Slashdot Mirror


Most Home Routers Vulnerable to Flash UPnP Attack

An Anonymous reader noted that some folks at GNU Citizen have been researching UPNP Vulnerabilities in home routers, and have produced a flash swf file capable of opening open ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.


  1. Nothing new, really by Billosaur · · Score: 3, Interesting

    It all hinges on going to a malicious web site. Just like email trojans, if you resist temptation and use some common sense, do you really have to worry about this?

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Nothing new, really by someone1234 · · Score: 4, Informative

      Yes. You may not be sure if a site is malicious or not, without visiting it.
      And some sites may become malicious suddenly because of all those syndicated ads around.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    2. Re:Nothing new, really by Anonymous Coward · · Score: 5, Informative

      Well yes. If you never visit a site with adverts. Or the Internet as it's otherwise known. Sure, you can block them (and I do) but sometimes sites switch to new providers and you are vulnerable for the time it takes to update the block file.

      I'm not really surprised to be honest - I always thought UPnP looked fishy to me so I disabled it on my router. I don't like the idea that anyone coming to visit can plug in their malware-ridden Windows laptop and reconfigure my router. Sure, having it turned off means X-Box Live is less happy but that only decreases the number of people who can call me "fag" on a daily basis. I wonder if Microsoft will update the X-Box Live support page where they say that UPnP doesn't make your network insecure...

      I also have Flash disabled by default because it is well known to be insecure and buggy and a delivery system for malware. Most proper web-browsers either let you enable flash on a per-site basis or will allow you to do so with a plug-in and this is really the way to go.

    3. Re:Nothing new, really by lordofwhee · · Score: 2, Informative

      Let's not forget XSS attacks, this is the kind of thing they're perfect for.

    4. Re:Nothing new, really by Lumpy · · Score: 5, Insightful

      Yup, I have seen people's computers infected from msn.com; the banner ads were at one time installing spyware from the default IE home page.

      All it takes is to get your nastiness in a bunch of ad rotations from DoubleClick and other scumbag web-ad companies and you can hose a huge swath of the net.

      --
      Do not look at laser with remaining good eye.
    5. Re:Nothing new, really by Nullav · · Score: 4, Insightful

      Yes, but the social engineering requirement is more or less gone in this case. It takes substantially less work to convince someone to click a link than to download a file. (Granted, Bonzi Buddy got people by just being a purple ape.)
      Why, look no further than the MyMiniCity/Goatse/2girls1cup links being posted here in every thread! At least one person clicks and ends up warning others. (Either by downmodding or posting.) Why, you just need someone who's curious enough to click.

      On the other hand, it requires a bit of work to get someone familiar with malware to click on a 'you just won' banner and download the mystery prize. Don't even get me started on random email attachments following nonsense messages.

      --
      I just read Slashdot for the articles.
    6. Re:Nothing new, really by jandrese · · Score: 3, Interesting

      The annoying thing about it is that applications (especially games!) are written these days assuming you're either directly connected or behind a uPNP router. I had a hell of a time trying to get C&C3 working over my BSD based router because it assumed I was using uPNP.

      --

      I read the internet for the articles.
    7. Re:Nothing new, really by kilodelta · · Score: 2, Insightful

      That is the problem. It seems as though Flash is the way to go on this and if you're running Firefox you just run the Flashblock add-on. It puts a little 'f' where the flash module wants to run. Between Flashblock and AdBlock I love the web.

    8. Re:Nothing new, really by eat+here_get+gas · · Score: 3, Insightful

      Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP, SMC Barricade 7004VBR (w NAT and firewall)...what's the problem? I've been running this for several years with no infections.
      99.9% of the shiit that gets blocked by these programs I don't need/want/miss anyway.

      --
      the significance of a signature is insignificant
    9. Re:Nothing new, really by mcmonkey · · Score: 2, Funny

      Yup, I have seen people computers infected from msn.com

      Isn't that redundant? The GP already stated,

      It all hinges on going to a malicious web site.
    10. Re:Nothing new, really by cheater512 · · Score: 4, Insightful

      I use Linux with Seamonkey and..... uuhhh nothing else.
      No infections either. :)

      It looks like you're doing everything except the simplest solution.

      Oh and yes I use UPNP.

    11. Re:Nothing new, really by Cal+Paterson · · Score: 3, Insightful

      Firefox with AdBlock+, EasyElement, EasyList, SpyBot S&D, SpywareBlaster, disable Flash and UPnP, SMC Barricade 7004VBR (w NAT and firewall)...what's the problem?
      That none of this is default?
  2. Turn off UPNP by russ1337 · · Score: 5, Insightful

    I thought the recommended steps for setting up a router were:

    A. Unbox
    B. Throw away the disk
    C. Plug in your machine, Turn on the router and navigate to the webgui
    D. Turn off UPNP
    E. ??? (Change default name and password, set WPA, Turn off SSID etc....)
    F. Profit...

