Why you should disable UPnP

Ruth C. | July 7, 2020

Universal Plug and Play (UPnP) is a controversial technology, criticized by both privacy advocates and law enforcement agencies. By now, the online community’s united voice suggests one thing: disable UPnP on your devices. From the users’ perspective, the integration of this protocol permits instant connections to the internet for all their gadgets. However, allowing your device to accept all incoming requests is a giant step back in terms of security. Naturally, convenience and privacy do not always go hand-in-hand. Yet, sacrificing some comfort is necessary to prevent unauthorized access to your IoT devices.

What is UPnP?

UPnP is a software protocol aimed at simplifying the management of IoT devices. It automates the process of port forwarding and allows tools to find each other seamlessly. This technology lets users skip the extensive configurations and setups of devices on local area networks. If your system of IoT devices is comprehensive, the preparations before using each gadget can be time-consuming. So, establishing connections seamlessly, without any need for configurations, seems like an excellent way of managing home networks.

There are more reasons why people choose to enable this feature despite its inglorious history:

  • Wireless streaming. For instance, when users want to stream content from their computer to a TV.
  • Accessing home surveillance devices. People will always be able to access cameras remotely.
  • Automating the connection of IoT devices. A variety of internet-connected gadgets will be able to establish connections seamlessly.

Problems with UPnP

Initially, the UPnP protocol became a prevalent technique for managing local networks. Soon enough, the technology advanced to aid the communications outside the original scope as well. Allowing devices in your network to instantly connect to the internet is relatively safe. However, when you instruct routers to facilitate devices outside the local network, it becomes an issue. The UPnP assumes that all connection requests are legit and orders the router to open the door automatically. Sadly, the protocol fails to consider that not all devices are equally reliable.

The fact that UPnP-enabled devices open ports, no questions asked, is a headache for security advocates. By default, the protocol does not implement any authorization, so users need to set these layers manually. There have been instances where the enabled feature allowed routers to forward public ports to personal IoT devices and be open to the internet. Hence, entities outside the home networks bypassed firewall regulations and gained access to devices.

Malicious exploitations with enabled UPnP

The problem intensifies since many routers enable UPnP by default. Knowing that users neglect to review and regularly update certain settings, routers continue to function with this feature. For instance, Mirai attack exploited these default settings. Hackers scoured the internet to find routers with open telnet ports, very likely exposed due to enabled UPnP. After detecting such devices, crooks ran several credential stuffing attacks, using some of the most common pairs. Once hackers gained access to wireless networks, they installed the Mirai malware in devices of unsuspecting users.

Another real-life example of UPnP exploitation is the recently detected CallStranger vulnerability. Certain devices with the enabled protocol expose their users to data loss and DDoS attacks. According to the study, there are many routers affected by this flaw, but not all vendors will offer proper solutions.

How to disable UPnP and protect your devices?

You might need to implement a unique process for turning UPnP off. In the majority of devices, you can do this by logging in to your router. Simply enter the public IP address as an URL in your web browser. Then, under “Advanced,” you should see the “NAT Forwarding” section. Then, select “UPnP” and disable this feature.

Users that do not want to give up convenience can try to set up the UPnP-UP (Universal Plug and Play – User Profile). It only allows connections that implement authentication and authorization requirements correctly. However, not all devices support it. So, the better option is to disable it for good and perform port forwarding whenever necessary. Also, consider installing a VPN to reinforce your digital privacy. Tunneling and encryption are excellent options to secure all your online communications and circumvent common geo-restrictions.

Browse safely & anonymously with a VPN

Browse safely & anonymously with a VPN

Encrypt your internet traffic and defend against online snooping, hackers, governments, or ISPs.
Ruth C.

Ruth C.

Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.


internet of things

© 2022 Atlas VPN. All rights reserved.