Here are another 45,000 reasons to patch Windows systems against old NSA exploits

Earlier this year, Akamai warned that vulnerabilities in Universal Plug'N'Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed. Having revisited its April probing, the web cache biz has come to the conclusion that the security …

  1. Nate Amsden Silver badge

    how about

    turning off UPnP

    https://www.theregister.co.uk/2018/11/08/upnp_spam_botnet_broadcom/

    Never have had a router that supported UPnP myself, well my home broadband connections have always had bridged modems with either Linux or OpenBSD (past 12 years or so) as my gateway.

  2. mrobaer
    Facepalm

    Re: how about

    "Oh, and turn UPnP off, which has been standard advice for a decade." - The Article

  3. bombastic bob Silver badge
    Meh

    Re: how about

    sometimes article details are easy to miss. benefit of doubt. Still good advice. Shut that BLANKING EXCRETION (aka UPnP) OFF!

    (cannot say that enough times)

  4. LDS Silver badge

    Re: how about

    You may want to look at the list of compromised systems - it does include BSD routers (albeit old versions - m0n0wall/pfSense ones??). OpenWRT as well.

    They aren't magically secure - they may have vulnerabilities and bugs as well, and are "secure" only when properly updated and configured - as anything else.

  5. JohnFen Silver badge

    Re: how about

    Indeed. I would also add that being "secure" in an absolute sense is an unachievable ideal. This is pretty much the first law of security, and is why the security world has the truism that you are the most vulnerable the minute that you believe you are secure.

  6. arctic_haze Silver badge

    Re: how about

    Also put an old reliable router you keep in the closet between the new shiny toy from your IP provider and your home network. The old junk is fast enough but it luckily has no clue what UPnP is.

  7. ElReg!comments!Pierre

    Is anyone using UPnP anyway?

    I know a lot of gear used to come with "UPnP" pushbuttons but I've never witnessed anyone actually pushing one. I've seen ticked "UPnP" boxes in config webpages, but when asked, the culprit invariably answers "That? Oh, it was ticked by default, I don't know what it does so I left it alone".

  8. Jack of Shadows Silver badge

    Re: Is anyone using UPnP anyway?

    That button is for WEP validating a device onto your network. UPnP is another kettle of fish entirely. That punches holes in your firewall, if any, to allow any computer or device on your network to automagically connect to the outside world.

  9. big_D Silver badge

    Re: Is anyone using UPnP anyway?

    UPnP is for devices on the internal network to request a dynamically assigned port to be forwarded to them - XBox and PS4 use it for multi player and online games, for example (without it, you would only be able to have 1 device on the network and you would have to manually do the port forwarding), Skype and many other services and protocols also rely on it, but always from inside the network to outside resources.

    The problem is, UPnP can be turned on on any physical network port (as opposed to TCP port), LAN, WAN, Wi-Fi etc. The problem is the second one, many router manufacturers have turned it on by default on the WAN port, meaning that anybody outside the network can ask for port forwarding into the network!

    This is security 101 and the engineers that came out with the bright idea of turning it on on the WAN port will be the first against the wall, when the revolution comes.

    It might be interesting, if there is a case for the engineers and the router manufacturers to be charged with aiding and abetting these attacks.

    That is why the routers should have this turned off by default, or better don't offer the option at all on home routers. If you really want to use routing and port forwarding within segmented networks, then you should be looking at professional devices.
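As an added illustration of the point above about inside devices requesting port forwards without anyone looking at them (example code, not from the article or any commenter): this script parses the port-mapping entries a UPnP IGD router returns from its WANIPConnection service and flags the ones a home user would want to know about. The SOAP element names follow the UPnP IGD specification; the LAN range, the risky-port list and the two sample responses are constructed assumptions for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range
RISKY_PORTS = {445: "SMB", 139: "NetBIOS", 3389: "RDP", 23: "Telnet"}  # never forward these

# Constructed sample: two GetGenericPortMappingEntryResponse bodies as a router's
# WANIPConnection service returns them (element names per the IGD spec, values made up).
SAMPLE_RESPONSES = [
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost>'
    '<NewExternalPort>3074</NewExternalPort><NewProtocol>UDP</NewProtocol><NewInternalPort>3074</NewInternalPort>'
    '<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>Xbox'
    '</NewPortMappingDescription><NewLeaseDuration>3600</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost>'
    '<NewExternalPort>445</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>445</NewInternalPort>'
    '<NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>'
    '</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
]

def parse_mapping(xml_text):
    """Flatten one SOAP response into a dict; the New* elements carry the mapping."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]  # strip any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return {
        "protocol": fields["Protocol"],
        "external_port": int(fields["ExternalPort"]),
        "internal_port": int(fields["InternalPort"]),
        "internal_client": fields["InternalClient"],
        "enabled": fields.get("Enabled") == "1",
        "description": fields.get("PortMappingDescription", ""),
        "lease": int(fields.get("LeaseDuration") or 0),
    }

def audit(mapping):
    # Findings for one mapping; an empty list means it looks like a normal LAN request.
    if not mapping["enabled"]:
        return []
    findings = []
    try:
        if ipaddress.ip_address(mapping["internal_client"]) not in LAN:
            findings.append("internal client is outside the LAN")
    except ValueError:
        findings.append("internal client is not a valid IP address")
    service = RISKY_PORTS.get(mapping["internal_port"])
    if service:
        findings.append(f"exposes {service} on {mapping['internal_client']}")
    if not mapping["description"]:
        findings.append("no description: requesting device unknown")
    if mapping["lease"] == 0:
        findings.append("permanent mapping: never expires on its own")
    return findings

def audit_all(responses):
    # 'PROTO/external_port' -> findings, for every mapping that has any
    mappings = [parse_mapping(t) for t in responses]
    return {f"{m['protocol']}/{m['external_port']}": audit(m) for m in mappings if audit(m)}
```

Against a real router you would feed `audit_all` the responses of successive GetGenericPortMappingEntry calls (index 0, 1, 2, ...) until the service returns an error, which is how the full mapping table is enumerated.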

  10. big_D Silver badge

    Re: Is anyone using UPnP anyway?

    @Jack of Shadows and WEP has its own security problems and should be taken out behind the shed and put out of its misery as well.

    As I say above, the problem with UPnP is that it is designed for the internal network and idiot manufacturers are putting it on the WAN port as well and leaving it on by default... Punching a hole from the inside to the outside can be useful and there are legitimate reasons for this. Punching a hole from the outside to the inside is never a good idea.

  11. ElReg!comments!Pierre

    Re: Is anyone using UPnP anyway?

    That button is for WEP validating

    Funny that it would be labelled UPnP then, and on devices not offering WEP (some not having wireless at all, some not being network equipments) but if you say so ...

    I know why UPnP exists, I just never met anyone using it. But apparently I lived in a shielded bubble of sanity.

  12. ElReg!comments!Pierre

    Re: Is anyone using UPnP anyway?

    the problem with UPnP is that it is designed for the internal network

    The problem with UPnP is that it is designed for lazy bums who can't be arsed to spend the whole 5 minutes it takes to configure their network properly when they get a new toy (/game /printer, whatever).

  13. LDS Silver badge

    Re: Is anyone using UPnP anyway?

    Many people don't know what a "TCP/IP network" is - and it's not mandatory knowledge. When you use a drug you're not required to be a chemist or physician to understand what's in it and how it works - you do expect it to work to heal you and not to kill you.

    Network equipment should be "safe by design", the golden age of a "nice Internet" are long gone.

  14. LDS Silver badge

    It's WPS, not WEP...

    The button is usually for WPS - Wi-Fi Protected Setup - which works with WPAx as well.

    It has its own vulnerabilities...

  15. big_D Silver badge

    Re: It's WPS, not WEP...

    @LDS thanks. I knew WEP was wrong when I answered Jack earlier, but I couldn't think of the correct term.

  16. GnuTzu Bronze badge
    Megaphone

    Re: Is anyone using UPnP anyway?

    That would be a topic for a statistical study. But, using it or not, it's exactly the kind of thing that would be on by default--something that too many users wouldn't even know to turn off.

    And then, none of this is shocking. When this thing was created, it was a given that automatic configuration is a chicken-or-egg problem that requires too much broadcasting of "please come and be my mommy and tell me who to be." So, there is no surprise that any technology along these lines is rife with vulnerabilities.

    I'd like to blame all this on the nature of consumer technology, but it happens there's a protocol (name escapes me at the moment) for administering servers in enterprise environments that is just as bad or even worse. Security will never be easy, and we need to be wary of those offering shortcuts, which was in fact a topic of discussion when UPnP was created. So, this counts as a "we told you so." Hah!

  17. ElReg!comments!Pierre

    Re: Is anyone using UPnP anyway?

    Many people don't know what a "TCP/IP network" is - and it's not mandatory knowledge. When you use a drug you're not required to be a chemist or physician to understand what's in it and how it works - you do expect it to work to heal you and not to kill you.

    Everyone above age 10 is expected to know the basics of medicine safety, electricity safety, the dangers of a bottle of bleach, road safety etc. But suddenly when it comes to them 'puters, everyone is expected to be a bumbling moron and stay that way forever? I'm sorry, that is a ridiculous point of view. Especially as with today's ubiquitous config-by-webpage, the instructions on what to do and not do with the medicine you just got are no more complicated than setting up port forwarding (the fact that no one really reads med notices is another problem; you are expected to).

  18. JohnFen Silver badge

    Re: Is anyone using UPnP anyway?

    "When you use a drug you're not required to be a chemist of physician to understand what's in and how it works"

    But you 100% should have an understanding of any drug you're taking! Not at the biochemical level, perhaps, but you should know what the drug is doing to you, what the risks of taking it are, etc. People should also have a similar understanding of networking if they're running a LAN.

  19. MrBoring

    Re: Is anyone using UPnP anyway?

    The risks of users setting up their own port forwarding far outweigh the risks of having UPnP enabled.

  20. JohnFen Silver badge

    Re: Is anyone using UPnP anyway?

    How so? If a user screws up port forwarding in a way that introduces a security problem, the damage is still limited to the ports in question. Enabling UPnP risks allowing attackers to reconfigure things to allow much greater damage.

  21. big_D Silver badge

    Re: Is anyone using UPnP anyway?

    People should also have a similar understanding of networking if they're running a LAN.

    I agree to a point. But the problem here is that the technicians that designed the hardware have made an elementary cock-up in the basic configuration of the devices they are selling. If they can't get it right, what hope do non-technical home users have?

    The problem isn't the users, per se, in this case, the problem is the manufacturers putting out a device in a dangerous condition. This is like a car manufacturer selling a car, where they know the brakes won't work in an emergency.

  22. big_D Silver badge

    Re: Is anyone using UPnP anyway?

    @MrBoring UPnP isn't the problem. The problem is, it is a protocol designed for the internal network and the manufacturers of the devices are setting the routers up with the protocol active on the WAN device. That is verging on criminal negligence.

  23. JohnFen Silver badge

    Re: Is anyone using UPnP anyway?

    "The problem isn't the users, per se, in this case, the problem is the manufacturers putting out a device in a dangerous condition"

    I absolutely agree that manufacturers of consumer networking gear are often irresponsible when it comes to default security. But users are on the hook as well. There is a strain of thought that says that consumer tech should be operable by people who don't know what they're doing. I think this is wrong -- networking is a complex topic, and it's important that people who are installing, configuring, and maintaining it have some amount of knowledge about what they're doing.

    To go with your car analogy, there aren't very many places in the world where you can legally drive a car without demonstrating a minimum level of competency. Cars are very complicated machines, and people operating them need to have knowledge of how they work in order to do so safely. They don't have to be experts in the sense that they can build or repair them, but they have to know enough to tell when something needs attention and how to safely recover from malfunctions.

  24. Cavehomme_

    Re: Is anyone using UPnP anyway?

    Utter nonsense, configuration of a router requires significant technical knowledge that most people do not possess nor will they possess. To do it properly needs a lot of wider IT related knowledge too. It’s for manufacturers to be more responsible AND accountable.

  25. ElReg!comments!Pierre
    Flame

    Re: Is anyone using UPnP anyway?

    configuration of a router requires significant technical knowledge that most people do not possess nor will they possess. To do it properly needs a lot of wider IT related knowledge too.

    Basic configuration of a HOME router? Surely you jest. It's significantly less complicated than, say, filing your tax report online, or indeed getting your new Windows laptop to work properly. The basic instructions and warnings would largely fit on 2 paper pages. We're talking about people who want Skype or their Playstation to work. These days it's literally 4 fields on a configuration webpage (originating IP, port; destination IP, port. That's it.). Some people argue that it's dangerous because lusers might open things they don't want open; that's ridiculous, since UPnP does exactly that but without any oversight - and without the end-user actually realizing that any such thing had happened at all.

    With manual settings, you can individually disable each rule as soon as you think you don't need it anymore - just untick the box. Some home routers will even allow you to define specific periods of time in advance. How is that worse than letting any and all devices set their own "holes" without you even knowing? (Yes, that is what UPnP does, by design).

    It’s for manufacturers to be more responsible AND accountable.

    Exactly. As much as car manufacturers should be held responsible for any and all car crash, or toy manufacturers should be held responsible for kids jumping out the window because they did not realize that the Superman costume did not grant flight ability. With your patronizing attitude, you -and many more- are that kid's parents.

  26. ElReg!comments!Pierre
    FAIL

    Re: Is anyone using UPnP anyway? @Big_D

    So to summarize some of your points:

    - UPnP is good on the LAN but an abomination when opened to the WAN, yet you cite Skype and online games using it as a plus (as you may know, Skype and online games use UPnP solely to open ports to the outside). Https://forums.theregister.co.uk/forum/containing/3666819

    - You state that "UPnP can be turned on on any physical network port (as opposed to TCP port), LAN, WAN, Wi-Fi etc" (https://forums.theregister.co.uk/forum/containing/3666819)

    - You think that UPnP is required for LAN gaming because "without it, you would only be able to have 1 device on the network and you would have to manually do the port forwarding" (https://forums.theregister.co.uk/forum/containing/3666819).

    - You have "around 45,000 tracking domains set to 0.0.0.0 (unroutable) in [your] hosts file" ( https://forums.theregister.co.uk/forum/containing/3664779 )

    Am I correct? If so, does that sound even remotely sensible to you ?

  27. LDS Silver badge
    Facepalm

    "the damage is still limited to the ports in question"

    Usually, when a user screws up port forwarding, it adds an "any" rule because it's the fastest way to make things "work" - so the ports in question are usually 1-65535, on any IP....

    Because most users barely know what an IP is, and ports, forwarding, etc., are beyond their knowledge. They look on Google, and find someone who solved it with the rule above, and hey, it worked. So they do the same...

  28. LDS Silver badge

    "drive a car without demonstrating a minimum level of competency"

    When I took my driving license 30 years ago what they taught (and you needed to know) about car systems were already hopelessly outdated. No way you can do anything on an actual car, but changing a flat tire (and in my car, not even it as it doesn't have a spare but relies on run-flat ones). Open the bonnet, and you won't find almost anything you can operate on, you can refill some oil/water, and check tires pressure, but not much more. You look at the car display, and it tells you what you need to know - go to a repair centre.

    And given the amount of people who drive with a mobe in their hands, often in expensive cars which surely must have a Bluetooth hands-free system, they can't even pair their expensive phones...

    Sure, once upon a time the risk of being stranded with a broken car far away from a phone was very high. You needed to be able to try to repair simple issues. But today?

  29. LDS Silver badge

    "But you 100% should have an understanding of any drug you're taking!"

    Really? You can tell the difference among different types of antibiotics? Sure, you should know that taking an antibiotic for a flu (unless there are complications needing them) is useless, still, how many do that? Do you really know which drugs shouldn't be used together, for example? Which is the recommended dose?

    You can read the leaflet, sure....

    People should know they need to keep their routers up to date. Should be aware of basic network safety. Could be guided to perform simple operations. But asking them to understand networking, is a big stretch...

  30. _LC_
    Devil

    Remember

    Remember not to buy from Huawei as they have evil Chinese backdoors, says the good guy from the NSA...

  31. ivan5

    Re: Remember

    Since the NSA and other 5I are so against them maybe they are the ones we should be buying. I assume they are against them because there are no backdoors they can exploit.

  32. Wellyboot Silver badge

    Re: Remember

    @ivan5 - The NSA & 5I haven't found all of the manufacturers' backdoors yet, they just don't want 'the competition'(tm) to have any advantage!

  33. JohnFen Silver badge

    Re: Remember

    "Since the NSA and other 5I are so against them maybe they are the ones we should be buying."

    Agencies are well aware that there are lots of people who take this stance, and they have been known to come out publicly against technologies in order to trick those people into using them.

    Don't be for something just because your opponent is against it, and don't be against something just because your opponent is for it. If you do either of those things, you are allowing your opponent to make decisions for you.

  34. Kanhef

    Numbers

    1.7 million hosts behind 45,000 routers comes out to an average of almost 40 hosts per router. Seems like someone's been targeting larger corporate networks, which really have no business using UPnP.

  35. JohnFen Silver badge

    Wow

    People are not only actually enabling UPnP, but they're also using SMB?? That's amazing, and not in a good way.

  36. Garymrrsn
    Thumb Up

    The Really Good Thing Is

    Every time El Reg posts one of these articles, my home network gets a thorough inspection.

    Thank you for all those reminders!

  37. arctic_haze Silver badge
    Holmes

    There are more than 45,000 reasons not to use UPnP

  38. onebignerd

    I'm baffled that people are still using unpatched SMBv1 or even SMBv1 at all, letting WannaCry continue to cause havoc. I found UPnP enabled after reading these articles.

  39. Anonymous Coward
    Anonymous Coward

    UPnP ON by default

    Problem with most routers is that they have UPnP service set to ON by default.

    There is no easy way to disable this on my ISP-provided router. I already logged in through SSH and connected to my router and studied all possible commands. There's a kill command but it won't kill the UPnP service. I think I can enable DEBUG mode and then replace the hex code of UPnP in the RAM of the router, but feeding it garbage hex every router bootup is a lot of work due to a busy schedule. Replacing this router is not an option because of some hardcoded MAC which connects to and is being verified by the ISP.