    The point is, I'd always been told to turn off UPNP 'cos sooner or later something is going to open ports that you don't know about.

    1. Re:Turn off UPNP by Corporate+Troll · · Score: 3, Insightful

      Change default name and password, set WPA, Turn off SSID etc....

      I'm okay with all of that. The only thing I never get is why to turn off the SSID broadcast. If it's well secured, it doesn't matter if they know it's there or not. Besides, I'm pretty sure that just listening to traffic will reveal the presence of a wireless network.

    2. Re:Turn off UPNP by Z-MaxX · · Score: 5, Informative

      I thought the recommended steps for setting up a router were:
      ... D. Turn off UPNP

      I guess that is the wise choice. But UPnP is very handy for me because my home machines always get different IPs from my router, so if I want to port-forward BitTorrent ports to my laptop, desktop, etc., I have to go in and change the port-forwarding config on the router every time I get assigned a new IP. Big PITA. But then I discovered how Azureus can use UPnP to automagically forward the ports for me on the fly. It seems to work fine. Too bad it's a security risk.

      --
      Dr Superlove 300ml. I use my powers for awesome
    3. Re:Turn off UPNP by yuna49 · · Score: 5, Informative

      BitTorrent users often use uPNP to punch a hole through the router for torrents. Many torrenting "how-tos" specify using uPNP for this purpose, and it's commonly enabled in many BT clients like Azureus and uTorrent. For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

    4. Re:Turn off UPNP by FlashBIOS · · Score: 5, Informative

      See if your router supports port triggering or look for that feature in your next router. It is a way to automate port forwarding, and would help you in your setup without being the security risk UPnP is.

    5. Re:Turn off UPNP by EvilRyry · · Score: 2, Insightful

      Right. And it's also rather annoying when you do a quick look around to find a vacant channel. "Oh look, no one is on channel 1, lets use that!" Only to find out a short while later that 5 networks are using that channel, but all of them have SSID broadcast disabled.

      Anyone who can break into your wifi can probably find your SSID if broadcast is disabled, all you need to do is wait and listen.

    6. Re:Turn off UPNP by pipatron · · Score: 5, Informative

      Configure your DHCP server (your router in this case) to always give the same IP to the machines that you run server software on. It's trivial, really.

      --
      c++; /* this makes c bigger but returns the old value */
    7. Re:Turn off UPNP by Tim+Browse · · Score: 2, Insightful

      Er, you 'don't get' the whole 'change default password crap'? Even though you 'usually' look up the password on a 'list of manufacturer default'?

      Want to run that by us again? :-)

    8. Re:Turn off UPNP by binaryspiral · · Score: 5, Funny

      For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

      If uPNP is a godsend to those people... they need to get a better God.

    9. Re:Turn off UPNP by MBGMorden · · Score: 3, Insightful

      The other funny thing is that he claims to be "completely crashing a router so it resets to factory defaults". Now most of them do that after a firmware update (but you have to already have admin access for that, so no glory there), or if you do a hardware reset, in which case you need physical access to the device. I have NEVER heard of any router that will reboot with factory default settings if it crashes (and believe me, my first D-Link router several years ago crashed on a near daily basis - the poor little processor inside of it couldn't keep up with the number of connections my P2P software was making).

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    10. Re:Turn off UPNP by ookabooka · · Score: 2, Informative

      Agreed. I'm sure there are even games that support uPnP so when you host a game, the appropriate port is automatically forwarded. IMO, if you keep a tidy computer network with virus scanners on your computers and scan for malware, then it's not much of an issue. It's still better than hooking up your computer directly to the internet and having Windows services exposed. You have to compromise the computer before you can use UPnP to allow the attacker in anyways. What's so bad about having a lock that's easy to disable from the inside? It basically comes down to ease of use versus security. I happen to think the benefits of having programs being able to quickly do port forwarding themselves so I don't have to outweigh the possibility that someone can use the same ability to make a trojan work, because I feel I am relatively safe (I'm not an idiot and acknowledge nothing is 100% foolproof) against such security breaches.

      --
      If you are about to mod me down, keep in mind that this post was most likely sarcastic.
    11. Re:Turn off UPNP by morgan_greywolf · · Score: 2, Informative

      You're right, but many routers do NOT support this feature out-of-the-box, the most notable of these being the WRT54G.

