Slashdot Mirror


Most Home Routers Vulnerable to Flash UPnP Attack

An Anonymous reader noted that some folks at GNU Citizen have been researching UPNP Vulnerabilities in home routers, and have produced a flash swf file capable of opening open ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.

253 comments

  1. Nothing new, really by Billosaur · · Score: 3, Interesting

    It all hinges on going to a malicious web site. Just like email trojans, if you resist temptation and use some common sense, do you really have to worry about this?

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Nothing new, really by someone1234 · · Score: 4, Informative

      Yes. You may not be sure if a site is malicious or not, without visiting it.
      And some sites may become malicious suddenly because of all those syndicated ads around.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    2. Re:Nothing new, really by Anonymous Coward · · Score: 5, Informative

      Well yes. If you never visit a site with adverts. Or the Internet as it's otherwise known. Sure, you can block them (and I do) but sometimes sites switch to new providers and you are vulnerable for the time it takes to update the block file.

      I'm not really surprised to be honest - I always thought UPnP looked fishy to me so I disabled it on my router. I don't like the idea that anyone coming to visit can plug in their malware-ridden Windows laptop and reconfigure my router. Sure, having it turned off means X-Box Live is less happy but that only decreases the number of people who can call me "fag" on a daily basis. I wonder if Microsoft will update the X-Box Live support page where they say that UPnP doesn't make your network insecure...

      I also have Flash disabled by default because it is well known to be insecure and buggy and a delivery system for malware. Most proper web-browsers either let you enable flash on a per-site basis or will allow you to do so with a plug-in and this is really the way to go.

    3. Re:Nothing new, really by KDR_11k · · Score: 1

      For things like Flash it's easier to maintain a whitelist but I agree with your point, anything that can be loaded automatically by the browser in the default settings is seriously dangerous.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    4. Re:Nothing new, really by lordofwhee · · Score: 2, Informative

      Let's not forget XSS attacks, this is the kind of thing they're perfect for.

    5. Re:Nothing new, really by Lumpy · · Score: 5, Insightful

      Yup, I have seen people's computers infected from msn.com; the banner ads were at one time installing spyware from the default IE home page.

      All it takes is to get your nastiness in a bunch of ad rotations from DoubleClick and other scumbag web-ad companies and you can hose a huge swath of the net.

      --
      Do not look at laser with remaining good eye.
    6. Re:Nothing new, really by somersault · · Score: 0, Troll

      Adblockers ftw!

      PS lolfag ;)

      --
      which is totally what she said
    7. Re:Nothing new, really by Nullav · · Score: 4, Insightful

      Yes, but the social engineering requirement is more or less gone in this case. It takes substantially less work to convince someone to click a link than to download a file. (Granted, Bonzai Buddy got people by just being a purple ape.)
      Why, look no further than the MyMiniCity/Goatse/2girls1cup links being posted here in every thread! At least one person clicks and ends up warning others. (Either by downmodding or posting.) Why, you just need someone who's curious enough to click.

      On the other hand, it requires a bit of work to get someone familiar with malware to click on a 'you just won' banner and download the mystery prize. Don't even get me started on random email attachments following nonsense messages.

      --
      I just read Slashdot for the articles.
    8. Re:Nothing new, really by Brian+Gordon · · Score: 1, Insightful

      I agree, UPnP always seemed like a bad idea to me.. it's just fills up your network with multicast spam for lazy people who don't want to set up a proper network. Clients should have no control or peer-to-peer interaction.. networking is all about security, and doing everything server-side keeps things secure.

    9. Re:Nothing new, really by jandrese · · Score: 3, Interesting

      The annoying thing about it is that applications (especially games!) are written these days assuming you're either directly connected or behind a uPNP router. I had a hell of a time trying to get C&C3 working over my BSD based router because it assumed I was using uPNP.

      --
      I read the internet for the articles.
    10. Re:Nothing new, really by Hatta · · Score: 1

      What syndicated ads?

      --
      Give me Classic Slashdot or give me death!
    11. Re:Nothing new, really by Anonymous Coward · · Score: 1, Funny

      Is their any other grammatical and spelling rules we should no about?

    12. Re:Nothing new, really by kilodelta · · Score: 2, Insightful

      That is the problem. It seems as though Flash is the way to go on this and if you're running Firefox you just run the Flashblock add-on. It puts a little 'f' where the flash module wants to run. Between Flashblock and AdBlock I love the web.

    13. Re:Nothing new, really by sexconker · · Score: 1

      Yeah, damn IE for loading html automatically with the default settings.

    14. Re:Nothing new, really by eat+here_get+gas · · Score: 3, Insightful

      Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP, SMC Barricade 7004VBR (w NAT and firewall)...what's the problem? I've been running this for several years with no infections.
      99.9% of the shiit that gets blocked by these programs I don't need/want/miss anyway.

      --
      the significance of a signature is insignificant
    15. Re:Nothing new, really by mcmonkey · · Score: 2, Funny

      Yup, I have seen people's computers infected from msn.com

      Isn't that redundant? The GP already stated,

      It all hinges on going to a malicious web site.
    16. Re:Nothing new, really by Brian+Gordon · · Score: 1

      I don't even understand how that can be a problem.. why doesn't it just send packets through the gateway instead of screwing around with UPnP?

    17. Re:Nothing new, really by Anonymous Coward · · Score: 0

      >PS lolfag ;)

      TMI, but congrats, I guess.

    18. Re:Nothing new, really by cheater512 · · Score: 4, Insightful

      I use Linux with Seamonkey and..... uuhhh nothing else.
      No infections either. :)

      It looks like your doing everything except the simplest solution.

      Oh and yes I use UPNP.

    19. Re:Nothing new, really by Cal+Paterson · · Score: 3, Insightful

      Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP, SMC Barricade 7004VBR (w NAT and firewall)...what's the problem?

      That none of this is default?
    20. Re:Nothing new, really by Some_Llama · · Score: 1

      "Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP,"

      but then you're not "supporting" the websites you visit?

    21. Re:Nothing new, really by Drgnkght · · Score: 1

      I'd guess that it is trying to forward ports on the router. Every program I've ever seen that used UPnP used it to forward ports. (Does UPnP even have any other use? Serious question, btw.)

    22. Re:Nothing new, really by darkfire5252 · · Score: 1

      Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP, SMC Barricade 7004VBR (w NAT and firewall)...what's the problem?

      The problem is that 90% of computer users either don't know what that stuff is, don't have it installed, or (most likely) both.
    23. Re:Nothing new, really by Some_Llama · · Score: 1

      "off means X-Box Live is less happy but that only decreases the number of people who can call me "fag" on a daily basis."

      Imagine how far it would decrease if you stopped posting on slashdot... fag.

    24. Re:Nothing new, really by kinabrew · · Score: 1

      I use Firefox on OS X behind an Airport Extreme(which supports NAT-PMP and not UPnP).

      I feel pretty safe.

    25. Re:Nothing new, really by Anonymous Coward · · Score: 0

      I also have Flash disabled by default because it is well known to be insecure and buggy and a delivery system for malware

      Compared to your average web browser, Flash Player has fewer security vulnerabilities. It does provide a single source of attack, though, so you'd have a point there if you'd said anything more useful than "insecure". Buggy? As a Flash developer (full disclosure and all), I've found my fair share, but I'd compare its bug count as equal to any other software. Malware? If you've caught malware from Flash Player, I'd like to meet you. Seriously, you're in the extreme minority. Flash Player is sandboxed more heavily than the Java runtime.

    26. Re:Nothing new, really by davros74 · · Score: 1

      I just ran into this with XboxLive and Open NAT vs Moderate NAT. I have a dual-homed Linux box as a firewall, so UPnP is rather a pain to setup, and I didn't really like the idea of enabling such a beast on my firewall (which filters both inbound AND outbound packets - even on the LAN side).

      Turns out UPnP is just an easier way to get XboxLive to work but NOT required. If you have an iptables based Linux firewall, just log all blocked/dropped packets while doing an XboxLive Connection test, then go back and enable those ports both directions (I had to use a combination of state tracking outbound connections, enabling forward rules both ways, and also doing DNAT on some unrelated incoming packets on the INPUT chain). I believe the main ports are 88, 1026 and 3074, mostly UDP. After fixing all blocked/logged packets during the XboxLive test, XboxLive reports my connection as OPEN NAT instead of moderate (but with the firewall still fully functional and filtering both ingress/egress packets). The key for me was to enable incoming 3074 UDP packets using DNAT to my Xbox360 IP and also enable WAN->LAN forward chain for the same ports. My Xbox360 has a static IP so DNAT is rather easy to configure.

      I am much happier with the iptables solution to get Open-NAT status instead of installing/configuring UPnP, or replacing my linux firewall with a Hasbro one (I actually do have a "Hasbro" one behind my linux firewall - mostly to serve as a 802.11g access point). UPnP is also poorly named. Most people think it has something to do with USB or other "Plug and Play" external devices, like HDDs and flash cards. Little do most people know it has to do with punching holes in your firewall, and it's enabled by DEFAULT in Windows (and most routers). There's really no excuse for it - instead of publishing online help such as "Get a router that supports UPnP", Microsoft could just come out and say "open and forward these ports to your Xbox360". A lot of people know how to add port forwarding and such on their routers. It's not rocket science. UPnP is completely insecure if enabled on a router. There's no protection from a rogue UPnP client at all.
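      The log-then-allow workflow from the post above, as an added example that is not part of the original thread: it parses netfilter LOG lines captured during the connection test, counts the dropped flows by direction and port, and emits the DNAT and FORWARD rules the post describes for a console at a fixed LAN address. The "DROP:" log prefix, the interface names eth0 (WAN) and eth1 (LAN), the address 192.168.1.50 and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the netfilter LOG target.
# The "DROP:" prefix is whatever you passed to --log-prefix (assumption here).
SAMPLE_LOG = """\
Jan 13 20:01:02 fw kernel: DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TTL=51 ID=0 DF PROTO=UDP SPT=3074 DPT=3074 LEN=40
Jan 13 20:01:02 fw kernel: DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.10 LEN=60 TTL=63 ID=0 DF PROTO=UDP SPT=3074 DPT=88 LEN=40
Jan 13 20:01:03 fw kernel: DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.11 LEN=60 TTL=63 ID=0 DF PROTO=UDP SPT=1026 DPT=3074 LEN=40
Jan 13 20:01:04 fw kernel: DROP:IN=eth0 OUT= SRC=192.0.2.12 DST=203.0.113.7 LEN=60 TTL=51 ID=0 DF PROTO=UDP SPT=3074 DPT=3074 LEN=40
Jan 13 20:01:05 fw kernel: DROP:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.10 LEN=60 TTL=63 ID=0 DF PROTO=TCP SPT=49152 DPT=3074 WINDOW=8192 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, prefix="DROP:"):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None if the
    line does not carry our log prefix. Bare flags such as DF or SYN are ignored."""
    marker = line.find(prefix)
    if marker < 0:
        return None
    fields = {}
    for key, value in KV_RE.findall(line[marker + len(prefix):]):
        fields.setdefault(key, value)  # keep the first LEN= (IP header), not the UDP one
    return fields


def classify(fields, wan_if, lan_if):
    """Map the IN=/OUT= interfaces to the chain that dropped the packet."""
    if fields.get("IN") == wan_if and not fields.get("OUT"):
        return "inbound"      # INPUT chain: unsolicited WAN packet, no DNAT rule yet
    if fields.get("IN") == lan_if and fields.get("OUT") == wan_if:
        return "outbound"     # FORWARD chain, LAN -> WAN
    if fields.get("IN") == wan_if and fields.get("OUT") == lan_if:
        return "forward-in"   # FORWARD chain, WAN -> LAN (already DNATed)
    return "other"


def summarize(log_text, wan_if="eth0", lan_if="eth1", host=None):
    """Count dropped flows as (direction, proto, dport). If `host` is given,
    only outbound flows from that LAN address (the console) are kept."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or "PROTO" not in f or "DPT" not in f:
            continue
        direction = classify(f, wan_if, lan_if)
        if direction == "outbound" and host and f.get("SRC") != host:
            continue
        counts[(direction, f["PROTO"].lower(), int(f["DPT"]))] += 1
    return counts


def generate_rules(counts, xbox_ip, wan_if="eth0", lan_if="eth1"):
    """Turn the summary into the iptables rules the post describes: state
    tracking, DNAT of unsolicited inbound packets to the console, and FORWARD
    rules in both directions. Returns command strings; nothing is executed."""
    rules = ["iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for direction, proto, dport in sorted(counts):
        if direction in ("inbound", "forward-in"):
            rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} "
                         f"--dport {dport} -j DNAT --to-destination {xbox_ip}")
            rules.append(f"iptables -A FORWARD -i {wan_if} -o {lan_if} -d {xbox_ip} "
                         f"-p {proto} --dport {dport} -j ACCEPT")
        elif direction == "outbound":
            rules.append(f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {xbox_ip} "
                         f"-p {proto} --dport {dport} -j ACCEPT")
    seen, unique = set(), []
    for rule in rules:              # drop duplicates but keep rule order
        if rule not in seen:
            seen.add(rule)
            unique.append(rule)
    return unique


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, host="192.168.1.50")
    for key, n in sorted(summary.items()):
        print(key, n)
    print("\n".join(generate_rules(summary, "192.168.1.50")))
```

      Review the generated rules before loading them: the script only allows the destination ports that were actually logged, so run the console's connection test long enough to capture every flow.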

    27. Re:Nothing new, really by jandrese · · Score: 1

      Yeah, that's the whole point of uPnP. Usually these games use UDP streams on random ports to communicate, so if both players are behind a NAT it can be a problem.

      --
      I read the internet for the articles.
    28. Re:Nothing new, really by bigpresh · · Score: 1

      It's you're not your you stupid fucking illiterate shit! For fuck's sake, how hard is it to get such simple grammar correct!


      If you're going to ask a question, you end it with a question mark.
    29. Re:Nothing new, really by Brian+Gordon · · Score: 1

      Well that's dumb.. the client should query the server for updates and attach its own updates, the server shouldn't be trying to push them

  2. arxiv by Anonymous Coward · · Score: 0

    I believe there is a paper covering this on arxiv.

  3. Turn off UPNP by russ1337 · · Score: 5, Insightful

    I thought the recommended steps for setting up a router were:

    A. Unbox
    B. Throw away the disk
    C. Plug in your machine, Turn on the router and navigate to the webgui
    D. Turn off UPNP
    E. ??? (Change default name and password, set WPA, Turn off SSID etc....)
    F. Profit...

    The point is, I'd always been told to turn off UPNP 'cos sooner or later something is going to open ports that you don't know about.

    1. Re:Turn off UPNP by Corporate+Troll · · Score: 3, Insightful

      Change default name and password, set WPA, Turn off SSID etc....

      I'm okay with all of that. The only thing I never get is why to turn off the SSID broadcast. If it's well secured, it doesn't matter if they know it's there or not. Besides, I'm pretty sure that just listening to traffic will reveal the presence of a wireless network.

    2. Re:Turn off UPNP by Z-MaxX · · Score: 5, Informative

      I thought the recommended steps for setting up a router were:
      ... D. Turn off UPNP

      I guess that is the wise choice. But UPnP is very handy for me because my home machines always get different IPs from my router, so if I want to port-forward BitTorrent ports to my laptop, desktop, etc., I have to go in and change the port-forwarding config on the router every time I get assigned a new IP. Big PITA. But then I discovered how Azureus can use UPnP to automagically forward the ports for me on the fly. It seems to work fine. Too bad it's a security risk.

      --
      Dr Superlove 300ml. I use my powers for awesome
    3. Re:Turn off UPNP by yuna49 · · Score: 5, Informative

      BitTorrent users often use uPNP to punch a hole through the router for torrents. Many torrenting "how-tos" specify using uPNP for this purpose, and it's commonly enabled in many BT clients like Azureus and uTorrent. For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

    4. Re:Turn off UPNP by FlashBIOS · · Score: 5, Informative

      See if your router supports port triggering or look for that feature in your next router. It is a way to automate port forwarding, and would help you in your setup without being the security risk UPnP is.

    5. Re:Turn off UPNP by bjackson1 · · Score: 1

      You could just do DHCP reservations.

    6. Re:Turn off UPNP by EvilRyry · · Score: 2, Insightful

      Right. And it's also rather annoying when you do a quick look around to find a vacant channel. "Oh look, no one is on channel 1, lets use that!" Only to find out a short while later that 5 networks are using that channel, but all of them have SSID broadcast disabled.

      Anyone who can break into your wifi can probably find your SSID if broadcast is disabled, all you need to do is wait and listen.

    7. Re:Turn off UPNP by pipatron · · Score: 5, Informative

      Configure your DHCP server (your router in this case) to always give the same IP to the machines that you run server software on. It's trivial, really.

      --
      c++; /* this makes c bigger but returns the old value */
    8. Re:Turn off UPNP by Firehed · · Score: 1

      Like so many things, UPNP is a tradeoff between security and convenience. Want a stronger password? You have to type in an annoying password every time you want to do anything. Want secure WiFi? Then make sure you write down your 64+character alphanumeric nonsense passphrase and be sure to add your MAC address into the allowed users table, after going through a second insane password to hit your router's config panel. Want to lower the risk of a break-in? Then set or open both a lock and deadbolt every time you pass through the door.

      In the case of UPNP, I go for convenience. I know the risks, but I also know enough about how to avoid this that the convenience is worth the risk for me.

      --
      How are sites slashdotted when nobody reads TFAs?
    9. Re:Turn off UPNP by Tim+Browse · · Score: 2, Insightful

      Er, you 'don't get' the whole 'change default password crap'? Even though you 'usually' look up the password on a 'list of manufacturer default'?

      Want to run that by us again? :-)

    10. Re:Turn off UPNP by binaryspiral · · Score: 5, Funny

      For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

      If uPNP is a godsend to those people... they need to get a better God.

    11. Re:Turn off UPNP by MBGMorden · · Score: 3, Insightful

      The other funny thing is that he claims to be "completely crashing a router so it resets to factory defaults". Now most of them do that after a firmware update (but you have to already have admin access for that, so no glory there), or if you do a hardware reset, in which case you need physical access to the device. I have NEVER heard of any router that will reboot with factory default settings if it crashes (and believe me, my first D-Link router several years ago crashed on a near daily basis - the poor little processor inside of it couldn't keep up with the number of connections my P2P software was making).

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    12. Re:Turn off UPNP by Tony+Hoyle · · Score: 1

      UPNP can be blown wide open with well crafted perl script. It has zero authentication and most implementations even allow portforwarding to machines outside the LAN.

      Basically if you're going to enable UPNP you might as well disable all your other security as well in the name of convenience.
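      The two weaknesses named in the post above (no authentication, and mappings allowed to addresses outside the LAN) can be checked for on the router side before a mapping is honoured. The following is an added example, not code from any router or from the GNU Citizen research: it parses a UPnP IGD AddPortMapping SOAP request and applies a policy that the IGD specification itself does not require. The SOAP body, the LAN 192.168.1.0/24, the router address 192.168.1.1 and the policy rules are all assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed SOAP body of the kind an IGD client (e.g. a torrent client) posts
# to the WANIPConnection control URL. Argument names are those of the IGD
# AddPortMapping action; the values are made up.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>6881</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>6881</NewInternalPort>
   <NewInternalClient>192.168.1.50</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>Azureus</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_add_port_mapping(xml_text):
    """Return the AddPortMapping arguments as a dict, or None if the body
    carries some other action."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "AddPortMapping":
            return {_local(child.tag): (child.text or "").strip() for child in el}
    return None


def check_mapping(args, requester_ip, lan_net, router_ip):
    """Policy a router could apply before honouring a mapping request.
    Returns (ok, reason). These rules are an assumption for the example:
    - the internal client must lie inside the LAN (no mapping to outside hosts),
    - the client may only open ports to itself, not to another LAN machine or
      to the router's own address,
    - protocol and port values must be sane."""
    try:
        client = ipaddress.ip_address(args["NewInternalClient"])
        requester = ipaddress.ip_address(requester_ip)
        external = int(args["NewExternalPort"])
        internal = int(args["NewInternalPort"])
    except (KeyError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        return False, "unknown protocol"
    if not (1 <= external <= 65535 and 1 <= internal <= 65535):
        return False, "port out of range"
    if client not in ipaddress.ip_network(lan_net):
        return False, "internal client is outside the LAN"
    if client == ipaddress.ip_address(router_ip):
        return False, "mapping targets the router itself"
    if client != requester:
        return False, "client may only open ports to itself"
    return True, "ok"


if __name__ == "__main__":
    args = parse_add_port_mapping(SAMPLE_REQUEST)
    print(args)
    # Legitimate: the host that sent the request asks for a port to itself.
    print(check_mapping(args, "192.168.1.50", "192.168.1.0/24", "192.168.1.1"))
    # Same body sent from a different LAN host: refused.
    print(check_mapping(args, "192.168.1.77", "192.168.1.0/24", "192.168.1.1"))
```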

    13. Re:Turn off UPNP by Joe+The+Dragon · · Score: 1

      You forgot one big step UPDATE the firmware

    14. Re:Turn off UPNP by mzs · · Score: 1

      I just have two ports open for this. You only need it for the initial incoming connection. I only had to do it once.

    15. Re:Turn off UPNP by ookabooka · · Score: 2, Informative

      Agreed. I'm sure there are even games that support uPnP so when you host a game, the appropriate port is automatically forwarded. IMO, if you keep a tidy computer network with virus scanners on your computers and scan for malware, then it's not much of an issue. It's still better than hooking up your computer directly to the internet and having Windows services exposed. You have to compromise the computer before you can use UPnP to allow the attacker in anyways. What's so bad about having a lock that's easy to disable from the inside? It basically comes down to ease of use versus security. I happen to think the benefits of having programs being able to quickly do port forwarding themselves so I don't have to outweigh the possibility that someone can use the same ability to make a trojan work because I feel I am relatively safe (I'm not an idiot and acknowledge nothing is 100% foolproof) against such security breaches.

      --
      If you are about to mod me down, keep in mind that this post was most likely sarcastic.
    16. Re:Turn off UPNP by mweather · · Score: 1

      You forgot the part about installing a dedicated firewall.

    17. Re:Turn off UPNP by mzs · · Score: 1

      Or just give them static IPs. You can have the rest via DHCP for convenience even if the IP is fixed.

    18. Re:Turn off UPNP by morgan_greywolf · · Score: 2, Informative

      You're right, but many routers do NOT support this feature out-of-the-box, the most notable of these being the WRT54G.

      Personally, I just run a standard ISC DHCP daemon on one of my boxes and then configure it to dole out addresses to machines that need 'static' IPs for server functionality. I also have a dynamic port range for other boxes and devices that can change without any adverse effects.

      On a Linux machine (currently there are packages for Ubuntu, Debian and Fedora, plus some others), this can be made easy by the use of the gadmintools' ghdpcd.

    19. Re:Turn off UPNP by morgan_greywolf · · Score: 2, Insightful

      Using true static IPs is much less convenient than configuring a dhcp server to dole them out. One problem is moving a machine (like a laptop or lan-party gaming computer) between networks -- static IPs can make things sticky.

    20. Re:Turn off UPNP by KiloByte · · Score: 0, Offtopic

      But with your computer having 1e38 fans noisily buzzing around when you sleep, and guzzling power like American cars guzzle gas, why would you even bother running torrents on your personal machine? It's so much more efficient to do that on the damn router itself.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    21. Re:Turn off UPNP by Anonymous Coward · · Score: 1, Insightful

      Yes, but the fact it's convenient doesn't change the fact that UPnP is a fundamentally stupid and broken protocol. Exploiting it is NOT a new phenomenon, it's been going on since it was introduced. If a LAN client wants to open a port then fine, but they should have to authenticate and supply a password ... preferably a unique one written on the bottom of the router WPA-PSK style, rather than "admin" or "linksys" ...

    22. Re:Turn off UPNP by SpacePirate20X6 · · Score: 1

      Perhaps it is a good thing, then, that there is some technical barrier required in order to use something. If you want it that bad, maybe you should work for it.

    23. Re:Turn off UPNP by MMC+Monster · · Score: 1

      If your router doesn't support this feature, you may want to consider changing the firmware of the router.

      I am using DD-WRT (http://www.dd-wrt.com/wiki/index.php/Main_Page), and it's much more functional than the original firmware of my linksys WRT-54GL router. It's also rock stable, once it's installed (Just follow the installation directions closely).

      --
      Help! I'm a slashdot refugee.
    24. Re:Turn off UPNP by iCEBaLM · · Score: 1

      WRT54G (Arguably the most prolific consumer grade router in existence) does support static IP assignments via DHCP.

    25. Re:Turn off UPNP by _.-+thimk!+-._ · · Score: 5, Informative

      There are a couple of principles you seem to be missing, starting with the idea of relative security. It is possible to make a wireless network 'more secure' than it is, as configured by default out of the box. It does help, in the same way that improving the security on the average home helps. Will it stop someone determined to get in? Very probably not. Can you make it easier for someone to go to the house next door, that has not implemented any of the steps to secure themselves? Yes. As a rule, people are usually lazier than they are determined to get into one specific network. If folks are serious about wanting a secure network, there are all sorts of things they can do. Most of them involve not having a wireless connection, or spending a *lot* more time, money, and effort on it than folks do on the average home network. Having noted that, let's look at your list.

      Hidden SSID: One commonly expressed theory behind hiding a SSID is similar to why you lock your car. If your car is locked, it's a less attractive target than one which isn't. Hiding your SSID does make a network a less obvious target than one which is visible. It doesn't impede any serious search for networks by someone knowledgeable, but it will remain hidden to casual view. Is this vaguely inconvenient? Possibly, but then, really, so are locks. Really, I've never been so fond of that analogy.

      If you like, I think a better analogy might actually be that hiding your SSID is like planting a bush in your front yard that obscures a direct view of your front door. It doesn't really make your door any more secure, in and of itself, but it might make it less obvious that there's a door there to begin with. Someone simply walking by might not notice it, but someone sitting in their car, watching folks come and go is sure to notice it. It just makes it more likely that a casual passerby might try one of the obvious doors nearby to see if they can get in, rather than trying yours.

      MAC Filtering: Similarly, MAC filtering is better than not MAC filtering. The observer can't get on the network unless they spend enough time analyzing active traffic to sift for MAC info. Yes, with the right tools 'enough time' is relative, and not all that long. But, if you're not around using your wireless network when they're doing the analysis, it's difficult to obtain that info, since your MAC isn't being broadcast to begin with. Is it perfect security? Not by any means, but, again, it's a lot easier to get onto a network that's not using it than one which is. Not everyone is running Kismet with a wireless network card configured in promiscuous mode, and even with the number of folks who are, most are more likely to roll a half block down to the completely open network that's almost invariably there than spend time trying to get onto the more secure network, simply for the challenge of it.

      Change the default password: If you seriously don't understand this, then you are completely clueless, regardless what tools you're using. Just because you can guess a few passwords using the short list that unimaginative folks commonly use doesn't mean that you can guess any password. (Of course, script kiddies commonly don't have any idea why what they use works, but that doesn't mean it doesn't.) If you were thinking at all about what you were writing, you'd see you make the point yourself as to exactly why it's important. You commonly 'just look up manufacturers default passwords'. If they set a proper password, it makes things more difficult, and you have to try to guess it. With a good password, you're not going to simply guess it.

      Crashing the Router: As for your alternative, no decent router should ever come back up with the factory presets after a simple crash. It should always come up with the custom settings, or, failing that, remain hung until manually reset by hand. Even if they do come up with the factory defaults, for modern routers at least, that should be with the external management interface disabled.

      Not

    26. Re:Turn off UPNP by d3ac0n · · Score: 1

      Wait...

      You people actually run consumer-level commercial wireless routers?

      Apparently I'm the only one here that runs a Smoothwall router and a separate wireless bridge connected to a DMZ'ed network. Wired connections on the normal network, wireless on the DMZ. Soon I'll be upgrading to include a wireless card in my smoothie, and it will run everything. What self-respecting geek actually uses consumer-end garbage and doesn't DIY a proper router/firewall?

      I AM on Slashdot, right? ;)

      --
      Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    27. Re:Turn off UPNP by Corporate+Troll · · Score: 1

      Hiding your SSID does make a network a less obvious target than one which is visible.

      Security through obscurity, eh? Ehm, just saying: the SSID is transferred in plaintext. Oh, and the equivalent of locking your access point is not hiding the SSID, but encrypting all connections.
    28. Re:Turn off UPNP by InvisiBill · · Score: 2, Informative

      WRT54G (Arguably the most prolific consumer grade router in existence) does support static IP assignments via DHCP.

      Certain versions, at least, do not. That was the main reason I switched to DD-WRT. The compact version also did not support it last I knew (a friend has this router).

      But yes, even the D-Link DI-704 that I purchased in 2000 for $20 (i.e. it was really cheap a really long time ago) did support reserved DHCP, and I'll never again use a router without it. I personally find it unforgivable that Linksys' instructions for port forwarding essentially tell you to completely disable DHCP and just manually configure every device on your network.

    29. Re:Turn off UPNP by Temujin_12 · · Score: 1

      I think you mean UDP hole punching (aka: NAT traversal) not UPnP. UDP hole punching is used by the likes of Skype, Hamachi, torrent clients (look at the NAT traversal column in the table), p2p clients, and any other service that needs to listen on a port w/o having to rely on correct forwarding of traffic on intermediate nodes.

      Of course, if you want the benefits of TCP with this method, you then have to implement TCP over UDP to do this (which I know Hamachi does).

      --
      Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
    30. Re:Turn off UPNP by squallbsr · · Score: 1

      If I remember correctly, the SSID is also part of the encryption scheme; even if it is not, it is yet one more detail that somebody would have to figure out to connect to your wireless network. This keeps most of the casual script kiddies off your network. Most consumer models wouldn't help too much in keeping your network secure against somebody who is talented in the black art of network penetration.

      By the way, Vista will show (or something like that, going off of memory) for WANs with SSID broadcast disabled.

      I don't know everything, nor do I usually claim to...

      --
      Sleep: A completely inadequate substitution for Caffeine.
    31. Re:Turn off UPNP by TheRaven64 · · Score: 1

      For some that don't, you can still configure the length of a DHCP lease. Setting this to a few years has the same effect if you don't have more computers than IPs in your private subnet.

      --
      I am TheRaven on Soylent News
    32. Re:Turn off UPNP by ricklow · · Score: 1

      No it's _not_ trivial, really.

      The mainstream D-Link and Linksys routers that Joe Public buys do not support static IPs for the DHCP servers. You get to pick a range of dynamic addresses, that's all.

      So unless the OP is running something non-standard, like DD-WRT, this is probably not an option.

      --
      "Oh God help us. We're in the hands of engineers."
    33. Re:Turn off UPNP by yo_tuco · · Score: 1

      "E. ??? (Change default name and password, set WPA, Turn off SSID etc....)"

      Turning off SSID is pointless. It is easy to discover it for those that would want to know.

    34. Re:Turn off UPNP by vux984 · · Score: 1

      Configure your DHCP server (your router in this case) to always give the same IP to the machines that you run server software on. It's trivial, really.

      Not trivial if your router doesn't support that feature. And I've worked with dozens of routers from SMC, Linksys, Dlink, etc that don't support it.

    35. Re:Turn off UPNP by Stavr0 · · Score: 2, Insightful

      AC > I don't get the whole [yadda yadda yadda]

      The hidden SSID and WEP encryption is meant as a polite message to white hat hackers that I'd rather they not use my AP as my bandwidth is metered by my ISP.

      If you are an asshole who will hack and pwn my AP anyway then you're no better than the thief with the crowbar that smashes car windows to steal CDs and the spare change in coin boxes. If I'm lucky enough to be home as you do this, I'll grab my camera and a baseball bat to record your feats and your license plate, then use the baseball bat to smash your laptop to bits.
      //Internet tough guy

    36. Re:Turn off UPNP by bhtooefr · · Score: 1

      Or, even, use static IPs.

      There's apps out there that assign different settings based on which network you're on, if you go between networks.

    37. Re:Turn off UPNP by Corporate+Troll · · Score: 2, Informative

      I linked this already elsewhere. It doesn't mention anything about being used for encryption, so I hope you're wrong. (You're not: WPA-PSK uses it in the hash-function of passwords.) Still, the SSID is unhideable, since the first link shows it's transmitted in cleartext.

    38. Re:Turn off UPNP by Corporate+Troll · · Score: 1

      Why don't you use WPA? It's 1000x better than WEP. The asshole that wants to crack it will need much more time, and as such will be discouraged even more.

    39. Re:Turn off UPNP by internewt · · Score: 1

      I think a lot of BS that we see in the consumer electronics field is simply the PHBs making decisions. Maybe Linksys had what they thought was an abnormal amount of support queries relating to DHCP reservations? So they simply removed the features that complicate their DHCPd: you now get a choice of "fully auto" or "manual" and Linksys don't have to explain to users what a MAC address is, what a DHCP reservation is, what a static IP is, what an IP is... etc..

      --
      Car analogies break down.
    40. Re:Turn off UPNP by h9 · · Score: 1

      I wonder if home defense could be used as a clause for shooting someone who is stealing your wireless.

      I mean, it is something that is yours.

    41. Re:Turn off UPNP by Atti+K. · · Score: 0

      I thought the recommended steps for setting up a router were:

      A. Unbox
      B. Throw away the disk
      C. Plug in your machine, Turn on the router and navigate to the webgui
      C. step2: Install OpenWRT, DD-WRT, or your favorite variant. (don't even buy a router that can't run it) Customize as you like.

      D. Turn off UPNP
      E. ??? (Change default name and password, set WPA, Turn off SSID etc....)
      F. Profit...

      The point is, I'd always been told to turn off UPNP 'cos sooner or later something is going to open ports that you don't know about.

      There. Fixed that for you. ;)

      --
      .sig: No such file or directory
    42. Re:Turn off UPNP by mtmra70 · · Score: 1

      Funny, I have all my ports closed/UPnP disabled yet Azureus downloads AND uploads without a problem. I used to open a port manually to help seeding, but I found the uploading has not been affected by leaving the ports closed.

      Running a WRT54G with DD-WRT

    43. Re:Turn off UPNP by goldspider · · Score: 1

      I'm not sure which routers you're talking about, but my JoeSixpack D-Link router supports static DHCP. Just assign an IP to each MAC address.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    44. Re:Turn off UPNP by Anonymous Coward · · Score: 0
      "...my home machines always get different IPs from my router..."

      Really? Are you sure? And if so, have you tried to determine why? DHCP is not nearly as random as people often seem to think it is. As long as your pool of addresses is larger than your number of clients, and you don't reboot your router or otherwise clear your MAC/IP association table, your clients should keep getting the very same addresses indefinitely.

      In any case, as has already been said, you could solve this by using static IPs, or in the case of laptops or other portable devices, DHCP reservations. Same IP every time, no funky protocol required.

    45. Re:Turn off UPNP by altinos.com · · Score: 1

      Home defense would only work if you were in fear of your life or the life of your family. I highly doubt a WiFi thief is that dangerous to you.

    46. Re:Turn off UPNP by adolf · · Score: 3, Informative

      All of us self-respecting geeks realized, years ago, that it was far cheaper, easier, and better to run OpenWRT/DD-WRT/Alchemy on a WRT54G from Wal-Mart, than to maintain yet-another-fucking-PC at home.

      It's a good gig: A Linux box with 5 Ethernet ports and a WiFi radio for ~$50.

      Having zero moving parts and negligible power consumption is a big help, too.

    47. Re:Turn off UPNP by plague3106 · · Score: 1

      My consumer level router supports RADIUS authentication. I'd say things should be pretty secure.

    48. Re:Turn off UPNP by TheThiefMaster · · Score: 1

      I was impressed that the BT router my parents got recently came with encryption on (only WEP I think, but better than off), and the wireless password is set and different for every router (it's written on the router, and is a random set of characters, probably based off the serial number). That's the most secure "by-default" router I've seen so far.

    49. Re:Turn off UPNP by RpiMatty · · Score: 2, Informative
      Just make a couple of .bat files to change your ip address. (I am assuming windows because you said gaming machine).

      netsh interface ip set address name="Local Area Connection" static 192.168.101.2 255.255.255.0 192.168.101.1 1
      That will set your ip to 192.168.101.2 with a gateway of 192.168.101.1 - Fill in your own home network values.

      Here is a 3 line .bat file to set dhcp, renew your address, and pause to show you the results.

      netsh interface ip set address "Local Area Connection" dhcp
      ipconfig /renew "Local Area Connection"
      pause

      I have about 6 different batch files in a folder in my Quick Launch toolbar on my WinXP work laptop. It takes 2 clicks for me to change my ip address. If I go to a new site where I need to create a new static ip, I just copy one of the batch files, rename it and put in the new information.
    50. Re:Turn off UPNP by Anonymous Coward · · Score: 0

      Port triggering still doesn't help with multiple computers trying to use the same services. In order for it to work, each computer must be configured to use a different set of ports. If you are going to go through the hassle of doing that, why not just go the whole way and lock down the port forwarding?

    51. Re:Turn off UPNP by Stavr0 · · Score: 2, Insightful

      Why don't you use WPA? It's 1000x better than WEP.

      I have a crusty old PDA which knows nothing about WPA.

      The asshole that wants to crack it will need much more time, and as such will be discouraged even more.

      There are open default and linksys APs right next to mine. Why bother with mine?

    52. Re:Turn off UPNP by Anonymous Coward · · Score: 0

      Turning off SSID is pointless. It is easy to discover it for those that would want to know.

      Not pointless, it's enough to cause 99% of attackers to go for the network who is still broadcasting their SSID. Standard WiFi clients will simply not see the network and won't bother to try to connect to it. It's a minor deterrent against casual attackers.

      More determined attackers who are singling you out for an attack are a whole different risk. Nothing short of turning off the WiFi Access Points is likely to stop them (even then, they'll resort to social engineering and other tricks).

      Your stance is similar to saying that putting a 28" fence around your yard is pointless against those who want to trespass. Sure, any able-bodied person can get over it, but it still serves as notice that your yard is not public property.

    53. Re:Turn off UPNP by NevermindPhreak · · Score: 1

      Agreed. I keep uPNP turned ON on all the routers I configure. I rely on security on the computer instead of on the router, since attacks can come from within the network just as easily as they can come from outside. Kerio Personal Firewall and NOD32 have yet to steer me wrong in the last several years.

      uPNP is a godsend because it lets me avoid constantly messing with settings for p2p programs for me and my roommates. Port triggering was a good idea until two people wanted to use the same ports. Port forwarding was a joke because I'd have to configure every new MAC address to get a static IP from the router, configure certain ports for each new computer, and then fuck with every piece of software to change its default port if it required inbound connections. uPNP just works, and the most I ever have to tell my roommates is "go into the program's settings and check the uPNP box."

    54. Re:Turn off UPNP by koreanbabykilla · · Score: 1

      I have
      eth0 ---> to cable modem
      eth1 ---> to switch
      eth2 is wifi

      have a tap0 and eth1 bridged

      here is my /etc/shorewall/policy
      $FW     rflan   ACCEPT
      $FW     net     ACCEPT
      $FW     bridg   ACCEPT
      $FW     all     DROP    info
      lan     bridg   ACCEPT
      lan     all     DROP    info
      rflan   all     DROP    info
      tap     all     DROP    info
      bridg   $FW     ACCEPT
      bridg   net     ACCEPT
      bridg   all     DROP    info
      net     all     DROP
      all     all     REJECT  info

      and here is /etc/shorewall/rules

      Ping/REJECT     net                     $FW
      Ping/REJECT     bridg                   net
      DNS/REJECT      bridg                   net
      DNAT            net                     bridg:10.0.0.4  tcp     49205
      DNAT            net                     bridg:10.0.0.4  udp     49205
      ACCEPT          rflan:192.168.200.3     $FW             udp     1194

      then I run openvpn on port 1194 on eth2

      (if you want more details like dhcpd and openvpn let me know)
      I have no WEP/WPA on eth2 and I live close enough to a local university to pick up their APs
      and I've never had anyone even successfully get a 192.168.200.x much less hack my vpn and get a 10.0.0.x with a gateway :)
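      Reading which traffic this firewall actually admits is easier with an evaluator than by eye. The block below is an added example, not Shorewall's own code: a toy model of Shorewall's evaluation order (rules file first, top to bottom, then the first matching policy line, with `all` as wildcard and `$FW` for the firewall host) fed the policy and rules text from the post above, with the `Ping` and `DNS` macros expanded by hand. Packet, Rule, decide() and the rest are names chosen here; real Shorewall builds per-zone iptables chains and its macros carry more parameters than modelled.

```python
"""Toy "what happens to this packet?" evaluator for a Shorewall-style policy and
rules pair.  Added example, not Shorewall code: it models only the semantics
needed to read the configuration above -- rules are checked first, top to
bottom; if none matches, the first matching policy line decides; 'all' is a
wildcard and '$FW' is the firewall itself.  The Ping and DNS macros are
expanded by hand; real Shorewall macros and per-zone chains are richer.
"""
from dataclasses import dataclass
from typing import Optional

# Policy and rules text taken from the post, whitespace normalised.
POLICY = """
$FW     rflan   ACCEPT
$FW     net     ACCEPT
$FW     bridg   ACCEPT
$FW     all     DROP    info
lan     bridg   ACCEPT
lan     all     DROP    info
rflan   all     DROP    info
tap     all     DROP    info
bridg   $FW     ACCEPT
bridg   net     ACCEPT
bridg   all     DROP    info
net     all     DROP
all     all     REJECT  info
"""
RULES = """
Ping/REJECT     net                     $FW
Ping/REJECT     bridg                   net
DNS/REJECT      bridg                   net
DNAT            net                     bridg:10.0.0.4  tcp     49205
DNAT            net                     bridg:10.0.0.4  udp     49205
ACCEPT          rflan:192.168.200.3     $FW             udp     1194
"""
# Hand-expanded macros: Ping is ICMP echo-request (type 8), DNS is port 53.
MACROS = {"Ping": [("icmp", 8)], "DNS": [("udp", 53), ("tcp", 53)]}

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int                      # destination port, or ICMP type for icmp
    src_host: Optional[str] = None  # source address, when a rule restricts it

@dataclass
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]         # e.g. rflan:192.168.200.3 -> "192.168.200.3"
    dst_zone: str
    matches: list                   # (proto, port) tuples, or [None] for anything

def _split_zone(field: str):
    zone, _, host = field.partition(":")
    return zone, host or None

def parse_rules(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, (src_zone, src_host) = parts[0], _split_zone(parts[1])
        dst_zone, _ = _split_zone(parts[2])  # for DNAT the host after ':' is the rewrite target
        if "/" in action:                     # macro form such as Ping/REJECT
            macro, action = action.split("/")
            matches = MACROS[macro]
        elif len(parts) >= 5:
            matches = [(parts[3], int(parts[4]))]
        else:
            matches = [None]
        rules.append(Rule(action, src_zone, src_host, dst_zone, matches))
    return rules

def parse_policy(text: str) -> list:
    """Each line as [source, dest, action]; the trailing log level is ignored."""
    return [line.split()[:3] for line in text.strip().splitlines()]

def _rule_matches(r: Rule, p: Packet) -> bool:
    if r.src_zone != p.src_zone or r.dst_zone != p.dst_zone:
        return False
    if r.src_host and r.src_host != p.src_host:
        return False
    return any(m is None or m == (p.proto, p.dport) for m in r.matches)

def decide(p: Packet, rules=None, policy=None) -> str:
    """Action for one packet: first matching rule, else first matching policy."""
    rules = parse_rules(RULES) if rules is None else rules
    policy = parse_policy(POLICY) if policy is None else policy
    for r in rules:
        if _rule_matches(r, p):
            return r.action
    for src, dst, action in policy:
        if src in ("all", p.src_zone) and dst in ("all", p.dst_zone):
            return action
    return "REJECT"  # not reached here: the final all/all line catches everything

if __name__ == "__main__":
    for pkt in (Packet("net", "bridg", "tcp", 49205), Packet("net", "bridg", "tcp", 80),
                Packet("rflan", "$FW", "udp", 1194, "192.168.200.3"),
                Packet("rflan", "$FW", "udp", 1194, "192.168.200.9")):
        print(pkt, "->", decide(pkt))
```

      Run as a script it prints the verdicts for a few packets: the open wireless zone (rflan) only ever reaches the OpenVPN port on the firewall, and only from 192.168.200.3, everything else from that zone is dropped by the `rflan all DROP` line, which is why an unencrypted eth2 is tolerable in this design.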

    55. Re:Turn off UPNP by Alioth · · Score: 1

      That's the thing I do too. The very day uPnP came out, I remarked what a dreadful idea it was, invented by the clueless who want everything luser friendly and damn any silly ideas about security.

      I wonder which company thought up the appalling idea that is uPnP.

    56. Re:Turn off UPNP by Mike1024 · · Score: 1

      I've never understood why anyone would choose MAC filtering or a hidden SSID instead of (or as well as) WPA encryption.

      To extend your analogy, if your door has locks you know to be secure, planting a bush in front of your door will provide a negligible security benefit, so what's the point? Planting a bush instead of engaging the locks would seem an unwise decision, too.

      Why use hidden SSID/MAC filtering at all?

      Just my $0.02

      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
    57. Re:Turn off UPNP by raju1kabir · · Score: 1

      All of us self-respecting geeks realized, years ago, that it was far cheaper, easier, and better to run OpenWRT/DD-WRT/Alchemy on a WRT54G from Wal-Mart, than to maintain yet-another-fucking-PC at home.

      Bingo.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    58. Re:Turn off UPNP by russ1337 · · Score: 1

      There. Fixed that for you. ;)

      Yeah funny enough, your 'correction' is more accurate in my situation as I do have DD-WRT on my WRT54GL. I just figured I'd get flamed to hell if I put that in such an early post, so focused on the switching off of UPnP. Thanks though. ;-)

      I was almost going to go into a huge anti-Vista rant. I bought a Vista laptop and the 'wizard' wanted me to plug in to the router so it could 'configure' it with none other than UPnP. (read: mess up all my router settings for the rest of my network).

      For the life of me I couldn't get wireless working without running the wizard. I didn't care too much as I just installed Ubuntu 7.10 over it anyway - worked a treat with a huge increase in responsiveness!
    59. Re:Turn off UPNP by raju1kabir · · Score: 1

      Go to the manufacturer's web site and upgrade the firmware. These days they generally do support DHCP reservations. I've got a big box'o'routers and I think the SMC Barricade is the only one of the bunch that doesn't have it.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    60. Re:Turn off UPNP by Lost+Engineer · · Score: 1

      If you disable config over wireless you don't need a password at all. In that case, presumably no one can get to your router who is not plugged in, in which case (again assuming) they have physical access to your router and can do whatever they want to it. Also if you enable WPA, someone would have to crack it to reconfigure your router, in which case they've already pwnt your network. So, yes, the password can be another layer of security but it's not one you want an attacker to get to. Mostly good for keeping your roommate/wife/little sister from messing with things.

    61. Re:Turn off UPNP by Cramer · · Score: 4, Funny

      Simple. Buy one of the new Linksys Draft-N routers and put it in 40MHz mode. It'll stomp all over them.

    62. Re:Turn off UPNP by KevReedUK · · Score: 3, Insightful

      planting a bush in your front yard that obscures a direct view of your front door

      From a security perspective, I would never want one of these as, if someone were at my front door trying to pick the lock, they would be obscured from view. I find living in a neighbourhood where there is the appearance that all the neighbours are nosy is far more effective as a form of security.
      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    63. Re:Turn off UPNP by NaDrew · · Score: 1

      There's apps out there that assign different settings based on which network you're on, if you go between networks.

      Got a recommendation? I move my laptop between home and work every day and would love to use static at home, DHCP at work.
      --
      Vista:XPSP2::ME:98SE
    64. Re:Turn off UPNP by bhtooefr · · Score: 1

      Myself, I use ThinkVantage Access Connections, but that only works on ThinkPads.

    65. Re:Turn off UPNP by vux984 · · Score: 1

      Your big box'o'routers is evidently mostly newer than mine.

      Mine, for the most part, haven't seen firmware updates available since 2005. Some as far back as 2002. Those older revision Linksys BEFSR41's are all most people really need for a dial-up to ADSL upgrade.

    66. Re:Turn off UPNP by Zaiff+Urgulbunger · · Score: 1

      FYI my Netgear DG834G supports this.

    67. Re:Turn off UPNP by NaDrew · · Score: 1

      Myself, I use ThinkVantage Access Connections, but that only works on ThinkPads.

      Thanks for the tip, anyway.
      --
      Vista:XPSP2::ME:98SE
    68. Re:Turn off UPNP by fm6 · · Score: 1

      Then replace the mothers. You can get a decent router for $25.

    69. Re:Turn off UPNP by Anonymous Coward · · Score: 0

      "MAC Filtering: Similarly, MAC filtering is better than not MAC filtering. The observer can't get on the network unless they spend enough time analyzing active traffic to sift for MAC info."

      All they need is 1 packet from a legitimate client.

    70. Re:Turn off UPNP by vux984 · · Score: 1

      Then replace the mothers. You can get a decent router for $25.

      1) Seriously. If having your LAN ip not ever change is really an issue, just set up your PC with a static ip outside the DHCP range. No need for most people to buy a whole new router.

      2) You -can- get a decent router for $25.00 and I've done it. But usually to get something decent that's brand name and not have to wait for a clearance sale anything 'decent' usually runs 40-50 bucks.

    71. Re:Turn off UPNP by couchslug · · Score: 1

      "All of us self-respecting geeks realized, years ago, that it was far cheaper,"
      Maybe on the electric bill, but next to my welding gear whatever my PCs draw is trivial.
      "easier,"
      Setting up a m0n0wall box from free leftovers was easier than buying and flashing a Linksys, and if my ghetto router poots I can fix it free from my spare parts box. It has been running 24/7 since 2000 with no problems (and the Asus P55T2P4 mobo/Magitronic case/PSU are years older).
      "and better to run OpenWRT/DD-WRT/Alchemy on a WRT54G from Wal-Mart, than to maintain yet-another-fucking-PC at home."
      Maintain? I blew the dust out a couple of years ago. Passive CPU heatsink and low power draw lets me ignore it. I could probably disconnect the PSU fan, but that's too much like work.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    72. Re:Turn off UPNP by toddestan · · Score: 1

      I have a router PC too, in my case it runs m0n0wall on an old PIII (way overkill). I would figure there would be a lot of people like us around here. My firewall doesn't even support UPnP, so no worries there.

    73. Re:Turn off UPNP by adolf · · Score: 2, Interesting

      You preach to the choir.

      I have several PCs (one desktop, one old laptop, one ancient laptop) which I've tried to eliminate moving parts from.

      The desktop is a machine which I occasionally use through a KVM, which only exists to operate a Soundblaster Live card using (exceptionally fine) KX Audio Driver. This turns an old (and also exceptionally fine), quadraphonic Pioneer receiver into an exquisitely-tweaked biamplification setup for the computer room's audio, while being able to convert to a rather featureful bass guitar amplifier at the push of a button.

      The hard drive is gone, its old-skool K6-2 heatsink/fan combo replaced by a huge heatsink from the high-dissipation Socket A days, and its power supply fan replaced with a slow-moving thermostatically-controlled job which should last for decades. Storage is a 2-gigabyte Transcend compact flash card, which seems to contain Windows XP just fine. (2000 would have worked just as well, but I already had an extra XP license and felt that it might as well be doing something.)

      The old laptop is a rather lousy Compaq P166. It sits on my wife's desk for the sole purpose of letting her use Thottbot. Again, the hard drive is a 2-gig flash card. It runs some variation of Ubuntu, with Firefox, and that's it. The CPU fan is unmodified, but in this application it's never required to spin anyway.

      The ancient laptop is what was once a very high-end (~$3,700) NCR/AT&T 386SLC box with a monochrome VGA screen. There's no floppy drive, no CD drive, and (at this point) no keyboard. Its power supply is a 12VDC wall wart soldered to battery terminals. The CMOS battery died ages ago. The top cover broke into little bits long ago, and has been replaced by a heavy stainless steel and aluminum fabrication bolted to the display hinges. It survived for two days under floodwater without any apparent harm other than a heavy layer of silt over the entire motherboard (which it doesn't seem to mind at all). With a 512MB flash card in place of its hard drive, it does fine hanging on the wall displaying a backlit, NTP-synchronized clock. Its only remaining moving parts are the power switch and the contrast control.

      At this point, it seems important to note that there is one thing that all of these machines have in common with each other: They're PCs. They all need some combination of expansion, visual output, or human input in order for them to work in their desired capacity. Even the aforementioned Frankenstein laptop needs a PS/2 port, in order to unwedge the BIOS at bootup because of its dead battery.

      But a router? It doesn't need these things -- not even the battery. It's got 5 Ethernet ports, which is plenty for my house. They all share the same 100mbps pipe to the CPU, and are only individually addressable by configuring them for VLAN, which is way more than good enough for my cable modem connection at home. It configures just swell with SSH, so it needs no local display or keyboard. And with all that connectivity, it needs no expansion (though I did hack in a 256MB SD card for no particular reason).

      And there's one thing it does which your scrap-built m0n0wall box is lacking: WiFi. The WRT54G includes a rather nice dual-diversity 802.11g radio by default, with real antenna connectors and good power output (in case I ever feel like blanketing a city block with WiFi).

      I mean, if I were still using a PC as a router (as I did do for the decade between 1995 and 2005), I'd still have to buy an access point/hostap-supported NIC/wireless router in order to use my laptop on the couch.

      As I see it, since the WRT54G does all of this stuff for $50, the situation can be looked at in one of two ways: Either the access point was free, or the router was free. Plus, I get to use all of the parts which didn't get used building a PC-based firewall for more interesting projects or spares.

      So, let's review: A WRT54G is smaller (more room for real computers), cheaper, better, has lower power consumption (a few do

    74. Re:Turn off UPNP by Corporate+Troll · · Score: 1

      There are open default and linksys APs right next to mine. Why bother with mine?
      Some people like a challenge ;-)
    75. Re:Turn off UPNP by Ilgaz · · Score: 1

      Why would one throw away features instead of using a well supported, not stupidly coded router?

      If you disable UPNP, what will you do with streaming video/audio, bittorrent etc?

      I use an Apple brand Airport and if this thing was hit by the mentioned issue, I would ask Apple about status for fix and if it is a real threat, if I didn't get a meaningful answer or no answer at all, I would go to market to buy a better supported router which has frequent firmware updates covering such issues, unplug my Apple one and never buy anything related to networking from Apple at all.

      Reading the comments about this story, people suggest blocking javascript and flash, giving up the default browser and, at last, giving up uPNP.

      I agree to changing that "admin" funny thing and likely "1234" password (and disable remote admin!) but I don't agree to losing features. If the vendor doesn't care about such a major issue, what if some UDP based attack is uncovered? Let's turn off UDP too?

      This issue should be used as a great benchmark for the current router/wireless industry. Let's see who updates their firmware and who doesn't.

      As an Apple airport basestation owner, I will be watching those D-Link etc. software updates. No kidding.

    76. Re:Turn off UPNP by Ilgaz · · Score: 1

      For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

      If uPNP is a godsend to those people... they need to get a better God. uPNP is not "evil" or anything, the implementation matters. Turning port 554 on while needed and turning off dynamically is much more secure than keeping it open 24/7 in case you will watch a 10 min streaming show one day, at random time.

      uPNP works all fine under Linux, OS X, FreeBSD. There seems to be one usual suspect there causing the problem and as you know, it is "more evil than satan himself" ;)
    77. Re:Turn off UPNP by Anonymous Coward · · Score: 0

      MAC Filtering: Similarly, MAC filtering is better than not MAC filtering.

      MAC filtering is a waste of time. The attacker doesn't want you to know his MAC address anyway, and his tools will be spoofing yours automatically. Time the attacker is delayed by MAC filtering: a few hundred CPU cycles. On a 2 GHz Pentium M, that's a very tiny fraction of a second. Enabling MAC filtering takes a couple of seconds, plus you might need to enter the MAC addresses, plus the problems caused when you mistype or your friends come over.

      Spent: 10 minutes.
      Gained: .0000000001 seconds.

      Net loss: rounded off to 10 minutes.

      SSID is about the same, except you don't need to spoof anything. The SSID is sent out in each and every packet, and in addition, the access point will send out packets containing ONLY the SSID. Turning off SSID broadcast will remove the packets containing ONLY the SSID, but not the rest. Oh, and "broadcast"? This is radio waves we are talking about, like a hub, everything is broadcast.

    78. Re:Turn off UPNP by _.-+thimk!+-._ · · Score: 1

      Security through obscurity, eh?

      A perfectly appropriate observation, yes. In this case, that's pretty much the case put forward for hiding the SSID. With all attendant caveats against its effectiveness against anyone serious.

      And, I agree the lock analogy is a bad one. That's why I suggested it's really more of a shrubbery. Or, if you prefer, perhaps a fig leaf.

      Just like other uses of security through obscurity, it's not particularly effective when we're talking about anyone other than the casual pedestrian. In the case of the largely clueless passerby, though, it is, marginally at least, better than nothing at all... :)

      WPA2, with rotating encryption, is much closer to the lock analogy, yes. And just like most physical locks, it mostly slows people down long enough for the nuisance factor to kick in. If it's easier to go next door, then most people will. It's really more about human nature than effective access prevention. If true security is important, then wireless probably doesn't really fit the bill.

    79. Re:Turn off UPNP by MrPeach · · Score: 1

      Better to use "fixed dynamic" to always assign the same IP address to a specific mac address.
      It's what I do and it makes life really simple.
      Any machine that operates as a server has a fixed address assigned, the rest just float.

      Problem solved. Time invested: 30 seconds.

    80. Re:Turn off UPNP by _.-+thimk!+-._ · · Score: 1

      I've never understood why anyone would choose MAC filtering or a hidden SSID instead of (or as well as) WPA encryption. ... Why use hidden SSID/MAC filtering at all?

      In this discussion we're certainly not talking about anything in the realm of 'instead of'. I was addressing the questions that had been brought up about all of the different techniques that are commonly available on most routers, why they were implemented, and why they have more than zero value. I'm certainly not suggesting that any of those methods is individually a replacement for some combination of all of them.

      Hidden SSID/MAC Filtering/halfway decent encryption all address different aspects of a broader picture. Keep in mind that there's a wide variety of folks out there, from completely clueless at one end of the spectrum, to extremely knowledgeable at the other, and that, pretty much, it's a continuum. It's not a symmetrical bell curve, as the clueless pretty heavily outnumber those at the knowledgeable end of the spectrum.

      1) Hidden SSID is your bush/fig leaf. Casual passerby won't notice you to begin with. No, it doesn't address anything more significant than that. But, it does help. A little. It may keep the number of requests down a bit from folks who poke your router just on the off chance that if they can see it that they can get onto it. And save a bit in the way of cpu cycles on the router. (No, not lots, but every bit helps, even if a little.) It's a level one dweeb filter. It may not be much, but it's not quite totally useless. In terms of pure numbers, this honestly probably stops the majority of folks out there. (Most folks really are on the shallow end of the knowledge pool for wireless.) Would any of the folks who it removes from the equation likely be any threat? Doubtfully. But, there we are, nonetheless.

      2) MAC Address filtering adds another layer to the security onion. (You shouldn't just expect one answer to be the fix for all issues.) MAC Filtering is more of a level 2 dweeb filter, which is effective against another (somewhat more knowledgeable) subset of folks wanting to hitch a ride on your router. No. It doesn't stop everyone, either. But, again, it does still stop some folks. There are tools that will show hidden networks that still don't really have teeth to do much more than that. This helps against the folks who've figured out that much, but not much more. Probably, it still stops more people than not.

      Even if someone does have the tools to sniff traffic long enough to grab a MAC Address to spoof, they can't do it if your equipment isn't transmitting when you aren't home (say, you're using wireless for your laptop only, which you take with you, not any workstations you may have at home). When you're not home, there aren't any packets wandering around with a permitted wireless MAC, so there's nothing to sniff to identify and spoof. So, rather than being 'something that simply doesn't help', in order to beat it, folks may have to be at the right place, at the right time, with the right tools, to be able to circumvent it. Not perfect, but not nearly so useless as some folks suggest. (Of course, some folks use wireless for devices that never leave the house, and that are always on, so in that circumstance, you've always got packets to sniff, so like with all things, each network is different, and your mileage will vary.)

      3) Data encryption is another (important) layer. But, don't think this is a simple, one stop solution, either. WEP (which you didn't bother to bring up, but I will), while easily compromised with the right tools will still stop folks without the right toolset. Sort of like a simple hook latch or door chain can. Yes. Other folks will stroll right through it. It's still a matter of numbers, and each additional measure will stop another portion of the remaining folks out there.

      Once you start being serious about trying to keep things really secure, as you brought up, you are talking about WPA and W

  4. Turn off UPNP by mdboyd · · Score: 1
    FTA:

    The only way to protect yourself is to turn off UPnP.

    If you don't need UPnP, that should prevent you from being vulnerable. I'd imagine that most people don't really need it.
  5. Open WiFi + this = trouble? by eknagy · · Score: 3, Insightful

    This will take an old-new argument to "to free or not to free my wifi" questions.

    1. Re:Open WiFi + this = trouble? by slim · · Score: 1

      This will take an old-new argument to "to free or not to free my wifi" questions.

      If you're talking about the recent Schneier stuff, then part of the rationale for running unauthenticated WiFi is that the hosts inside the network are hardened. Hence, assuming no mistakes in the host hardening, you could have no firewalling whatsoever on the router, and you'd still be safe.
    2. Re:Open WiFi + this = trouble? by wbren · · Score: 2, Informative

      Open WiFi access points are a security nightmare regardless of exploits like this, so the same basic advice still holds: open WiFi access points should be isolated from your "trusted" network. Security vulnerabilities aside, open access points are a legal nightmare waiting to happen (child pornography, phishers, DDoS attacks, intrusion, etc.) In other words, avoid them. Regarding your specific question about this UPnP exploit and open APs, the open AP could be potentially used as a phishing goldmine, especially in high-traffic areas. Since the exploit is not limited to port forwarding (in fact almost anything could be done to the router's configuration), users could potentially be tricked into doing all sorts of things (via DNS spoofs, packet manipulation, etc.) The only difference in the case of an open AP is the scope of the damage, as more users will likely connect to an open vs. closed network. Obviously that attack really only makes sense for non-encrypted sites, since this is exactly the type of thing SSL is designed to prevent.

      --
      -William Brendel
    3. Re:Open WiFi + this = trouble? by wbren · · Score: 2, Insightful
      From the article's comments:

      The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.
      The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing attacks succeed, this seems like a legitimate threat. Notice that in this case the clients could be as hardened as can be, and they would still (unless a static DNS was manually entered) use the DNS server provided by the compromised router.
      --
      -William Brendel
    4. Re:Open WiFi + this = trouble? by slim · · Score: 1

      From the article's comments:

      The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.
      The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing attacks succeed, this seems like a legitimate threat. Notice that in this case the clients could be as hardened as can be, and they would still (unless a static DNS was manually entered) use the DNS server provided by the compromised router.

      Hmm, but UPnP is special, in that it does quite serious things at the behest of unauthenticated requests, by design. Let's repeat that -- this isn't a 'bug' on the routers. UPnP is /designed/ to forward ports when it gets a request from inside the network, no questions asked.

      Whereas, you do need at least a password (or a more esoteric vulnerability than UPnP; one that won't be as homogenous across various brands of router) to actually compromise the router in ways such as you describe.

    5. Re:Open WiFi + this = trouble? by slim · · Score: 1

      Security vulnerabilities aside, open access points are a legal nightmare waiting to happen (child pornography, phishers, DDoS attacks, intrusion, etc.)

      You've either missed the recent debate, or missed its point. The argument goes:

      - If someone uses your open access point for nefarious means, you have a defence -- "But anyone could have done that".
      - If someone uses your 'secured' access point for nefarious means, your defence requires a jury to understand the ease with which (say) WEP can be cracked.

      And the likelihood of spammers, DDoSers, phishers etc. using your WiFi connection rather than their massive botnet is negligible.

      Just repeating the argument. FWIW my own access point is secured with 64 bit WEP, which I suppose is worst of both worlds. But it keeps my bandwidth available for myself, and uses a short passphrase I can remember.
    6. Re:Open WiFi + this = trouble? by Anonymous Coward · · Score: 0

      No, not insightful. This attack is a so-called "reflection" attack, because an inside host reflects an attack which originates on the outside network to the target host. It exploits that the inside network is seen as a "trusted" network. Most wireless routers bridge the wireless network and the inside network, so an attacker who uses the wireless network is already on the inside and doesn't need to use reflection at all. Similarly it would be pointless for him to use UPnP to open inbound ports, because he already has access to the inside network. Operating an open access point requires either additional network equipment, advanced router configuration or hardened computers. If you apply none of those methods, this attack doesn't make things worse. If you do use these methods, this attack doesn't work.

    7. Re:Open WiFi + this = trouble? by scottv67 · · Score: 1

      Just repeating the argument. FWIW my own access point is secured with 64 bit WEP, which I suppose is worst of both worlds. But it keeps my bandwidth available for myself, and uses a short passphrase I can remember.

      Why aren't you using WPA-PSK or WPA2-PSK instead of WEP? Using either WPA method is far more secure than WEP (which can be cracked by using a paperclip, the foil wrapper from a stick of chewing gum, two buttons from your shirt and a 20-oz bottle of Mountain Dew).

    8. Re:Open WiFi + this = trouble? by wbren · · Score: 1

      That argument is based on the ostrich strategy: keep your head in the sand and you can't possibly be blamed for anything. It's just not smart to rely on that. Who knows, a judge may find that you were criminally negligent by providing an open AP that was used in some crime. There's no good reason to take that risk. Setting aside the legal responsibilities for a moment, why would you even want to take the chance of being caught up in an investigation involving your unsecured AP? That's just asking for trouble. You wouldn't leave a loaded gun lying around for anyone to use or a running car unattended for anyone to drive off with, so why would you leave an access point unprotected?

      Spammers and phishers aren't what I would be concerned about. I would be more concerned with someone connecting to my network and downloading/hosting child porn, which could get me (1) in serious trouble with the law and (2) an (unjustified) label as a child porn kingpin. It's just irresponsible and foolish to leave an AP open.

      Some good points for both sides were brought up here, but in the end I don't see why people wouldn't want to err on the side of caution. Also, I don't know why in the world you are using WEP when WPA is so common and easy to use. And yes, "securing" (not really) your AP with WEP is just not smart and truly is the worst of both worlds. WPA would still keep your bandwidth available while using a short passphrase. In fact, it's easier than WEP. Why aren't you using it?

      --
      -William Brendel
    9. Re:Open WiFi + this = trouble? by wbren · · Score: 1

      I'm aware that UPnP is designed to forward ports at the request of a machine inside the network, but the article made it sound like the admin password might be reset using the exploit. Perhaps it was the lack of coffee that made me read it that way. I'll read it again after a couple cups :-)

      --
      -William Brendel
    10. Re:Open WiFi + this = trouble? by slim · · Score: 1

      Just repeating the argument. FWIW my own access point is secured with 64 bit WEP, which I suppose is worst of both worlds. But it keeps my bandwidth available for myself, and uses a short passphrase I can remember.

      Why aren't you using WPA-PSK or WPA2-PSK instead of WEP? Using either WPA method is far more secure than WEP (which can be cracked by using a paperclip, the foil wrapper from a stick of chewing gum, two buttons from your shirt and a 20-oz bottle of Mountain Dew).

      I'm not sure my AP supports it -- I'm still on 802.11b and too tight to upgrade.

    11. Re:Open WiFi + this = trouble? by slim · · Score: 1

      Who knows, a judge may find that you were criminally negligent by providing an open AP that was used in some crime. There's no good reason to take that risk. Setting aside the legal responsibilities for a moment, why would you even want to take the chance of being caught up in an investigation involving your unsecured AP? That's just asking for trouble. You wouldn't leave a loaded gun lying around for anyone to use or a running car unattended for anyone to drive off with, so why would you leave an access point unprotected?

      An open AP is not a gun though, is it? I'm not sure it's facetious to say that I leave my rubbish bin outside on the street unsecured all the time. If someone stole it and hurled it through a shop window, I wouldn't be found criminally negligent for providing an unsecured missile.

      I would be more concerned with someone connecting to my network and downloading/hosting child porn, which could get me (1) in serious trouble with the law and (2) an (unjustified) label as a child porn kingpin. It's just irresponsible and foolish to leave an AP open.

      But you've not countered the argument (and I continue to play devil's advocate here) that an open AP gives you plausible deniability -- except for the criminal negligence suggestion, for which I'm not aware of any precedent. Is it criminally negligent to give a stranger a pen, which he then uses to send blackmail letters?

      Also, I don't know why in the world you are using WEP when WPA is so common and easy to use. And yes, "securing" (not really) your AP with WEP is just not smart and truly is the worst of both worlds. WPA would still keep your bandwidth available while using a short passphrase. In fact, it's easier than WEP. Why aren't you using it?

      I have old hardware, I'm too stingy to replace it, and sometimes I want to take my Nintendo DS online.

    12. Re:Open WiFi + this = trouble? by Niten · · Score: 1

      • If someone uses your open access point for nefarious means, you have a defence -- "But anyone could have done that".
      • If someone uses your 'secured' access point for nefarious means, your defence requires a jury to understand the ease with which (say) WEP can be cracked.

      And as someone who has no intention to use my network for child pornography, phishing, launching DDoS attacks, or violating copyright laws, this is entirely meaningless. The likelihood of spammers and others using my WiFi connection, should I leave it unsecured in this densely-populated and highly technical area, really is not negligible -- and in any event is infinitely greater than the probability of me engaging in such incriminating activities myself, which is identically zero.

      Seriously, I get the whole plausible deniability / civil disobedience argument, but the truth is that the majority of the things one might get in trouble for on the Internet are illegal for a reason. Seriously, has it become passé to admit that you have no business trying (for example) to crack someone's web server in the first place?

      These open WiFi thought experiments seem to neglect the fact that the only sure way to stay out of such trouble is to not break the law in the first place, and then to secure your wireless access point so that nobody else can do so using your Internet connection, either.

    13. Re:Open WiFi + this = trouble? by internewt · · Score: 1

      ...your unsecured AP? That's just asking for trouble. You wouldn't leave a loaded gun lying around for anyone to use or a running car unattended for anyone to drive off with, so why would you leave an access point unprotected?

      Oh please!

      Cars and guns in the wrong hands can lead to injury or loss of life. An insecure AP can't.

      And the prevalence of CP is blown up by the press to help sell papers. Stop parroting their bullshit. The chances of a CP surfer using your connection, and law enforcement noticing, are probably between slim and none.
      --
      Car analogies break down.
    14. Re:Open WiFi + this = trouble? by jrumney · · Score: 1

      I don't know about the admin password, but TFA seems to be saying that the DNS can be changed through UPnP, at least on some routers. That aside, I'm a bit surprised that they conclude that UPnP is the problem here, not Flash. If a remote Flash application can connect to arbitrary URLs within your local network, then the security hole is much bigger than UPnP.

  6. DD-WRT? by Anonymous Coward · · Score: 0

    Is it only the factory firmware that's vulnerable or are you safe if you flash to one of the open-source hacks?

    1. Re:DD-WRT? by Minwee · · Score: 1

      That depends. Did you install UPnP, presumably because you want random ports to open up on your DD-WRT router without your consent?

      If not then you're probably quite safe from UPnP based attacks.

    2. Re:DD-WRT? by jrumney · · Score: 5, Informative

      If the firmware has UPnP IGD enabled, then your machine is vulnerable to this attack.

      The vulnerability is really Flash not restricting what untrusted scripts can do. The router's UPnP IGD profile is working as designed - an application on a machine within the firewall requests that an incoming port be forwarded, so the router does that. This is useful for VoIP, IM, P2P and other applications that need to be contactable from the outside world. Malicious programs that are running on your machine can always initiate outgoing connections, so generally the UPnP IGD is not allowing anything that cannot already be done. In the case of Flash, it is probably blocking most outgoing connections, so UPnP does expand the possibilities for a malicious Flash app to initiate connections with your machine. But unless Flash also allows you to open server sockets, the attacker would also need to find an exploitable service running on your machine.

      All this should be detectable by a decent firewall program running on your local machine.

  7. Mozillazine forums had this two years ago by dotancohen · · Score: 2, Interesting

    There was a thread on the Mozillazine forums about malicious JavaScript changing router settings about two years ago. Unfortunately, in October Mozillazine had a big foulup and many threads (and users, me included) were lost. I cannot find the thread now, but if I do I'll post back with a[n] URL. The thread's conclusion was that one should never leave the default password on the router.

    --
    It is dangerous to be right when the government is wrong.
  8. My Home router is a Linux NAT Box. by Zombie+Ryushu · · Score: 2, Interesting

    My home router is a Linux NAT Server. (I sorta have a pissant about the fact that those things get called "Routers". I have a DI-704, and I couldn't get it to route between two actual subnets. It only would NAT.)

    Anyway, my point. What about things like the Linksys WRT54GL?

    The thing is, it would be awesome if there was a flash drive driven Linux device with a Cisco Style com port that ran off flash, could be OpenLDAP Server, Samba DC, Kerberos KDC, NAT Server, or actual router WITH a Cisco style Console port that are cheap. Why does this not exist??

    1. Re:My Home router is a Linux NAT Box. by Anonymous Coward · · Score: 0

      The standard answer from the open-source community will likely be "write it yourself if you want it so bad." Whether that's a good or bad thing is entirely up to you.

    2. Re:My Home router is a Linux NAT Box. by Anonymous Coward · · Score: 2, Informative

      The WRT54g can have a serial port hacked into it for configuration. It's a fairly simple job if you have a soldering pencil around. They can also mount a SMB file system on boot so you can run whatever you want on the device. This filesystem can contain a shell script to be executed, allowing you to set up whatever you'd like to run at boot on the router.

    3. Re:My Home router is a Linux NAT Box. by AMuse · · Score: 2, Informative

      If you really want to tinker around with Linux as a home NAT/Firewall device, you would love the Soekris NET4801 or NET5501 boxes.

      I have one (I have no financial relationship with them other than customer) and I really love it. Very low power, 4GB flash card (up to 8 now I think), 1GB of RAM, no fans, no noise and if I want to I can put a large USB external drive (or small laptop drive inside) to do NFS/SMB/ETC.

      All that and the wonder of Linux IPTables, routing, NATting, OpenVPN, OpenSSH for around $300. I replaced an old P3 box I had been using as a router and my power bill thanks me every month. :)

      Also, each unit ships with a free pudding!! (Warning: Pudding may be evil.)

    4. Re:My Home router is a Linux NAT Box. by Karrots · · Score: 1

      There is also the WRAP which was replaced with the ALIX board from PCEngines. I use one of those with PfSense. Works great.

    5. Re:My Home router is a Linux NAT Box. by Anubis350 · · Score: 1

      Dunno about the default firmware on the 54gl since the first thing I do when I get one is reflash it with dd-wrt, but since you specifically asked about the gl in dd-wrt (which many/most 54gl users are running) UPnP is disabled by default. Believe that's true in hyperwrt too.

      --
      "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
    6. Re:My Home router is a Linux NAT Box. by geminidomino · · Score: 1

      Do those have any use other than as a firewall/NAT? I just replaced my Monowall WRAP and am looking for something to do with this $300 tinybox.

  9. Let me be the first... by sticks_us · · Score: 2, Informative

    ...in this thread anyway, to recommend the flashblock plugin.

    I installed it a couple of weeks ago, and really enjoy it. Banner ads have all but disappeared, and I don't even really notice (except for faster page loads and cleaner page layouts). If I want to see a YouTube video, that's easily accomplished--just click on the "F" icon in the blocked section of the page.

    As an added bonus, I'm protected from all of these recent security breaches we've seen for Flash...aren't I?

    --
    "Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
    1. Re:Let me be the first... by Aladrin · · Score: 1

      Great idea because IE runs Firefox plugins SO well.

      Firefox isn't vulnerable to this in the first place, so your advice means nothing here.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:Let me be the first... by sticks_us · · Score: 1

      Firefox isn't vulnerable? Maybe I missed something. TFA says different:

      This may make the attack to fail if you use Firefox, Opera or Safari and the attacked router or UPnP device is picky about CR and CRLF line endings. Earlier flash versions does not have this problem/bug.

      It looks like you're safe *if* the router or UPnP device is picky about CR/CRLF line endings.

      It also looks like you're safe UNLESS you're using an "earlier flash version."

      --
      "Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
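The article's remark about a router that is "picky about CR and CRLF line endings" comes down to how the router's embedded HTTP server frames a request. The following is an added example, not code from the article, from GNU Citizen or from any router firmware: a strict parser accepts only CRLF-terminated header lines and rejects the same SOAP request when it is framed with bare CR, while a lenient parser normalises any line ending and processes both. The request, the host 192.168.1.1 and the control path /upnp/control/WANIPConn1 are constructed for illustration.

```python
"""Strict vs. lenient HTTP request framing, as a 'picky' router's UPnP control
endpoint would see it. Added example; the request below is constructed."""

# Constructed sample: the same SOAP request skeleton framed two ways.  The body
# is an empty AddPortMapping element; the point is the header framing, not the payload.
SOAP_BODY = (
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<s:Body><u:AddPortMapping '
    b'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"/>'
    b"</s:Body></s:Envelope>"
)

HEADER_LINES = [
    b"POST /upnp/control/WANIPConn1 HTTP/1.1",          # constructed control URL
    b"Host: 192.168.1.1:49152",                          # constructed router address
    b'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"',
    b'Content-Type: text/xml; charset="utf-8"',
    b"Content-Length: " + str(len(SOAP_BODY)).encode(),
]


def frame_request(line_ending: bytes) -> bytes:
    """Join the header lines with the given terminator, then append the body."""
    return line_ending.join(HEADER_LINES) + line_ending * 2 + SOAP_BODY


CRLF_REQUEST = frame_request(b"\r\n")  # RFC 2616 framing
CR_REQUEST = frame_request(b"\r")      # bare-CR framing, which a picky server refuses


def parse_request(raw: bytes, strict: bool = True):
    """Return (method, target, headers, body).

    strict=True: accept only CRLF terminators and a CRLF CRLF head/body separator,
    raising ValueError otherwise.  strict=False: treat CR, LF and CRLF alike, which
    is how a tolerant server ends up processing a malformed request anyway.
    """
    if strict:
        end = raw.find(b"\r\n\r\n")
        if end < 0:
            raise ValueError("header block not terminated by CRLF CRLF")
        head, body = raw[:end], raw[end + 4:]
        stripped = head.replace(b"\r\n", b"")
        if b"\r" in stripped or b"\n" in stripped:
            raise ValueError("bare CR or LF inside header block")
        lines = head.split(b"\r\n")
    else:
        norm = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
        head, sep, body = norm.partition(b"\n\n")
        if not sep:
            raise ValueError("no header/body separator")
        lines = head.split(b"\n")

    method, target, version = lines[0].decode("ascii").split(" ")
    if not version.startswith("HTTP/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def accepts(raw: bytes, strict: bool) -> bool:
    """True if the parser would process the request rather than reject it."""
    try:
        parse_request(raw, strict=strict)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, req in (("CRLF", CRLF_REQUEST), ("bare CR", CR_REQUEST)):
        print(f"{name:8s} strict={accepts(req, True)!s:5s} lenient={accepts(req, False)}")
```

Run stand-alone it prints that the CRLF-framed request passes both parsers while the bare-CR one passes only the lenient parser; that difference is the whole reason a payload that fails against one router can succeed against another.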
    3. Re:Let me be the first... by TheCRAIGGERS · · Score: 2, Funny

      Firefox is safe anyway, for the time being.

      Still, NoFlash... NoScript... soon I'll have to install NoImage and NoCSS. I guess it's time to go back to Gopher.

    4. Re:Let me be the first... by wizardforce · · Score: 1

      IE can run certain plugins, just not nearly as many as FF can. moral of the story? don't use IE.

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    5. Re:Let me be the first... by maxume · · Score: 1

      Hopefully similar functionality eventually gets built in for all 'rich media plug-ins', or even all plug-ins, with configurable play/don't play.

      --
      Nerd rage is the funniest rage.
  10. UPnP by Wiseman1024 · · Score: 1

    Like all "automagic" bullshit for lusers, whatcouldpossiblygowrong

    --
    I was about to say 13256278887989457651018865901401704640, but it appears this number is private property.
  11. Browsers by JackSpratts · · Score: 4, Informative

    as usual opera is resistant.

    1. Re:Browsers by aerthling · · Score: 1

      I only skimmed the article, but I'm pretty sure it said the attack failed in Firefox, Opera, etc. because of a flaw in the Flash plugin, not because those browsers are more secure.

    2. Re:Browsers by Anonymous Coward · · Score: 0

      Probably because it's not popular enough to be specifically targeted.

      As usual.

      Truth hurts doesn't it? Incidentally, since Firefox actually has extension support and a wide community following creating great utilities, I wasn't vulnerable to this problem even with Flash enabled. As usual.

    3. Re:Browsers by chris411 · · Score: 1

      Oh, you people and your silly little kiddie browsers. Opera is an internet suite. It doesn't need a million plugins to do something, it can already do it, and in all likelihood it's been doing it long before Firefox's creators copied it. It's so very hurtful to use something superior.

    4. Re:Browsers by jrumney · · Score: 1

      No, it didn't say that the attack failed in those browsers, it said it might fail if the router's HTTP server was strict about line endings and a particular version of the Flash plugin was used.

    5. Re:Browsers by Anonymous Coward · · Score: 0

      Awww, how cute! Insecure, suffering from an inferiority complex, and thinking we give a crap!

  12. I use Opera. by Apoorv · · Score: 0

    Opera users are safe too.

  13. Open open... by ElGanzoLoco · · Score: 5, Funny

    [...] a flash swf file capable of opening open ports into your network [...]

    Hold on, now I'm confused: does this attack open open ports, or does it open ports open? Or even worse, does it open open open ports? :D

    --
    Hello! I'm a disaster waiting to happen!
    1. Re:Open open... by wbren · · Score: 1

      It opens ports on your router that are open on your computer. The ports are clearly already open, but they need to be opened again by the router. For example, my local Wal-Mart* is open in that it isn't "out of business", but it must be opened every morning (and "closed" into its original open state every night) anyway, so people can walk in and buy stuff. So in that regard, my local Wal-Mart* was opened twice, just like opening open ports. It's all very complicated, having to do with the lowest levels of TCP/IP, kernel code, and lasers. Yes, lasers.

      Or maybe it was just a typo :-)

      *Excludes 24-hour locations.

      --
      -William Brendel
    2. Re:Open open... by Tony+Hoyle · · Score: 1

      I presume it means that it allows open ports (on the lan) to be seen by everyone (on the wan).

      In some upnp implementations it's been shown that you can even do it the other way around - do things like forward port 80 outgoing to $hackers_proxy.

      upnp is kinda useless anyway.. nothing that can't be done more safely and more controlled by static DHCP and standard port forwarding (or, better, getting multiple IP addresses from your ISP).

  14. Don't try this at home by spleen_blender · · Score: 1

    I've always wondered about using StumbleUpon as a distribution method. I wonder if it is possible in such an exploit to somehow force your profile to Thumbs Up the infected page, making it spread at a maximum exponential rate, since the rating system would only have to be vulnerable on the client side, I imagine.

    My larger point though is that in a web where the actual URL of content is becoming more and more meaningless as meta sites start to coagulate content around them, what do users on the client side have to be able to combat such tactics? Is it reasonable to expect some sort of server side content awareness for such content sharing sites. A pruning mechanism of sorts seems like a necessity if you wouldn't want to contribute to the threat.

  15. What about the Wii browser by techpawn · · Score: 1

    It's the Opera browser, which runs an OLD version of Flash on a wireless network. I mean, do we need to worry about this when we go to the wrong site from our Nintendo? I hear they update it from the connect24 but not that often...

    --
    Ask not what you can do for your country. Ask what your country did to you
  16. Turn off UPnP! by ledow · · Score: 4, Insightful

    Turn off UPnP! Why on Earth do you want it on anyway? That's the problem here - an XSS is one matter, although being able to send SOAP-style requests across your local network is a major concern. But having a router that automatically opens ports based on virtually zero authentication? A nightmare waiting to happen.

    Never used it. Never wanted it. Never turned it on. Always turned it off on EVERYTHING. UPnP is the problem here - a simple (unauthenticated) HTTP-style page requested in a browser suddenly starts opening ports to your network. It should not happen. Even my DSL router/wireless router/Linux router has SSL only, passworded access to do anything even approaching opening ports. And if a webpage pops up with an authentication dialog with the header "Wireless Router" and you type in your password, then you're a fool, unless you specifically requested the router's configuration page.

    There's rarely even a log of what UPnP has done - which ports it's opened in the past etc. for whom.

    Just turn the damn thing off. It's too dangerous.

    1. Re:Turn off UPnP! by slim · · Score: 5, Insightful

      The thing is, it's just so damn useful. For a TCP/IP savvy person, setting up, say, a Bittorrent client, or Xbox Live online play without UPnP is a chore. For normal people, it's voodoo. With UPnP (and the right client) it Just Works. Convenient or secure... guess what most people will choose?

      But, agreed, it's scary stuff, if you believe your router ought to be a firewall. What's really needed is for home routers to start implementing authenticated UPnP, and for clients to work with it. (I must admit I've only glanced at the UPnP specs, but I seem to recall seeing references to an authenticated flavour).

    2. Re:Turn off UPnP! by wwahammy · · Score: 1

      I know Microsoft is implementing a new standard to supersede UPnP in part due to the lack of security. Whether this new standard achieves that though is another issue entirely.

    3. Re:Turn off UPnP! by wwahammy · · Score: 1

      It's not as secure as needed, that is without doubt. But I get tired of trying to figure out the port forwarding needed for various programs. Sometimes you want it to just work and UPnP when implemented accomplishes that goal.

      An argument could be made that UPnP is more secure in that it only opens ports while a program uses them (provided the program is coded right), not all the time as most people would have done had they needed to open the ports manually. That doesn't negate the vulnerabilities in the system but it's a different way of looking at it.

    4. Re:Turn off UPnP! by Tony+Hoyle · · Score: 1

      xbox live works fine without any port forwarding at all.

      Any half decent bittorrent client works off a single port and can be set up in minutes.

      What is this 'chore' you're on about? I know virtual newbies do it without prompting.

    5. Re:Turn off UPnP! by slim · · Score: 1

      xbox live works fine without any port forwarding at all.

      I Googled, and you're right. However XBL uses UPnP if it's there, and I suspect that for most games, at least one Xbox needs to be able to accept() connections from the rest -- whether that's using port forwarding, a direct connection to the net, or whatever. So yeah, a given Xbox can run without any port forwarding, but if everyone did it, it would break (like in the old days when MSN Messenger file transfer worked if one side was NATed, but not if both were).

      Any half decent bittorrent client works off a single port and can be set up in minutes.

      What is this 'chore' you're on about? I know virtual newbies do it without prompting.

      'Minutes' is more than zero effort, and I suspect your 'virtual newbies' are a lot smarter than you're letting on. If UPnP is available, you can be up and running with Azureus without even knowing what an IP address is. Without UPnP, you need to understand the concept of an IP address, NAT, ports and port forwarding. Then you need to find out what particular port your application needs, then you have to work out your particular router's admin interface. My mum can't even work iTunes; you expect her to do this?

      On the whole, people love not having to think. UPnP lets them do that. Turning off UPnP makes them have to think twice -- once about the security risks they're avoiding, once again about how to manually achieve the stuff UPnP was doing for them automatically.

    6. Re:Turn off UPnP! by GrievousMistake · · Score: 2, Interesting

      Additionally, it's nice to let hosts on the network set up their own port forwarding without having root access to the router, for example when you rent out a house with several apartments that share the same internet connection.
      My old router used to have an option to only let hosts modify UPNP bindings to their own IP, which is good enough security for me.

      What I don't get about this exploit is, if you already have a flash application running on a victim's machine that can make arbitrary outgoing connections, couldn't you just as easily proxy your connections through the flash application? So it's not like you gain access to anything that you didn't have access to already.

      --
      In a fair world, refrigerators would make electricity.
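jrumney's comment further up (the IGD does exactly what an inside host asks), ledow's point that there is rarely a log of what UPnP has opened for whom, and GrievousMistake's router option that only let hosts modify UPnP bindings to their own IP together describe the control endpoint, its missing audit trail, and one mitigation. The following is an added example of how such a control endpoint could handle an AddPortMapping request; it is not code from the article, from GNU Citizen or from any router firmware. It parses the SOAP arguments, enforces the own-IP rule plus basic sanity checks, and writes one audit line per request. The addresses, the sample requests and the function names are constructed.

```python
"""Policy check and audit log for UPnP IGD AddPortMapping requests.
Added example; all addresses and requests below are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"   # IGD service type
LAN = ipaddress.ip_network("192.168.1.0/24")                    # constructed LAN


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str


def parse_add_port_mapping(body: bytes) -> PortMapping:
    """Extract the AddPortMapping arguments from a SOAP envelope; ValueError if absent."""
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not a WANIPConnection AddPortMapping request")

    def arg(name: str) -> str:
        el = action.find(name)  # IGD arguments are unqualified child elements
        if el is None or not (el.text or "").strip():
            raise ValueError(f"missing argument {name}")
        return el.text.strip()

    return PortMapping(int(arg("NewExternalPort")), arg("NewProtocol").upper(),
                       int(arg("NewInternalPort")), arg("NewInternalClient"),
                       arg("NewPortMappingDescription"))


def check_policy(m: PortMapping, requester_ip: str, lan: ipaddress.IPv4Network) -> list:
    """Return the policy violations; an empty list means the mapping may be created."""
    reasons = []
    if m.protocol not in ("TCP", "UDP"):
        reasons.append(f"unknown protocol {m.protocol}")
    for label, port in (("external", m.external_port), ("internal", m.internal_port)):
        if not 1 <= port <= 65535:
            reasons.append(f"{label} port {port} out of range")
    try:
        client = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return reasons + [f"internal client {m.internal_client!r} is not an IP address"]
    if client not in lan:
        reasons.append(f"internal client {client} is outside {lan}")
    # The own-IP rule: a host may only ask for traffic to be forwarded to itself.
    if m.internal_client != requester_ip:
        reasons.append(f"requester {requester_ip} asked to forward to another host {client}")
    return reasons


def handle_request(body: bytes, requester_ip: str, lan: ipaddress.IPv4Network, log: list) -> bool:
    """Apply the policy and append one audit line per request; True if allowed."""
    try:
        m = parse_add_port_mapping(body)
    except (ValueError, ET.ParseError) as exc:
        log.append(f"upnp AddPortMapping from={requester_ip} verdict=DENY reason={exc}")
        return False
    reasons = check_policy(m, requester_ip, lan)
    verdict = "ALLOW" if not reasons else "DENY"
    log.append(f"upnp AddPortMapping from={requester_ip} map={m.external_port}/{m.protocol}"
               f"->{m.internal_client}:{m.internal_port} desc={m.description!r} "
               f"verdict={verdict} reasons={'; '.join(reasons) or '-'}")
    return not reasons


def build_request(ext: int, proto: str, client: str, iport: int, desc: str) -> bytes:
    """Constructed AddPortMapping envelope in the element layout the IGD spec uses."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{WANIP_NS}"><NewRemoteHost></NewRemoteHost>'
            f"<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
            f"<NewInternalPort>{iport}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>"
            f"<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>").encode()


def demo() -> list:
    """Two constructed requests from 192.168.1.10: one for itself, one for another host."""
    log = []
    handle_request(build_request(6881, "TCP", "192.168.1.10", 6881, "torrent"), "192.168.1.10", LAN, log)
    handle_request(build_request(8080, "TCP", "192.168.1.50", 8080, "webcam"), "192.168.1.10", LAN, log)
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

The own-IP rule confines what any one inside host can change to mappings that point back at itself, which is why it shrinks the damage a request made on a host's behalf can do, but a host can still request a mapping for itself, so the rule is a limit rather than a substitute for disabling or authenticating UPnP. The audit line is the record ledow notes is usually missing: which port was opened, for whom, and at whose request.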
    7. Re:Turn off UPnP! by mtmra70 · · Score: 1

      What are you talking about? I have never opened a port or enabled UPnP for XBox Live, and I have had it since the day it came out. Heck, my work VPN, personal VPN, bit client and many other things work without opening any ports manually.

    8. Re:Turn off UPnP! by Anonymous Coward · · Score: 0

      For a TCP/IP savvy person...

      Static IPs?

    9. Re:Turn off UPnP! by ledow · · Score: 1

      "If UPnP is available, you can be up and running with Azureus without even knowing what an IP address is."

      Correct. Although if it's not, you can still be. It'll be a tiny bit slower and you'll have a few less peers but overall you're not going to even notice if you don't know what an IP address is.

      "Without UPnP, you need to understand the concept of an IP address, NAT, ports and port forwarding."

      No you don't. It'll "just work". The same way that Steam or XBox Live can "just work" without any of the above. People design stuff for NAT now and there's very, very little (apart from extreme-legacy protocols) that can't NAT properly. But if you want optimum performance and to get as many peers as you can etc. then, yeah, you can use the above techniques to help you do that. Most people don't and won't.

      "My mum can't even work iTunes; you expect her to do this?"

      Nope. She has no need to. Even if she uses BitTorrent, Steam and XBox Live. That's our point.

      "Turning off UPnP makes them have to think twice -- once about the security risks they're avoiding, once again about how to manually achieve the stuff UPnP was doing for them automatically."

      Have you got our point yet? It doesn't do anything automatically that can't be achieved through "correct" programming and even MS products manage to work absolutely fine without UPnP - they just work around NAT like everything else.

      The problem is that people see UPnP, see what it does and think "I need that" and switch it on. Or when product manufacturers turn such things on at the factory. That's when the security problems start. That's when joe-average gets whacked by exploits like this even though, if UPnP had been disabled from the start, he wouldn't have succumbed to this particular attack and, almost certainly, wouldn't have noticed any difference in any of his applications.

      NAT is a well-defined standard. There's not much that absolutely cannot be done through NAT, and most of that is protocol stupidity like embedding IP addresses inside data packets (a breach of the TCP standards, I might add) which can be countered (FTP passive connections, connection tracking etc.). The only other thing is that there are no "open ports" so you can't query a client unsolicited. That's GOOD. That means that they have to WANT to talk to you in order to be able to connect. Things like XBox Live and Steam handle this for you by acting as a go-between for the initial part of the conversation. That's how it works. It's GOOD that it works that way. It stops an awful lot of problems with port-forwarding of arbitrary ranges to something like an XBox that isn't going to be the most up-to-date or secure device.

    10. Re:Turn off UPnP! by Ilgaz · · Score: 1

      I keep it on because:
      1) I can't be bugged with port configurations just to download a single linux ISO image via azureus and turning off when not needed
      2) I use an Apple Airport Basestation which doesn't use uPNP, it uses NAT-PMP which is all documented
      3) I use OS X only

      You are hitting the wrong target. It is NOT uPNP (once more, again!), it is its stupid implementation by MSFT and their Taiwan buddies. If Adobe doesn't release a Flash plugin update covering this issue in a WEEK, they are to blame too.

      Millions of devices, operating systems, software are using uPNP happily otherwise.

  17. comment filtering by howlingmadhowie · · Score: 0, Offtopic

    i know it would be a dangerous precedent, but could it be possible to block all comments which contain the word 'nigger'? it's really been getting out of hand in the last few weeks and is costing a lot of mod points.

    1. Re:comment filtering by Anonymous Coward · · Score: 0

      Instead of dropping the entire comment, why not substitute some other word or phrase? It could become something nonsensical (like making it "boobies" or "smurf") or switched around (like making it "skin-head" or "bigot"). It could make a hateful comment into a funny comment.

    2. Re:comment filtering by Jesus_666 · · Score: 1

      Oh exploitable! Of course replacing words makes everything better, even if there's drama involved. And nobody will ever know what was originally posted and it will certainly not evolve into a special kind of slang.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    3. Re:comment filtering by Anonymous Coward · · Score: 0

      As much as I would be for this particular filter, Slashdot is what it is because they don't censor or ban people. I think this is a good thing and I wish more sites on the Internet worked like that.

      I am personally sick of all the "public" web communities that get into their little hole and if anyone disagrees with them on even the slightest issue (even suggestions to improve their site) they get blasted away. This hurts the 'Net in my opinion.

  18. Your point ? by DrSkwid · · Score: 1

    Your point seems to be a question.

    Anyhoo, there's nothing uber special about Flash, you can just put a CF/SD card in an IDE/SATA adapter and attach it to a suitable computer, such as one of the fanless EPIAs, that one even has dual gige.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  19. Them forums produce genii by DrSkwid · · Score: 1

    > The thread's conclusion was that one should never leave the default password on the router.

    well, duh! Surely you didn't need the backup losers of Mozillazine to work that out!?

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    1. Re:Them forums produce genii by Anonymous Coward · · Score: 0

      >backup losers

      OK, I'll bite - WTF is a "backup loser"?

    2. Re:Them forums produce genii by DrSkwid · · Score: 1

      someone who loses their backups

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    3. Re:Them forums produce genii by ketilwaa · · Score: 1

      I'll take a guess: "the losers who didn't back up the forums"?

    4. Re:Them forums produce genii by Anonymous Coward · · Score: 0

      It's a spare loser you keep around for emergencies in case something happens to your main loser.

    5. Re:Them forums produce genii by dotancohen · · Score: 1

      > It's a spare loser you keep around for emergencies in case something happens to your main loser.

      It's NetBSD?
      --
      It is dangerous to be right when the government is wrong.
  20. How about checking your router configuration by Aging_Newbie · · Score: 1

    My cheapie Belkin access point has an option to turn off UPNP in the configuration. In fact, it is the default. That should kill that exploit rather quickly, shouldn't it?

  21. Opening port does not mean that it is exploitable by JaLooNz · · Score: 1

    Anyone realised that it can only open ports? (Especially since uPnP appears to be only an HTTP-based request system, doing it should not be too difficult.) But whether it can be made useful is questionable. You need an open client running on that specific port (which most likely cannot be done in any browser) to be anywhere near exploitable.

  22. I recently bought a Sitecom router by MadJo · · Score: 1

    and was pleasantly surprised to see UPnP disabled out of the box.
    Are router manufacturers finally learning?

  23. My Xbox360 requires uPnP to be off by gelfling · · Score: 1

    Only way it works. I can't for the life of me understand what I would need it for anyway.

  24. Because it breaks everything by Anonymous Coward · · Score: 0

    > Why on Earth do you want it on anyway?

    Because very few people are using IPv6 and IPv4+NAT breaks a lot of protocols that depend on the computer being available to the outside world. No, static port forwarding doesn't solve the issue as it's a pain to set up/maintain if you have multiple computers.

  25. WHERE $money; PUT $mouth by ronadams · · Score: 3, Interesting

    > I don't get the whole turn off SSID and MAC filtering, change default password crap. More often than not Kismet works out the SSID if hidden, MAC can be spoofed using macchanger, and I usually guess people's passwords or look them up on a list of manufacturer defaults. The alternative is to completely crash a router, as it just resets to factory defaults and you can completely take over the router.

    I live in Cincinnati, Ohio. You come (wirelessly) break into my router, change the current settings by opening port 1337, and I'll refund the cost of your travel (as determined by hotwire or expedia's fare rates on the day of your travel), and pay you $100 additional, all in cash on the same day.

    It's a SOHO router, but I won't tell you what make/model -- if your prowess is as you claim, you should have no trouble determining that. You may not enter the apartment or inspect any systems currently connected -- but you shouldn't need to. I have no other firewalls, proxy servers, or tricks on the front end of this router -- it's straight from modem to unit. You may have 48 consecutive hours to complete the task.

    Still confident? Email me at radams theatsign tohuw.net and make arrangements.

    --
    Appended to the end of comments you post. 120 chars.
    1. Re:WHERE $money; PUT $mouth by bignetbuy · · Score: 4, Funny

      Challenging an anon coward...

      Yeah, that'll work.

    2. Re:WHERE $money; PUT $mouth by rk · · Score: 1

      Either a) the guy can't put up, in which case he won't take your offer, or b) the guy has enough skills to do what he says that $100 profit for a day out of his life isn't an offer, it's an insult, and he won't take your offer. I don't suppose an offer for a getaway to that paradise that is Cincinnati in January (30F and snowing currently) is especially compelling, either.

      On the other hand, a four-way and a couple cheese coneys at Skyline sounds pretty tasty right now. :-)

    3. Re:WHERE $money; PUT $mouth by Anonymous Coward · · Score: 2, Informative

      Here's the problem. Home routers normally support only WEP and WPA-PSK. WEP is a joke. I have software on my laptop that performs a linear keyspace attack against WEP - that is to say that a 128 bit key (really 104 bits...) only takes twice as long to break as a 64 bit key. It's called a fragmentation attack. WEP is not only dead, it's stinking up the place and needs to be hauled away for public health reasons. This leaves you with WPA-PSK. There's a well understood method for breaking that as well - you use a broadcast deauthenticate attack to kick the workstations off the network, and force them to reauthenticate - then you snag the authentication challenges, and attack them using a rainbow table. One rainbow table used for this is about 40GB, but that's still reasonable given the cost of external USB hard drives...

      Changing the settings is a bit more difficult - but I wouldn't class it as impossible by any stretch of the imagination.

    4. Re:WHERE $money; PUT $mouth by Anonymous Coward · · Score: 0

      In other words: Come to Cincinnati and penetrate me

    5. Re:WHERE $money; PUT $mouth by ronadams · · Score: 1

      Consider that added. And another hundred fifty additional if he can show me step by step the processes he performed, and make a useful (albeit uninsured) recommendation to protect against that method.

      --
      Appended to the end of comments you post. 120 chars.
    6. Re:WHERE $money; PUT $mouth by ronadams · · Score: 3, Interesting

      I'm aware of both of those issues. My offer still stands.

      --
      Appended to the end of comments you post. 120 chars.
    7. Re:WHERE $money; PUT $mouth by raju1kabir · · Score: 1

      I live in Malaysia but I'm willing to accept the challenge. Can I fly business class?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    8. Re:WHERE $money; PUT $mouth by skegg · · Score: 0

      "You are a stranger."

      Cryptic (sic) movie quote.

    9. Re:WHERE $money; PUT $mouth by Anonymous Coward · · Score: 0

      Very clever proposal, assuming you haven't already turned OFF the wireless functionality and have been using wired connections.

      BTW it's not:
      WHERE $money; PUT $mouth

      Cause normally one doesn't put mouth where money is.

    10. Re:WHERE $money; PUT $mouth by ronadams · · Score: 1

      No, but I'll still extend the offer to you.

      --
      Appended to the end of comments you post. 120 chars.
    11. Re:WHERE $money; PUT $mouth by ronadams · · Score: 1

      I put my mouth in my wallet, you insensitive clod! And no, the wireless is not off. I use it regularly.

      --
      Appended to the end of comments you post. 120 chars.
  26. Questions about Wireless Router Security by NetSettler · · Score: 1

    > The vulnerability is really Flash not restricting what untrusted scripts can do. [...] UPnP does expand the possibilities for a malicious Flash app to initiate connections with your machine. But unless Flash also allows you to open server sockets, the attacker would also need to find an exploitable service running on your machine.

    Excuse my ignorance/confusion, but... I'm not up on the details of either Flash or UPnP, and yet I still need to understand this better and so I have a few questions.

    1. The Flash being discussed is the Flash player for a browser, right? (Not some sort of Flash related to flash memory and the BIOS and/or USB Flash drives? And the Flash issue is not in the router?)

    2. Why is there a difference between the Flash vulnerability in different browsers? What's the basis of the protection? Is it because the player binaries differ between browsers, or because the security model of the browsers differ, or what?

    3. If a Flash player is running malware already, why does it care any longer about the router? Isn't it already in my machine, and hence inside my network? And can't it generally get out quite easily with whatever data it finds without further problem? Or is there some security model limiting the actions of the Flash player to only certain operations?

      Is it forbidden from writing files, particularly executable files? I assume a virus utility would notice this, but maybe since it's a trusted plug-in, it wouldn't?

    4. If it can access web pages, isn't there also a potential vulnerability that many routers are configurable from inside the firewall over the network? In that case, couldn't it reenable UPnP itself? (Even if it was forbidden to read files from the disk and access the net, couldn't it just do the web page modification and then wait for a later copy of itself to arrive on a separate occasion to exploit the previously and silently opened hole?) If that can happen at all, will having a decent password for one's firewall reduce this risk? (Even though I have WPA-PSK enabled and a pretty long password, internal connections to a router over a secure connection seem like they're going to succeed because of the PSK, leaving the router's admin password the only thing in the way... or is there some other fortunate barrier?) Do routers tend to protect themselves from internal exhaustive or dictionary attacks? Would a virus protection tool notice this, or would it just think it normal that a browser was opening lots of web pages? In other words, do I need to switch my router to be configurable only over a serial link? (Even if I did, would I be vulnerable while the serial line was connected?)

    If there's just a FAQ with answers to questions like these, please point me to it. I read the article, but it was pretty thick with device and protocol and program-specific jargon that even a technical person might not understand, depending on their areas of expertise.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

    1. Re:Questions about Wireless Router Security by Tony+Hoyle · · Score: 4, Informative

      If a flash plugin can make outgoing XML requests it can persuade a upnp server to make your machine wide open, thus completely disabling your firewall. Making those kind of requests sounds like the kind of thing you want Flash to do, so I'd imagine all versions are vulnerable.

      There are some ports.. 137,139,445,etc. that you really don't want on the open internet. If the plugin does something like a port forward of 0-65535 to your machine suddenly *every* service on there is wide open to any attack. It'll bypass protections from eg. the default XP firewall as the packets will appear to be coming from the local LAN (the router) rather than the original source.

      It's not just flash (although a malicious advert on a page is the most obvious vector for this). Anything that runs on your machine can do it.. I reckon you could craft such an attack in javascript even (XMLHttpRequest with the right code).

      Once the ports are open anything that manages to run on your machine can leave itself wide open without having to make telltale outgoing port connections (although it's often said that outgoing connections are the reason upnp is 'not worse' than existing protections, no working trojan would work in that manner, since the target of the outgoing connection would quickly be found and shut down.. OTOH leaving a trojan on your machine listening on your machine waiting for the command to send spam/infect others/distribute child porn/whatever is much more real a threat).

    2. Re:Questions about Wireless Router Security by jrumney · · Score: 1

      1. It's the Macromedia Flash player that's being talked about here, as the rest of your questions assume.

      2. I don't know enough about Flash to answer this. Perhaps it relies on the browser for its network support, which would make the network capabilities differ depending on the browser.

      3. I'm more familiar with Java and Javascript, but I presume that Flash uses a similar sandbox, restricting what Flash applications can do. For instance, Java applets downloaded from example.com can only make network connections back to example.com, and cannot read or write local files etc.

      4. If it is anything like the Java applet sandbox, then it shouldn't be able to access general webpages, only the page it was loaded from. WPA and the administration password for your router have nothing to do with UPnP IGD. If you are running XP, you can tell if your router has UPnP IGD enabled by opening the Network Connections control panel, and seeing if your router shows up as an Internet Gateway device.

    3. Re:Questions about Wireless Router Security by scottv67 · · Score: 1

      > There are some ports.. 137,139,445,etc. that you really don't want on the open internet. If the plugin does something like a port forward of 0-65535 to your machine suddenly *every* service on there is wide open to any attack. It'll bypass protections from eg. the default XP firewall as the packets will appear to be coming from the local LAN (the router) rather than the original source.

      Do you have any idea what you are talking about? If not, it would be best for you to sit quietly and let the grown-ups talk.

    4. Re:Questions about Wireless Router Security by NetSettler · · Score: 1

      > 3. I'm more familiar with Java and Javascript, but I presume that Flash uses a similar sandbox, restricting what Flash applications can do. For instance, Java applets downloaded from example.com can only make network connections back to example.com, and cannot read or write local files etc.
      > 4. If it is anything like the Java applet sandbox, then it shouldn't be able to access general webpages, only the page it was loaded from. WPA and the administration password for your router have nothing to do with UPnP IGD.

      Ah, ok. If it could access arbitrary pages, I was worried that it could access the admin component of my wireless router. (From the outside, WPA protects me from people accessing that admin stuff, but from the inside, it does not... only a more vanilla passwording protects me inside.) But if it's something like a limited access to the net, and if that limitation is not vulnerable (nothing ever seems as safe as one expects), then it sounds like I'm fine.

      I certainly do not have UPnP enabled now. My Belkin router fortunately comes with it off though offers the following remark in the online help, which given this recent news story I now see has a double-edged interpretation: “An application that is UPnP compliant has the ability to communicate with the Router, basically "telling" the Router which way it needs the firewall configured.”

      I had just worried that some worm could find my gateway and enable it so that its friends could come in... but I read what you're saying as saying that if it got as far as being able to do that, it wouldn't need such an entry point anyway, it would already be inside and set up for business.

      One follow-up question on this matter of only having access to the web site the item came from. A long time ago, I looked at security models in an informal way, but I am not an expert in this, so don't take my remarks about what I thought as any kind of authority--just as framing the question: I had thought that there was a subtle distinction between an applet on a page and a downloaded plug-in, and that it hinged on the question of whether the code was trusted. If Flash is a plug-in, not an applet, and is therefore trusted, and Flash is the thing that is doing the network connecting, then is Flash the thing that is holding my security in its hands, or does it have some way of making sure that the program it runs is subject to a more restrictive security model, such as I'm imagining applets to have? If I've asked the question in a way that makes it hard to answer because I've presupposed some division that's not there, feel free to repair the question before answering it.

      Perhaps I should go read a recent reference on network security. But, sadly, there will be many with questions like these who don't have the time or training to do that, so hopefully the question lends itself to at least some sort of minimal high-level summary that doesn't require that.

      --

      Kent M Pitman
      Philosopher, Technologist, Writer

    5. Re:Questions about Wireless Router Security by carnalforge · · Score: 1

      Thing is, why would you leave ports open in your laptop even if only accessible from the "inside lan"? And damnit, why from the router even if you need filesharing from different computers?

      --
      :wq!
    6. Re:Questions about Wireless Router Security by jrumney · · Score: 1

      > I had just worried that some worm could find my gateway and enable it so that its friends could come in... but I read what you're saying as saying that if it got as far as being able to do that, it wouldn't need such an entry point anyway, it would already be inside and set up for business.

      Except for this Flash bug, where the worm, written in Flash ActionScript, does not normally have access to do anything dangerous, but it apparently can open ports on your gateway. I still can't get to TFA to read the details, but I imagine that a feature intended for opening ports so that more efficient UDP based protocols can be used for streaming media has been implemented insecurely. The secure way to implement it would be to only open UDP ports that the Flash client was listening on, but for this to be exploitable it must be allowing arbitrary ports to be opened.

      > If Flash is a plug-in, not an applet, and is therefore trusted, and Flash is the thing that is doing the network connecting, then is Flash the thing that is holding my security in its hands, or does it have some way of making sure that the program it runs is subject to a more restrictive security model, such as I'm imagining applets to have?

      Flash is responsible for enforcing security of Flash applications, the same way that the Java plugin is responsible for enforcing security of applets, and the browser is responsible for enforcing security of Javascript.

  27. Transmission client by Anonymous Coward · · Score: 0

    For those of us with a large network, it's easier to keep it on when someone wants to use Transmission client on Linux randomly for bittorrent.

  28. FIXED IP address by baomike · · Score: 1

    now there is a heretical thought.

  29. Re:Opening port does not mean that it is exploitab by Tony+Hoyle · · Score: 1

    $trojan opens port. Talks to upnp server. Your machine gets pwned.

    script/flash/exe/whatever opens port 445. Your network gets pwned.

    Because there's no authentication upnp shouldn't be allowed anywhere near a network. At the very least a verified password should be needed to activate the port forwarding each time.

    Really, developers shouldn't write shitty protocols that require it. Luckily it's becoming rarer.. few games need it (if any, these days.. certainly nothing recent), even bittorrent clients are getting better (the early ones needed something like 10 ports.. newer ones need 1). There's absolutely no need for a non-server to be requiring open incoming ports - on a client they should all be outgoing and handled naturally by the NAT logic.
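    Tony Hoyle's point in comment 26.1 (ports such as 137, 139 and 445 should never be reachable from the WAN) and the one above come down to the same thing: once a mapping for such a port exists in the router's IGD, the NAT no longer protects that host. The defender's counterpart is to enumerate what the router currently forwards and flag the dangerous entries. The block below is an added example, not code from this thread, from GNU Citizen or from any router vendor: it parses the SOAP response of the IGD `GetGenericPortMappingEntry` action (`WANIPConnection:1`) and applies two checks, a table of services that should never be exposed and a bulk-forwarding threshold. The sample responses are constructed here for the demo; the `SENSITIVE_PORTS` table and the threshold of 50 are my own assumptions, and fetching the real entries from a router (SSDP discovery, then one SOAP call per index until the router reports the index is out of range) is left out so the block runs offline.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Services that should never be reachable from the WAN side of a home NAT:
# the thread's 137/139/445 plus a few common remote-access ports (my selection).
SENSITIVE_PORTS = {
    ("TCP", 22): "ssh", ("TCP", 23): "telnet", ("TCP", 135): "msrpc",
    ("UDP", 137): "netbios-ns", ("UDP", 138): "netbios-dgm",
    ("TCP", 139): "netbios-ssn", ("TCP", 445): "microsoft-ds",
    ("TCP", 3389): "rdp", ("TCP", 5900): "vnc",
}
BULK_THRESHOLD = 50  # assumed: more enabled mappings than this to one host looks like "forward everything"


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int


def parse_mapping_entry(xml_text: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntryResponse envelope (IGD WANIPConnection:1)."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP envelope has no Body element")
    action = body[0]
    if action.tag != f"{{{WANIP_NS}}}GetGenericPortMappingEntryResponse":
        raise ValueError(f"unexpected action element {action.tag}")

    def field(name: str) -> str:
        el = action.find(name)  # argument elements carry no namespace
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol").upper(),
        internal_port=int(field("NewInternalPort")),
        internal_client=field("NewInternalClient"),
        enabled=field("NewEnabled") == "1",
        description=field("NewPortMappingDescription"),
        lease_seconds=int(field("NewLeaseDuration") or 0),
    )


def audit_mappings(mappings):
    """Return (severity, message) findings for a list of PortMapping entries."""
    findings = []
    per_host = Counter()
    for m in mappings:
        if not m.enabled:
            continue  # a disabled entry forwards nothing, so it is not reported
        per_host[m.internal_client] += 1
        service = SENSITIVE_PORTS.get((m.protocol, m.internal_port))
        if service is not None:
            findings.append(("high", f"{m.internal_client}:{m.internal_port}/{m.protocol} ({service}) "
                                     f"is exposed on WAN port {m.external_port}, description {m.description!r}"))
    for host, count in per_host.items():
        if count > BULK_THRESHOLD:
            findings.append(("high", f"{host} has {count} enabled mappings; looks like bulk forwarding"))
    return findings


def make_entry_xml(ext, proto, internal, client, enabled, desc, lease=0):
    """Build a constructed IGD response for the demo (not captured from a real router)."""
    return (
        f'<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{1 if enabled else 0}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample: a legitimate BitTorrent mapping, an SMB mapping labelled "flash",
# a disabled NetBIOS mapping, and sixty mappings to one host (the "forward everything" case).
SAMPLE_RESPONSES = [
    make_entry_xml(6881, "TCP", 6881, "192.168.1.10", True, "Azureus 6881 TCP"),
    make_entry_xml(445, "TCP", 445, "192.168.1.10", True, "flash"),
    make_entry_xml(139, "TCP", 139, "192.168.1.10", False, "old share"),
] + [make_entry_xml(20000 + i, "TCP", 20000 + i, "192.168.1.20", True, "bulk") for i in range(60)]


def audit_sample():
    """Parse the constructed responses and audit them; returns the findings list."""
    return audit_mappings([parse_mapping_entry(x) for x in SAMPLE_RESPONSES])
```

    Running `audit_sample()` yields two findings: the SMB mapping to 192.168.1.10 and the sixty-entry bulk forward to 192.168.1.20. The disabled 139 entry is deliberately not reported, since a disabled mapping forwards nothing; that is the edge case the `NewEnabled` flag exists for, and a router that lists stale disabled entries should not trip the audit.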

  30. Re:If there's one thing I hate more than an 0wned by theskipper · · Score: 1

    Way OT:

    There seems to be a lot more racist AC posts lately. Wondering if the ulterior motive is to suck up mod points and basically dilute the moderation system?

    Also, isn't this one word, along with a regexp of it, that should trigger a longer than usual time-out before AC submission? It would avoid censorship since the post would still submit, just severely speedbumped. It's used so infrequently that if someone decides to use it in a "valid" post, the delay would be a minor inconvenience. For trolls creating throwaway accounts, the IP/username association slows them down anyway.

    Of course the slippery slope is doing the same for myminicity, goatse links...

  31. Local firewall and other factors by Joe+U · · Score: 1

    Ok, for this to succeed the site would have to know your router's internal IP address. 192.168.1.1 is very common in early routers, but this has changed recently.

    Now, to actually get to the computer, it would also have to bypass your software firewall as well.

    Of course, all this does is open ports, it doesn't actually attack or exploit anything.

    This is a potential exploit, but not a working one yet.

    1. Re:Local firewall and other factors by Anonymous Coward · · Score: 0

      It's very easy to find your router's IP in most cases... why? Because in most cases the router is also the DHCP server. It wouldn't be that far of a leap to detect a DHCP server and assume that it is the router.

    2. Re:Local firewall and other factors by Joe+U · · Score: 1

      > It wouldn't be that far of a leap to detect a DHCP server and assume that it is the router.

      Using Adobe Flash? It's not that powerful. (yet).
    3. Re:Local firewall and other factors by Zaiff+Urgulbunger · · Score: 1

      > Now, to actually get to the computer, it would also have to bypass your software firewall as well.

      The flash code runs in your browser. Your software firewall *might* prevent the flash-app from connecting to the uPNP SOAP port.... but then again, it might not since people will allow access for Flash.

      > Of course, all this does is open ports, it doesn't actually attack or exploit anything.

      If it opened up your Windows file shares that would probably not be a good thing; even if you have no shares, Windows *used* to enable a hidden C$ share.... I'm guessing it doesn't these days, but even so, some users running older/unpatched software will still be vulnerable.

      But in addition to just opening some ports, some routers also provide access to user/password info via these uPNP SOAP requests, and even allow changing DNS servers! So for example, any time you try to access your-bank.com, you might actually be visiting evil-bank.com; the latter being a proxy for your-bank.com so it looks identical, but it collects your bank login details. And it would be *very* difficult to see where the problem was. Your computer could be 100% patched up and clean, but still you're leaking data!

      This truly is a *huge* problem!! The only thing I don't know is how many routers allow changing the DNS servers. Certainly, the Speedtouch/BT Home Hub routers did have this problem, but is this a common problem? If it is.... then things is bad! ;)

  32. Wrong headline by theobroma · · Score: 1

    Shouldn't this read "IE has yet another vulnerability!" "Looks like Firefox & Safari users are safe for now." seems a bit underplayed to me. I say this only because if I were to use IE I would want to know.

  33. Firefox and Safari immune? by decavolt · · Score: 1

    > Looks like Firefox & Safari users are safe for now.

    MSIE only? Gee, I'm shocked. Utterly amazed.

    I understand and agree that UPnP should be off anyway, but (as was noted in an earlier reply) this isn't any different than surfing to any other IE-exploiting page and the same precautions apply. For starters, using something other than IE.
    1. Re:Firefox and Safari immune? by figleaf · · Score: 1

      Slashdot summary is wrong. Check the author's comments below the article.

      This is a flash exploit so no browser is immune.

    2. Re:Firefox and Safari immune? by Ilgaz · · Score: 1

      > Slashdot summary is wrong. Check the author's comments below the article.
      >
      > This is a flash exploit so no browser is immune.

      I would say it another way: if some miracle happens and Adobe acts quickly to issue a Flash update/hotfix for it, ALL browsers will be immune.
  34. Off by default on my Netgear routers by DieByWire · · Score: 1

    I have a couple of Netgear routers and both shipped with UPnP off by default.

    > UPnP can be enabled or disabled for automatic device configuration. The default setting for UPnP is disabled. If disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router.

    --
    Never shake hands with a man you meet in a fertility clinic.
  35. Here is more info by stevenp · · Score: 1

    The offender is called NAT Traversal

    "UPnP comes with a solution for NAT (Network Address Translation) traversal, called the Internet Gateway Device (IGD) protocol. NAT traversal for UPnP enables UPnP packages to pass through a router or firewall without problems and without user interaction, (that is if that router or firewall supports NAT). It essentially allows any local UPnP device to punch arbitrary holes in the firewall, by letting the firewalled router create port forwardings automatically."

  36. Re:If there's one thing I hate more than an 0wned by DrSkwid · · Score: 1

    it comes & goes, all it takes is a perl bot and some boredom, perhaps this guy got laid off from his job / finished his degree and discovered that he could spend his time doing nigger posts to /.

    it's not me btw :)

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  37. Re:Turn off UPNP MOD PARENT UP by scottv67 · · Score: 1

    Well said, -thimk!-. I have no mod points today so I will give you kudos instead. Very informative post.

  38. Re: You *really* need to qualify that by colinnwn · · Score: 1

    > Security vulnerabilities aside, open access points are a legal nightmare waiting to happen

    Don't assume this is true, it may be the opposite of true, depending on your jurisdiction. Some places, like Germany I believe, can hold you responsible for actions that occur on your network if not "properly secured." However, there have been several US lawyers and networking experts who have argued that if you secure your network to the best of your ability and it is infiltrated, you may be responsible in that you knew security was needed and failed in your implementation. It may also implicate yourself in any illegal activities if there is no way to identify the infiltration, as is the case in the poor and ethereal logging of almost all consumer grade wireless routers. An open router may provide more protection in most of the US than a secured router, as it gives you cover of plausible deniability (a useful tool for the innocent, as well as the guilty).

  39. Update? by sexconker · · Score: 1

    Couldn't flash be updated to solve this?

    You're not going to get people to turn off UPnP...

  40. Google? by Anonymous Coward · · Score: 0

    What about google "polite flash ads"?

    1) They are polite
    2) They are interesting for you
    3) People need cash to blog. Google "polite flash ads" do that
    4) Thanks to google polite flash ads, you can have bloggers who do everything to catch your attention. Without google polite flash ads, there wouldn't be any content on the internet, like 1993!
    5) It excuses google's extreme profits which seemed to come from nowhere and this way google search can keep being free.
    6) Google is something like open source.
    7) Google needs money to fund mozilla corporation.

    Don't be a thief.
      Think about it and view google ads honestly.

  41. Bruce Schneier by obduk · · Score: 1

    One of the top professionals in the security industry, Bruce Schneier, runs an open Wi-Fi network. As he puts it, your computer should be secured whether on your network or on a public network. I also have an open network, no one abuses it and I'm quite happy for someone to come along and use it for free, as long as they don't download torrents or something. So I do have UPnP disabled as it will probably stop a novice downloading torrents. However, I keep my computer secured, and would be happy on an insecure network, or if someone forwarded a port on my router.

  42. Proprietary software is still insecure by default. by jbn-o · · Score: 1

    Opera is proprietary software, therefore it is untrustworthy by default. The only people who can inspect, modify, and distribute improved versions are the very people you can't trust to work on your behalf—the proprietors. There's nothing they can say to make up for this lack of security because you can't verify their improvements (the source code is not only unavailable to you, the proprietor disallows decompiling the binary and seeing what it's doing, or making changes to suit your needs). To be sure Opera isn't problematic you need Opera to respect your software freedom.

  43. the problem is in the brain by wikinerd · · Score: 1

    Most home users are vulnerable to social engineering attacks. Until this vulnerability is fixed somehow, it doesn't really matter much whether they run secure routers or not. All crackers need to do is to pick up a phone and ask for the password. The most secure router in the world isn't going to protect users from their own stupidity, so perhaps we should educate users to be security-conscious rather than just download the latest patches without understanding what security is.

  44. you guys are all missing the point by Anonymous Coward · · Score: 0

    Big whoop if UPnP has a problem. What about the case when no router exists at all? It seems like routers have been a big fat excuse to leave a bunch of insecure services running. We may as well tighten security on those services; i.e. nobody should be able to do SSDP unless they are on the same subnet, at least. Maybe UPnP is insecure, but it should (in theory) not be a big deal if someone can get access to your file sharing service from an external IP.
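    The same-subnet rule suggested above, written out as a gateway-side policy check. This is an added example, not code from the original thread or from any router firmware: it parses an SSDP M-SEARCH datagram and answers only when the sender is inside the LAN interface's own subnet. The interface address 192.168.1.1/24, the sample datagram and the source addresses are constructed; the check also assumes the multicast form of the HOST header (239.255.255.250:1900), which is what a discovery client normally sends.

```python
"""Same-subnet gate for SSDP discovery requests (added example, not from the page)."""
import ipaddress

# Constructed: the LAN interface on which the gateway listens for SSDP.
LAN_INTERFACE = ipaddress.ip_interface("192.168.1.1/24")

# Well-known SSDP multicast group and port.
SSDP_MULTICAST = "239.255.255.250:1900"


def parse_ssdp_request(raw: str) -> dict:
    """Parse a raw SSDP (HTTPU) request into start line and headers.

    Header names are lower-cased and values stripped. Malformed input
    raises ValueError so the caller can simply drop the datagram.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].strip():
        raise ValueError("empty request")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("bad start line")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if ":" not in line:
            raise ValueError(f"bad header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers}


def should_answer(src_ip: str, raw: str, iface=LAN_INTERFACE) -> tuple:
    """Decide whether the gateway should reply to an SSDP M-SEARCH.

    Policy: only M-SEARCH requests addressed to the SSDP multicast group,
    carrying MAN: "ssdp:discover", and sent from an address inside the LAN
    interface's own subnet are answered. Returns (decision, reason).
    """
    try:
        req = parse_ssdp_request(raw)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if req["method"] != "M-SEARCH":
        return False, f"not a search: {req['method']}"
    h = req["headers"]
    if h.get("host") != SSDP_MULTICAST:
        return False, "HOST is not the SSDP multicast group"
    if h.get("man") != '"ssdp:discover"':
        return False, "MAN is not ssdp:discover"
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "unparseable source address"
    # An address of the other IP version is never 'in' the network, so a
    # mismatched family is rejected here as well.
    if src not in iface.network:
        return False, f"source {src} is outside {iface.network}"
    return True, "ok"


# Constructed sample datagram, as a UPnP discovery client would send it.
SAMPLE_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for ip in ("192.168.1.50", "203.0.113.7", "10.0.0.9"):
        print(ip, should_answer(ip, SAMPLE_MSEARCH))
```

    In a real gateway the same decision would be made on the socket's receive path (and a TTL/hop-limit check on the datagram adds a second, independent barrier), but the subnet membership test is the part that implements the comment's proposal.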

  45. Function Risk - Facts Missed - Not Only IE.... by TheNetAvenger · · Score: 1

    This concept affects ALL browsers, don't let the Firefox, Safari, Opera groupies leave you with a false sense of security. It is also OS agnostic using the methods listed in the article or other undocumented browser callback script techniques.

    The example given uses Flash; this is a problem with Flash operating at a level that plugins should not be allowed to.

    Additionally, there are methods outside of Flash that can utilize this as an exploit, and the other methods work in EVERY browser except IE7 running on Vista, as Vista's protected mode blocks the exploit ironically making it the most secure browsing option.

    There are valid and secure ways of using UPnP. UPnP is more than just opening ports on a router and serves greater functionality on networks.

    UPnP and router security should probably be revisited, but throwing away the functionality because of this risk would be disastrous.

    ALL browsers need to re-look at exploitable script callbacks that could be used to touch UPnP. There are exploits in all browsers that are NOT documented in this article. Additionally, Adobe needs to get a freaking handle on the crap involved with Flash and security.

    Flash has always had lots of vulnerabilities and risks. To the point that Microsoft disabled user created Flash use of Winks in Messenger because of Flash vulnerabilities. Flash's inherent insecurity is also another reason Microsoft has moved forward with Silverlight.

  46. DD-WRT at risk? by guzi · · Score: 1

    Does this exploit also depend on a weird UPnP implementation on the router manufacturer's part? Would someone running DD-WRT on his home router be at risk?

    G.

    1. Re:DD-WRT at risk? by peektwice · · Score: 1

      I don't know if DD-WRT is vulnerable, but in my router running DD-WRT v24 RC-4 (10/10/07) std, UPnP is turned off by default.
      --
      Other than this text, there is no discernible information contained in this sig.
    2. Re:DD-WRT at risk? by guzi · · Score: 1

      Thanks for your answer... Indeed it was disabled by default and I manually enabled it. I was in a hurry to download something off BT so I used the quickest solution. Well I guess I now have a good incentive to look into port forwarding on the DD-WRT :-)

  47. Re:Function Risk - Facts Missed - Not Only IE.... by elwin_windleaf · · Score: 1

    I agree - the problem is in the underlying Flash plugin, and uses the documented functionality of the 'navigateToURL' function and the 'URLRequest' object. This isn't so much a problem with browsers or Flash, though, as it is a weakness in UPnP.

    Whatever browser you use, if you have one of those home Internet Gateway routers, then make sure UPnP is disabled and you're not using the default password!

    Also, keep an eye on your other networked devices (phones, cameras, etc.) - they may also support UPnP and would be vulnerable.

    Here's an update from GNUCITIZENS with further clarifications: http://www.gnucitizen.org/blog/flash-upnp-attack-faq

  48. Re:If there's one thing I hate more than an 0wned by Anonymous Coward · · Score: 0

    Of course the slippery slope is doing the same for myminicity, goatse links...

    How dare you make racist comments against Asians, you insensitive clod!

  49. Mitigation steps by trianglman · · Score: 1

    1) TURN OFF UPnP! Anyone who has been listening to Security Now has known about this issue for the past two years. UPnP is by design insecure. If it is turned off it can't be used to attack your router. The only reason to have it is so that you don't have to configure anything when a program decides it needs to be open to anyone contacting it. Personally, I would rather have control over when someone else can talk to my computer.

    2) Browse with NoScript (or similar settings in the other browsers). If JavaScript and Flash are blocked as you are browsing sites and only turned on when you need them, you can't be hit by drive-by attacks like this one. Heck, I've seen maybe 2-3 banners in the past couple months with a combination of NoScript, Adblock, and Flashblock.

    3) Change the default settings of your router. This won't necessarily prevent the attack described, at least without the above steps, but it will make sure those steps aren't for nothing. The most important thing this prevents is a CSRF attack to turn UPnP back on, even if you have it off. This also would require not staying logged into your router when you don't need to be (and routers without gaping CSRF holes built in that don't need passwords).

    --
    Clones are people two.
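    A detection-side companion to step 3 above and to elwin_windleaf's point that the Flash vector is just a browser issuing an ordinary request to the gateway: if a port-mapping control request or an admin-page request arrives carrying a Referer or Origin that is not the router itself, a web page somewhere drove it. This is an added example, not code from the thread, GNU Citizen or any router project. The log format, the router address 192.168.1.1, the hostnames and every line of SAMPLE_LOG are constructed; the action names AddPortMapping and DeletePortMapping are the standard UPnP IGD WANIPConnection actions (not quoted from this page), and the check assumes the browser attached Referer/Origin headers, which a client that does not is simply not judged on.

```python
"""Flag cross-site UPnP port-mapping and admin requests in a gateway HTTP log
(added example, not from the page)."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed log format, one request per line:
#   <src_ip> <method> <path> referer=<url|-> soapaction=<action|-> origin=<url|->
LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"referer=(?P<referer>\S+) soapaction=(?P<soapaction>\S+) origin=(?P<origin>\S+)$"
)

# Assumption: the gateway's own web/UPnP address(es); any other host is foreign.
ROUTER_HOSTS = {"192.168.1.1"}

# Standard IGD WANIPConnection actions that change NAT state (spec names,
# not taken from the page); used here only to recognise state-changing calls.
MAPPING_ACTIONS = ("AddPortMapping", "DeletePortMapping")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url: str) -> Optional[str]:
    """Hostname part of a Referer/Origin value; '-' means header absent."""
    if url == "-":
        return None
    return urlsplit(url).hostname


def classify(rec: dict) -> list:
    """Return the reasons a request looks browser-driven from a foreign site."""
    reasons = []
    action = rec["soapaction"].strip('"')
    short = action.split("#")[-1]
    is_mapping = any(action.endswith("#" + a) for a in MAPPING_ACTIONS)
    foreign = [h for h in (host_of(rec["referer"]), host_of(rec["origin"]))
               if h and h not in ROUTER_HOSTS]
    if is_mapping and foreign:
        reasons.append(f"{short} with foreign referer/origin {foreign[0]}")
    if rec["path"].startswith("/admin") and foreign:
        reasons.append(f"admin request with foreign referer/origin {foreign[0]}")
    return reasons


def scan(log_text: str) -> list:
    """Return [(line_number, reasons)] for every suspicious line."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than guess
        reasons = classify(rec)
        if reasons:
            alerts.append((n, reasons))
    return alerts


# Constructed sample log: a normal UPnP client (no Referer), a browser-driven
# AddPortMapping from an ad host, a cross-site admin POST, a same-origin admin
# POST, and a harmless read-only UPnP query.
SAMPLE_LOG = """\
192.168.1.50 POST /upnp/control/WANIPConn1 referer=- soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping" origin=-
192.168.1.50 POST /upnp/control/WANIPConn1 referer=http://ads.example.net/banner.swf soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping" origin=-
192.168.1.77 POST /admin/apply.cgi referer=http://evil.example.org/page.html soapaction=- origin=http://evil.example.org
192.168.1.77 POST /admin/apply.cgi referer=http://192.168.1.1/admin/index.html soapaction=- origin=http://192.168.1.1
192.168.1.50 POST /upnp/control/WANIPConn1 referer=- soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress" origin=-
"""

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

    The first sample line, a mapping request with no Referer at all, is deliberately left alone: that is what a native UPnP client such as a torrent program looks like, and flagging it would bury the drive-by case in noise. The same Referer/Origin comparison, applied as a reject rule on the admin interface rather than as a log check, is the cheap fix for the CSRF hole the comment mentions.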
  50. Just use static? by Anonymous Coward · · Score: 0

    Or if you don't need to keep them dynamic, just use static IP addresses?

  51. Are you sure? by Corngood · · Score: 1

    Have you tried doing the xbox network diagnostic? I suspect you will get something other than NAT: Open for the last test, and I've always had a lot more trouble connecting to games when the NAT wasn't open. Same thing goes for pretty much any P2P communication, you won't be able to communicate without one side having a traversable NAT.

    You'd probably have much less trouble on Live (assuming you play P2P), and with BitTorrent, etc. if you had the ports forwarded properly.

    P.S. I have a UPnP NAT device, but I still had to forward the ports manually in order to get NAT: Open on Live, though UPnP seems to work ok with uTorrent, MSN, etc.

    1. Re:Are you sure? by mtmra70 · · Score: 1

      I have no problems with Live whatsoever and the network test passes fully. I don't have problems with bittorrents either...