self-driving cars might one day allow people who can't drive out there. uPNP is the self driving car of the internet "superhighway" that allows non-"drivers" out there because it takes away the complications so they don't need to learn to "drive". The downside is that uPNP doesn't put lives at risk so anyone can create their own shitty implementation with no come-back when it fails.

0
0
Silver badge

UPnP is bad, but...

Discover targets on Shodan by searching for the rootDesc.xml file (Imperva found 1.3 million devices);

... is worse.

If you have an open HTTP admin, anything you do is useless.

7
0
Silver badge

What?

"sysadmins need to block UPnP from Internet-facing access"

Sysadmins should never allow it in the first place, if they have, they need sacking.

Now, home boxes, that's a different matter.

4
4
Silver badge
Devil

Now, home boxes, that's a different matter.

Why?

It should have been nuked from orbit before release.

The Router "feature" to have uPNP should never have existed. Let's not forget that even without the internet uPNP on a host (PC etc) is mostly a stunningly bad idea. Automatic install or connection to of something unseen somewhere else on a LAN?

Even apart from the Internet fail, it's a far worse a design disaster than USB HID because anyone could plug something into the LAN. At least with USB the user is actually plugging in the whatever it is*

It should NEVER have been added as a feature on ANY router.

It should be disabled on every PC too. Along with SSDP.

(* If using unknown USB chargers, use a cable that has no data connections. Don't plug in unknown USB things and note what messages appear on screen).

2
1
Silver badge

Re: Now, home boxes, that's a different matter.

So what do you propose as the alternative for people who wouldn't know a port if it pwned them?

2
0
Silver badge

USB cables

(* If using unknown USB chargers, use a cable that has no data connections. Don't plug in unknown USB things and note what messages appear on screen).

So if I borrow a charger, I shouldn't be able to have it quick-charge (because detection of that is done via the data lines)

What about a new charger from a store? do you trust that?

At some point you either have to have a full chain of trust (like with certificates) or you have to take a leap of faith.

Where you draw the line is the important thing. This line may change depending on who you are and what you are doing.

4
0
Silver badge

Re: USB cables

"use a cable that has no data connections"

And that's another thing that "normal" users have never heard of.

I don't think I've ever seen one myself either.

0
0
Gold badge

Re: Now, home boxes, that's a different matter.

"So what do you propose as the alternative for people who wouldn't know a port if it pwned them?"

That's easy. You give them nothing.

Your choice of words is appropriate. They *won't* know a port *when* it pwns them. If your game needs to allow anyone, anywhere, sight unseen, to access your network then you need a new game. People need to learn that the easy way (from us) rather than the hard way (from their bank).

It's really no different to posting naked selfies to a secure part of their Facebook profile. People need to learn not to do that and the choice of teacher is "boring nerd" or "experience". The latter is, famously, a harsh mistress. So ... ask yourself ... are you a fool?

3
0
Silver badge

Re: Now, home boxes, that's a different matter.

So IOW, you want people to have a license to use the Internet, even if they start complaining to the help desks, tying them up.

0
0
Silver badge

Re: Now, home boxes, that's a different matter.

Helpdesk Jocky: Please give me your internet licence number

Caller: I don't have one

<click>

3
0

Re: USB cables without data connections

I have a couple myself. Two mini usb connectors that won't connect a device. Thought they were faulty until I (accidentally) discovered they work fine for charging, and 2 micro USB, one from Jabra, the other from (of all people) Samsung, which have big friendly stickers hanging off them saying 'For Charging Only'. I've verified that by finding myself out in the bush and having to fire a WiFi hotspot up to move stuff between my phone and a notebook.

0
0
Anonymous Coward

Re: Now, home boxes, that's a different matter.

Helpdesk Jocky: Please give me your internet licence number

Caller: Please connect me to your supervisor before I FILE A FORMAL COMPLAINT AND SWITCH PROVIDERS!

0
0
Silver badge

Re: Now, home boxes, that's a different matter.

Your choice of words is appropriate. They *won't* know a port *when* it pwns them. If your game needs to allow anyone, anywhere, sight unseen, to access your network then you need a new game. People need to learn that the easy way (from us) rather than the hard way (from their bank).

Many games use P2P multiplayer. Someone somewhere's got to open a port.

0
0
Silver badge
Meh

Re: USB cables

"I don't think I've ever seen one myself either."

Try with USB battery packs. Or anything that has a USB connection for charging, not data transfer.

Unfortunately when you have several kicking around and they look identical to normal USB cables, it is all too easy to pick up the wrong one, plug phone into computer, then wonder why the thing doesn't pop up the connection confirmation. Oh, yeah, no data... Grrrr...

0
0
Silver badge

Re: Now, home boxes, that's a different matter.

So what do you propose as the alternative for people who wouldn't know a port if it pwned them?

Learn or do without.

Please stop endorsing learned helplessness. For all of human existence, people have demonstrated the capacity to learn how to use things they have good reason (including entertainment) to use.

0
0
Silver badge

Re: USB cables

I don't think I've ever seen one myself either.

I don't know why not. Best Buy sells them. Hell, my local supermarket sells them. They're right next to the other USB cables, and they say "charging only", and they're generally cheaper than the regular (data-carrying) cables. These days, they probably have some sort of security waffle on the packaging too.

0
0
Silver badge

Re: Now, home boxes, that's a different matter.

So IOW, you want people to have a license to use the Internet, even if they start complaining to the help desks, tying them up.

Who else, exactly, is using this alleged ISP help desk?

And if the help desk is "tied up", either the ISP will address that situation, or market forces will correct it (i.e. people will switch), or people will put up with it - just as they do now. I don't find Helpocalypse a persuasive argument.

0
0
Silver badge

Re: Now, home boxes, that's a different matter.

Caller: Please connect me to your supervisor before I FILE A FORMAL COMPLAINT AND SWITCH PROVIDERS!

Caller is welcome to do so. The formal complaint has no material effect, and you're already costing us more than you're worth. Ta!

And, of course, in the US, many consumers have only one viable choice of ISP.

0
0
Silver badge

Re: Now, home boxes, that's a different matter.

"Caller is welcome to do so. The formal complaint has no material effect, and you're already costing us more than you're worth. Ta!"

Be careful. PO'd customers tend to tell their friends. Meaning one defection may be followed by a bunch more...NOT a good thing to report to the higher-ups...

Remember, trust is hard to build and easy to break.

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018