      Personally, I just run a standard ISC DHCP daemon on one of my boxes and then configure it to dole out addresses to machines that need 'static' IPs for server functionality. I also have a dynamic port range for other boxes and devices that can change without any adverse effects.

      On a Linux machine (currently there are packages for Ubuntu, Debian and Fedora, plus some others), this can be made easy by the use of the gadmintools' ghdpcd.

    12. Re:Turn off UPNP by morgan_greywolf · · Score: 2, Insightful

      Using true static IPs is much less convenient than configuring a dhcp server to dole them out. One problem is moving a machine (like a laptop or lan-party gaming computer) between networks -- static IPs can make things sticky.

    13. Re:Turn off UPNP by _.-+thimk!+-._ · · Score: 5, Informative

      There are a couple of principles you seem to be missing, starting with the idea of relative security. It is possible to make a wireless network 'more secure' than it is, as configured by default out of the box. It does help, in the same way that improving the security on the average home helps. Will it stop someone determined to get in? Very probably not. Can you make it easier for someone to go to the house next door, that has not implemented any of the steps to secure themselves? Yes. As a rule, people are usually lazier than they are determined to get into one specific network. If folks are serious about wanting a secure network, there are all sorts of things they can do. Most of them involve not having a wireless connection, or spending a *lot* more time, money, and effort on it than folks do on the average home network. Having noted that, let's look at your list.

      Hidden SSID: One commonly expressed theory behind hiding a SSID is similar to why you lock your car. If your car is locked, it's a less attractive target than one which isn't. Hiding your SSID does make a network a less obvious target than one which is visible. It doesn't impede any serious search for networks by someone knowledgeable, but it will remain hidden to casual view. Is this vaguely inconvenient? Possibly, but then, really, so are locks. Really, I've never been so fond of that analogy.

      If you like, I think a better analogy might actually be that hiding your SSID is like planting a bush in your front yard that obscures a direct view of your front door. It doesn't really make your door any more secure, in and of itself, but it might make it less obvious that there's a door there to begin with. Someone simply walking by might not notice it, but someone sitting in their car, watching folks come and go is sure to notice it. It just makes it more likely that a casual passerby might try one of the obvious doors nearby to see if they can get in, rather than trying yours.

      MAC Filtering: Similarly, MAC filtering is better than not MAC filtering. The observer can't get on the network unless they spend enough time analyzing active traffic to sift for MAC info. Yes, with the right tools 'enough time' is relative, and not all that long. But, if you're not around using your wireless network when they're doing the analysis, it's difficult to obtain that info, since your MAC isn't being broadcast to begin with. Is it perfect security? Not by any means, but, again, it's a lot easier to get onto a network that's not using it than one which is. Not everyone is running Kismet with a wireless network card configured in promiscuous mode, and even with the number of folks who are, most are more likely to roll a half block down to the completely open network that's almost invariably there than spend time trying to get onto the more secure network, simply for the challenge of it.

      Change the default password: If you seriously don't understand this, then you are completely clueless, regardless what tools you're using. Just because you can guess a few passwords using the short list that unimaginative folks commonly use doesn't mean that you can guess any password. (Of course, script kiddies commonly don't have any idea why what they use works, but that doesn't mean it doesn't.) If you were thinking at all about what you were writing, you'd see you make the point yourself as to exactly why it's important. You commonly 'just look up manufacturers default passwords'. If they set a proper password, it makes things more difficult, and you have to try to guess it. With a good password, you're not going to simply guess it.

      Crashing the Router: As for your alternative, no decent router should ever come back up with the factory presets after a simple crash. It should always come up with the custom settings, or, failing that, remain hung until manually reset by hand. Even if they do come up with the factory defaults, for modern routers at least, that should be with the external management interface disabled.

      Not

    14. Re:Turn off UPNP by InvisiBill · · Score: 2, Informative

      WRT54G (Arguably the most prolific consumer grade router in existence) does support static IP assignments via DHCP.

      Certain versions, at least, do not. That was the main reason I switched to DD-WRT. The compact version also did not support it last I knew (a friend has this router).

      But yes, even the D-Link DI-704 that I purchased in 2000 for $20 (i.e. it was really cheap a really long time ago) did support reserved DHCP, and I'll never again use a router without it. I personally find it unforgivable that Linksys' instructions for port forwarding essentially tell you to completely disable DHCP and just manually configure every device on your network.

    15. Re:Turn off UPNP by Stavr0 · · Score: 2, Insightful

      AC > I don't get the whole [yadda yadda yadda]

      The hidden SSID and WEP encryption is meant as a polite message to white hat hackers that I'd rather they not use my AP as my bandwidth is metered by my ISP.

