To UPnP or not to UPnP

As the internet has changed, so have our lives. We no longer just dial up to find that “you’ve got mail”; instead, we stay constantly connected through our phones, tablets, and computers. We are now in the age of never leaving home without a device and being connected to the internet at all times. Some can’t even imagine going out of range.

These devices that are with us at all times are our own personal Internet of Things (IoT). IoT devices can be baby monitors, home entertainment systems, home security systems, or even a refrigerator fully equipped with a video camera so we can check whether or not we have milk.

I know what you may be saying: “I can’t access my home security system from my smartphone anymore.” This is likely because you have disabled Universal Plug and Play (UPnP) on the router, as directed.

UPnP is a set of networking protocols that lets networked devices discover each other's presence on the network and establish services for data sharing, communications and entertainment. For your IoT devices to communicate with their respective mobile apps, they have to be accessible from the internet. This is where UPnP comes in. Many home IoT devices support UPnP to make installation easier. When a device is plugged into the network, it configures itself, acquires an IP address and uses a discovery protocol to announce its presence to other devices on the network. If UPnP is enabled on the network router, the device then communicates with the router to tell it what firewall configuration is needed for the device to be reachable from the internet.

If UPnP is not enabled by default or has been disabled, then the device will not be able to communicate with the router to request those firewall changes, which are essentially port forwarding assignments. The problem is that UPnP was never meant to be exposed to the public-facing internet. In addition, earlier versions were vulnerable to a UPnP Simple Service Discovery Protocol (SSDP) subversion attack, which would allow an attacker to join the internal network from the internet as a NewInternalClient. With UPnP disabled, or with an updated UPnP protocol stack, your devices will not be exposed through SSDP, but they still need to be reachable for their mobile apps to communicate with them. (You can check whether you are exposed by running the test at https://www.grc.com/su/upnp-rejected.htm)

If you decide to disable UPnP, then you will need to manually configure the port forwarding tables on your home network router to make the devices accessible. This reduces the potential vulnerabilities of UPnP being exposed to the internet, but technically any device that has a port forwarded to it, whether configured manually or through UPnP, is still exposed to the internet.
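A LAN-side companion to the external test above: the SSDP discovery exchange described earlier, as an added Python example that is not part of the original post. It builds the M-SEARCH probe, parses a reply, and flags a router that still advertises itself as an Internet Gateway Device after you think you have disabled UPnP; the sample reply, the 192.168.1.1 address and the uuid value are constructed, not captured from any real device.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # SSDP multicast group and port (UPnP spec)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"  # search target for UPnP routers

def build_msearch(search_target: str = IGD_ST, mx: int = 2) -> bytes:
    # SSDP M-SEARCH: an HTTP-style request carried over UDP multicast.
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(raw: bytes) -> dict:
    # A reply is "HTTP/1.1 200 OK" followed by headers; header names are lower-cased.
    status, _, rest = raw.decode("utf-8", errors="replace").partition("\r\n")
    headers = {"_status": status.strip()}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_igd(headers: dict) -> bool:
    # A router that still answers UPnP advertises an InternetGatewayDevice in ST or USN.
    return "InternetGatewayDevice" in (headers.get("st", "") + headers.get("usn", ""))

def discover(timeout: float = 3.0) -> list:
    # Send one M-SEARCH on the LAN and collect answers (needs a live network; not exercised offline).
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            try:
                data, addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            found.append({**parse_ssdp_response(data), "_from": addr[0]})
    return found

# Constructed sample, shaped like a UPnP router's reply to the M-SEARCH above (not from a real device).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                   b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                   b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                   b"USN: uuid:placeholder-0001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

if __name__ == "__main__":
    for h in discover():
        print(h["_from"], "UPnP router (IGD) still answering" if is_igd(h) else h.get("st", "?"))
```

Run it from a machine on the home LAN; if the router is listed as an IGD, UPnP is still on despite the setting you changed.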

Change the default configuration and, most importantly, change the default username and make the password difficult to guess. Better yet, turn it all off and go out to the middle of nowhere!

References:

https://www.grc.com/su/upnp-rejected.htm