What is UPnP, and why should you disable it?

Ruth C. | November 9, 2022

Universal Plug and Play (UPnP) is a set of networking protocols facilitating quick connections between devices on a local network. So, devices can discover and connect to each other seamlessly without much manual configuration. 

Devices that frequently share data over networks include gaming consoles, printers, security cameras, and mobile devices. UPnP allows apps and devices to communicate with each other on a LAN by opening and closing ports. However, this connectivity convenience comes at a price. 

Researchers have reported multiple incidents involving enabled UPnP. Thus, turning this setting on could expose your device to unnecessary security risks. For instance, hackers could gain control over networks and execute attacks after turning routers into proxy servers.

What is UPnP? Why do people enable it?

UPnP is essentially a connectivity protocol you can find in the settings of most routers. For security reasons, routers usually have this option disabled by default. 

However, users might enable it manually for reasons like online games or hosting game servers. Other reasons include the following: 

  • UPnP can be useful for wireless streaming when users want to stream content from computers to TVs.
  • It can also facilitate online games when users are unsure which ports should be open. 
  • People can enable the protocol for accessing home surveillance devices remotely.
  • A variety of internet-connected gadgets will be able to establish connections seamlessly with UPnP.

However, UPnP-enabled devices are at risk since no authentication mechanism exists. So, UPnP trusts all devices attempting to join the network. 

As long as it establishes only safe connections, UPnP poses no threat. The issues arise when hackers exploit open ports for malicious tactics. 

UPnP security risks and problems

Hackers have abused enabled UPnP devices for large-scale attacks like Mirai and EternalSilence. Essentially, with UPnP, you have a trade-off between security and convenience. 

You might avoid struggling with port forwarding and figuring out which ports should be open. 

However, this UPnP convenience makes you vulnerable to unknown systems exploiting your network. It might involve direct attacks against you and data theft. Hackers have also exploited devices to cover their tracks during further attacks. 

And such threats are not theoretical. UPnP vulnerabilities have compromised a number of networked devices: 

  • A campaign known as EternalSilence exploited UPnP to transform users’ routers into proxy servers. Then, disguising themselves under victims’ IP addresses, criminals initiated other attacks. 
  • Another instance of UPnP exploitation involved forcing victims into becoming bots for DDoS attacks. The CVE-2020-12695 vulnerability enabled hackers to steal data and inspect internal networks. 
  • A flaw in how some Cisco routers handle UPnP can enable attackers to run arbitrary code on devices. That could result in a DoS attack. 
  • The Flash UPnP attack dates back to 2008. It included a Flash applet that would send requests to open ports. In some cases, the attack changed the used DNS servers. Thus, it was possible to redirect users to malicious websites instead of legitimate ones. 

Initially, UPnP worked exclusively at the LAN (Local Area Network) level. However, its other use cases and flaws have made it insecure. Since no form of authentication occurs, it becomes difficult to guarantee that only harmless connections pass. 

No need for UPnP with port forwarding 

Port forwarding is a much more secure option for users. A little manual configuration with ports can compensate for UPnP. In brief, port forwarding opens ports for external devices to connect to machines on private networks. 

For instance, you might need to open particular ports to allow friends to join your game server. It enables access privileges by directing requests to the correct IP address and port. 

Here are some guidelines for performing port forwarding and opening necessary ports: 

  • The device you plan to forward ports to needs to have a static IP address. It saves time as you won’t need to change the settings each time IP addresses change. 
  • You can set up port forwarding through the router’s admin page, accessed with the router IP address.
  • You should see port forwarding options within the router admin panel. 
  • You will need to indicate port numbers and the selected device’s IP address.
  • The configuration will also include choosing TCP/UDP. You should find which is necessary depending on the purpose of port forwarding. 

So, whenever you need open ports, use port forwarding instead of enabling UPnP. 

How to disable UPnP and protect your devices?

The exact process for turning UPnP off varies by device. On most devices, you can do this by logging in to your router. Here are some universal instructions that should help you find the needed settings:

  1. Enter the public IP address as a URL in your web browser. 
  2. Under Advanced, you should see the NAT Forwarding section. 
  3. Select UPnP and disable this feature.

Users who want to keep using it can try setting up UPnP-UP (Universal Plug and Play – User Profile). It only allows connections that implement authentication and authorization requirements correctly. 

However, not all devices support it. So, the better option is to disable it for good and perform port forwarding whenever necessary. 

Also, consider installing a VPN to reinforce your digital privacy. Tunneling and encryption are excellent options to secure all your online communications and circumvent common geo-restrictions.

Ruth C.

Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.