      If you are an asshole who will hack and pwn my AP anyway then you're no better than the thief with the crowbar that smashes car windows to steal CDs and the spare change in coin boxes. If I'm lucky enough to be home as you do this, I'll grab my camera and a baseball bat to record your feats and your license plate, then use the baseball bat to smash your laptop to bits.
      //Internet tough guy

    16. Re:Turn off UPNP by Corporate+Troll · · Score: 2, Informative

      I linked this already elsewhere. It doesn't mention anything about being used for encryption, so I hope you're wrong. (You're not: WPA-PSK uses it in the hash-function of passwords.) Still, the SSID is unhideable, since the first link shows it's transmitted in cleartext.

    17. Re:Turn off UPNP by adolf · · Score: 3, Informative

      All of us self-respecting geeks realized, years ago, that it was far cheaper, easier, and better to run OpenWRT/DD-WRT/Alchemy on a WRT54G from Wal-Mart, than to maintain yet-another-fucking-PC at home.

      It's a good gig: A Linux box with 5 Ethernet ports and a WiFi radio for ~$50.

      Having zero moving parts and negligible power consumption is a big help, too.

    18. Re:Turn off UPNP by RpiMatty · · Score: 2, Informative

      Just make a couple of .bat files to change your IP address. (I am assuming Windows because you said gaming machine.)

      netsh interface ip set address name="Local Area Connection" static 192.168.101.2 255.255.255.0 192.168.101.1 1
      That will set your ip to 192.168.101.2 with a gateway of 192.168.101.1 - Fill in your own home network values.

      Here is a 3 line .bat file to set dhcp, renew your address, and pause to show you the results.

      netsh interface ip set address "Local Area Connection" dhcp
      ipconfig /renew "Local Area Connection"
      pause
      I have about 6 different batch files in a folder in my Quick Launch toolbar on my WinXP work laptop. It takes 2 clicks for me to change my IP address. If I go to a new site where I need to create a new static IP, I just copy one of the batch files, rename it and put in the new information.

    19. Re:Turn off UPNP by Stavr0 · · Score: 2, Insightful

      Why don't you use WPA? It's 1000x better than WEP. I have a crusty old PDA which knows nothing about WPA.

      The asshole that wants to crack it will need much more time, and as such will be discouraged even more. There are open default and Linksys APs right next to mine. Why bother with mine?

    20. Re:Turn off UPNP by Cramer · · Score: 4, Funny

      Simple. Buy one of the new Linksys Draft-N routers and put it in 40MHz mode. It'll stomp all over them.

    21. Re:Turn off UPNP by KevReedUK · · Score: 3, Insightful

      planting a bush in your front yard that obscures a direct view of your front door

      From a security perspective, I would never want one of these as, if someone were at my front door trying to pick the lock, they would be obscured from view. I find living in a neighbourhood where there is the appearance that all the neighbours are nosy is far more effective as a form of security.
      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    22. Re:Turn off UPNP by adolf · · Score: 2, Interesting

      You preach to the choir.

      I have several PCs (one desktop, one old laptop, one ancient laptop) which I've tried to eliminate moving parts from.

      The desktop is a machine which I occasionally use through a KVM, which only exists to operate a Soundblaster Live card using (exceptionally fine) KX Audio Driver. This turns an old (and also exceptionally fine), quadraphonic Pioneer receiver into a exquisitely-tweaked biamplification setup for the computer room's audio, while being able to convert to a rather featureful bass guitar amplifier at the push of a button.

      The hard drive is gone, its old-skool K6-2 heatsink/fan combo replaced by a huge heatsink from the high-dissipation Socket A days, and its power supply fan replaced with a slow-moving thermostatically-controlled job which should last for decades. Storage is a 2-gigabyte Transcend compact flash card, which seems to contain Windows XP just fine. (2000 would have worked just as well, but I already had an extra XP license and felt that it might as well be doing something.)

      The old laptop is a rather lousy Compaq P166. It sits on my wife's desk for the sole purpose letting her use Thottbot. Again, the hard drive is a 2-gig flash card. It runs some variation of Ubuntu, with Firefox, and that's it. The CPU fan is unmodified, but in this application it's never required to spin anyway.

