Slashdot Mirror


Most Home Routers Vulnerable to Flash UPnP Attack

An anonymous reader noted that some folks at GNU Citizen have been researching UPnP vulnerabilities in home routers, and have produced a Flash SWF file capable of opening ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.

21 of 253 comments

  1. Turn off UPNP by russ1337 · · Score: 5, Insightful

    I thought the recommended steps for setting up a router were:

    A. Unbox
    B. Throw away the disk
    C. Plug in your machine, Turn on the router and navigate to the webgui
    D. Turn off UPNP
    E. ??? (Change default name and password, set WPA, Turn off SSID etc....)
    F. Profit...

    The point is, I'd always been told to turn off UPNP 'cos sooner or later something is going to open ports that you don't know about.

    1. Re:Turn off UPNP by Corporate+Troll · · Score: 3, Insightful

      Change default name and password, set WPA, Turn off SSID etc....

      I'm okay with all of that. The only thing I never get is why to turn off the SSID broadcast. If it's well secured, it doesn't matter if they know it's there or not. Besides, I'm pretty sure that just listening to traffic will reveal the presence of a wireless network.

    2. Re:Turn off UPNP by EvilRyry · · Score: 2, Insightful

      Right. And it's also rather annoying when you do a quick look around to find a vacant channel. "Oh look, no one is on channel 1, let's use that!" Only to find out a short while later that 5 networks are using that channel, but all of them have SSID broadcast disabled.

      Anyone who can break into your wifi can probably find your SSID if broadcast is disabled, all you need to do is wait and listen.

    3. Re:Turn off UPNP by Tim+Browse · · Score: 2, Insightful

      Er, you 'don't get' the whole 'change default password crap'? Even though you 'usually' look up the password on a 'list of manufacturer default'?

      Want to run that by us again? :-)

    4. Re:Turn off UPNP by MBGMorden · · Score: 3, Insightful

      The other funny thing is that he claims to be "completely crashing a router so it resets to factory defaults". Now most of them do that after a firmware update (but you have to already have admin access for that, so no glory there), or if you do a hardware reset, in which case you need physical access to the device. I have NEVER heard of any router that will reboot with factory default settings if it crashes (and believe me, my first D-Link router several years ago crashed on a near daily basis - the poor little processor inside of it couldn't keep up with the number of connections my P2P software was making).

      --
      "People who think they know everything are very annoying to those of us who do." -Mark Twain

    5. Re:Turn off UPNP by morgan_greywolf · · Score: 2, Insightful

      Using true static IPs is much less convenient than configuring a dhcp server to dole them out. One problem is moving a machine (like a laptop or lan-party gaming computer) between networks -- static IPs can make things sticky.

    6. Re:Turn off UPNP by Anonymous Coward · · Score: 1, Insightful

      Yes, but the fact it's convenient doesn't change the fact that UPnP is a fundamentally stupid and broken protocol. Exploiting it is NOT a new phenomenon, it's been going on since it was introduced. If a LAN client wants to open a port then fine, but they should have to authenticate and supply a password ... preferably a unique one written on the bottom of the router WPA-PSK style, rather than "admin" or "linksys" ...

    7. Re:Turn off UPNP by Stavr0 · · Score: 2, Insightful

      AC > I don't get the whole [yadda yadda yadda]

      The hidden SSID and WEP encryption is meant as a polite message to white hat hackers that I'd rather they not use my AP as my bandwidth is metered by my ISP.

      If you are an asshole who will hack and pwn my AP anyway then you're no better than the thief with the crowbar that smashes car windows to steal CDs and the spare change in coin boxes. If I'm lucky enough to be home as you do this, I'll grab my camera and a baseball bat to record your feats and your license plate, then use the baseball bat to smash your laptop to bits.
      //Internet tough guy

    8. Re:Turn off UPNP by Stavr0 · · Score: 2, Insightful

      Why don't you use WPA? It's 1000x better than WEP. I have a crusty old PDA which knows nothing about WPA.

      The asshole that wants to crack it will need much more time, and as such will be discouraged even more. There are open default and linksys APs right next to mine. Why bother with mine?

    9. Re:Turn off UPNP by KevReedUK · · Score: 3, Insightful

      planting a bush in your front yard that obscures a direct view of your front door

      From a security perspective, I would never want one of these as, if someone were at my front door trying to pick the lock, they would be obscured from view. I find living in a neighbourhood where there is the appearance that all the neighbours are nosy is far more effective as a form of security.
      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)

  2. Open WiFi + this = trouble? by eknagy · · Score: 3, Insightful

    This will take an old-new argument to "to free or not to free my wifi" questions.

    1. Re:Open WiFi + this = trouble? by wbren · · Score: 2, Insightful

      From the article's comments:

      The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.
      The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing attacks succeed, this seems like a legitimate threat. Notice that in this case the clients could be as hardened as can be, and they would still (unless a static DNS was manually entered) use the DNS server provided by the compromised router.
      --
      -William Brendel

  3. Turn off UPnP! by ledow · · Score: 4, Insightful

    Turn off UPnP! Why on Earth do you want it on anyway? That's the problem here - an XSS is one matter, although being able to send SOAP-style requests across your local network is a major concern. But having a router that automatically opens ports based on virtually zero authentication? A nightmare waiting to happen.

    Never used it. Never wanted it. Never turned it on. Always turned it off on EVERYTHING. UPnP is the problem here - a simple (unauthenticated) HTTP-style page requested in a browser suddenly starts opening ports to your network. It should not happen. Even my DSL router/wireless router/Linux router has SSL only, passworded access to do anything even approaching opening ports. And if a webpage pops up with an authentication dialog with the header "Wireless Router" and you type in your password, then you're a fool, unless you specifically requested the router's configuration page.

    There's rarely even a log of what UPnP has done - which ports it's opened in the past etc. for whom.

    Just turn the damn thing off. It's too dangerous.

    1. Re:Turn off UPnP! by slim · · Score: 5, Insightful

      The thing is, it's just so damn useful. For a TCP/IP savvy person, setting up, say, a Bittorrent client, or Xbox Live online play without UPnP is a chore. For normal people, it's voodoo. With UPnP (and the right client) it Just Works. Convenient or secure... guess what most people will choose?

      But, agreed, it's scary stuff, if you believe your router ought to be a firewall. What's really needed is for home routers to start implementing authenticated UPnP, and for clients to work with it. (I must admit I've only glanced at the UPnP specs, but I seem to recall seeing references to an authenticated flavour).
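A defender's check prompted by ledow's point that routers rarely log what UPnP has opened, and by slim's wish for something better than the unauthenticated flavour: as an added example (not from the thread, from GNU Citizen, or from any router vendor), this parses the SOAP reply an IGD router returns for the WANIPConnection GetGenericPortMappingEntry action and flags mappings a home user did not set up. The sample reply and the list of known hosts are constructed; the element names are those of the WANIPConnection service.

```python
"""Audit helper: parse one GetGenericPortMappingEntry response from a UPnP IGD
router and report why a mapping looks unexpected. Added example, not from the page."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of what a router returns for a single port-mapping entry
# (the shape a client gets after walking NewPortMappingIndex 0, 1, 2, ...).
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetGenericPortMappingEntryResponse
  xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>3389</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>3389</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""

@dataclass
class Mapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    lease_seconds: int   # 0 means the mapping never expires on its own

def parse_mapping(xml_text: str) -> Mapping:
    """Extract the New* fields; they are unqualified children of the response element."""
    root = ET.fromstring(xml_text)
    def field(name: str) -> str:
        el = root.find(f".//{name}")
        return (el.text or "") if el is not None else ""
    return Mapping(int(field("NewExternalPort")), field("NewProtocol"),
                   field("NewInternalClient"), int(field("NewInternalPort")),
                   field("NewPortMappingDescription"), int(field("NewLeaseDuration")))

def suspicious_reasons(m: Mapping, known_hosts: set[str]) -> list[str]:
    """Heuristics a home user can apply: unknown target, no label, permanent lease."""
    reasons = []
    if m.internal_client not in known_hosts:
        reasons.append("forwards to a host you did not list as known")
    if not m.description:
        reasons.append("no description (legitimate clients usually set one)")
    if m.lease_seconds == 0:
        reasons.append("permanent lease, survives until someone deletes it")
    return reasons
```

Walk the router's table by incrementing NewPortMappingIndex until it returns an error, feed each reply through parse_mapping, and anything with a non-empty reason list deserves a look in the router's port-forwarding page.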

  4. Re:Nothing new, really by Lumpy · · Score: 5, Insightful

    Yup, I have seen people's computers infected from msn.com; the banner ads were at one time installing spyware from the default IE home page.

    All it takes is to get your nastiness in a bunch of ad rotations from doubleclick and other scumbag webad companies and you can hose a huge swath of the net.

    --
    Do not look at laser with remaining good eye.

  5. Re:Nothing new, really by Nullav · · Score: 4, Insightful

    Yes, but the social engineering requirement is more or less gone in this case. It takes substantially less work to convince someone to click a link than to download a file. (Granted, Bonzai Buddy got people by just being a purple ape.)
    Why, look no further than the MyMiniCity/Goatse/2girls1cup links being posted here in every thread! At least one person clicks and ends up warning others. (Either by downmodding or posting.) Why, you just need someone who's curious enough to click.

    On the other hand, it requires a bit of work to get someone familiar with malware to click on a 'you just won' banner and download the mystery prize. Don't even get me started on random email attachments following nonsense messages.

    --
    I just read Slashdot for the articles.

  6. Re:Nothing new, really by Brian+Gordon · · Score: 1, Insightful

    I agree, UPnP always seemed like a bad idea to me.. it just fills up your network with multicast spam for lazy people who don't want to set up a proper network. Clients should have no control or peer-to-peer interaction.. networking is all about security, and doing everything server-side keeps things secure.

  7. Re:Nothing new, really by kilodelta · · Score: 2, Insightful

    That is the problem. It seems as though Flash is the way to go on this and if you're running Firefox you just run the Flashblock add-on. It puts a little 'f' where the flash module wants to run. Between Flashblock and AdBlock I love the web.

  8. Re:Nothing new, really by eat+here_get+gas · · Score: 3, Insightful

    Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP, SMC Barricade 7004VBR (w NAT and firewall)...what's the problem? I've been running this for several years with no infections.
    99.9% of the shiit that gets blocked by these programs I don't need/want/miss anyway.

    --
    the significance of a signature is insignificant

  9. Re:Nothing new, really by cheater512 · · Score: 4, Insightful

    I use Linux with Seamonkey and..... uuhhh nothing else.
    No infections either. :)

    It looks like you're doing everything except the simplest solution.

    Oh and yes I use UPNP.

  10. Re:Nothing new, really by Cal+Paterson · · Score: 3, Insightful

    Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP, SMC Barricade 7004VBR (w NAT and firewall)...what's the problem?
    That none of this is default?