      The ancient laptop is what was once a very high-end (~$3,700) NCR/AT&T 386SLC box with a monochrome VGA screen. There's no floppy drive, no CD drive, and (at this point) no keyboard. Its power supply is a 12VDC wall wart soldered to battery terminals. The CMOS battery died ages ago. The top cover broke into little bits long ago, and has been replaced by a heavy stainless steel and aluminum fabrication bolted to the display hinges. It survived for two days under floodwater without any apparent harm other than a heavy layer of silt over the entire motherboard (which it doesn't seem to mind at all). With a 512MB flash card in place of its hard drive, it does fine hanging on the wall displaying a backlit, NTP-synchronized clock. Its only remaining moving parts are the power switch and the contrast control.

      At this point, it seems important to note that there is one thing that all of these machines have in common with each other: They're PCs. They all need some combination of expansion, visual output, or human input in order for them to work in their desired capacity. Even the aforementioned Frankenstein laptop needs a PS/2 port, in order to unwedge the BIOS at bootup because of its dead battery.

      But a router? It doesn't need these things -- not even the battery. It's got 5 Ethernet ports, which is plenty for my house. They all share the same 100mbps pipe to the CPU, and are only individually addressable by configuring them for VLAN, which is way more than good enough for my cable modem connection at home. It configures just swell with SSH, so it needs no local display or keyboard. And with all that connectivity, it needs no expansion (though I did hack in a 256MB SD card for no particular reason).

      And there's one thing it does which your scrap-built m0n0wall box is lacking: WiFi. The WRT54G includes a rather nice dual-diversity 802.11g radio by default, with real antenna connectors and good power output (in case I ever feel like blanketing a city block with WiFi).

      I mean, if I were still using a PC as a router (as I did do for the decade between 1995 and 2005), I'd still have to buy an access point/hostap-supported NIC/wireless router in order to use my laptop on the couch.

      As I see it, since the WRT54G does all of this stuff for $50, the situation can be looked at in one of two ways: Either the access point was free, or the router was free. Plus, I get to use all of the parts which didn't get used building a PC-based firewall for more interesting projects or spares.

      So, let's review: A WRT54G is smaller (more room for real computers), cheaper, better, has lower power consumption (a few do

  3. Open WiFi + this = trouble? by eknagy · · Score: 3, Insightful

    This will take an old-new argument to "to free or not to free my wifi" questions.

    1. Re:Open WiFi + this = trouble? by wbren · · Score: 2, Informative

      Open WiFi access points are a security nightmare regardless of exploits like this, so the same basic advice still holds: open WiFi access points should be isolated from your "trusted" network. Security vulnerabilities aside, open access points are a legal nightmare waiting to happen (child pornography, phishers, DDoS attacks, intrusion, etc.) In other words, avoid them. Regarding your specific question about this UPnP exploit and open APs, the open AP could be potentially used as a phishing goldmine, especially in high-traffic areas. Since the exploit is not limited to port forwarding (in fact almost anything could be done to the router's configuration), users could potentially be tricked into doing all sorts of things (via DNS spoofs, packet manipulation, etc.) The only difference in the case of an open AP is the scope of the damage, as more users will likely connect to an open vs. closed network. Obviously that attack really only makes sense for non-encrypted sites, since this is exactly the type of thing SSL is designed to prevent.

      --
      -William Brendel
    2. Re:Open WiFi + this = trouble? by wbren · · Score: 2, Insightful

      From the article's comments:

      The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.
      The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing attacks succeed, this seems like a legitimate threat. Notice that in this case the clients could be as hardened as can be, and they would still (unless a static DNS was manually entered) use the DNS server provided by the compromised router.
      --
      -William Brendel
  4. Mozillazine forums had this two years ago by dotancohen · · Score: 2, Interesting

    There was a thread on the Mozillazine forums about malicious JavaScript changing router settings about two years ago. Unfortunately, in October Mozillazine had a big foulup and many threads (and users, me included) were lost. I cannot find the thread now, but if I do I'll post back with a[n] URL. The thread's conclusion was that one should never leave the default password on the router.

    --
    It is dangerous to be right when the government is wrong.
  5. My Home router is a Linux NAT Box. by Zombie+Ryushu · · Score: 2, Interesting

    My home router is a Linux NAT Server. (I sorta have a pissant about the fact that those things get called "Routers". I have a DI-704, and I couldn't get it to route between two actual subnets. It only would NAT.)

    Anyway, my point. What about things like the Linksys WRT54GL?

    The thing is, it would be awesome if there was a flash drive driven Linux device with a Cisco Style com port that ran off flash, could be OpenLDAP Server, Samba DC, Kerberos KDC, NAT Server, or actual router WITH a Cisco style Console port that are cheap. Why does this not exist??

    1. Re:My Home router is a Linux NAT Box. by Anonymous Coward · · Score: 2, Informative

      The WRT54G can have a serial port hacked into it for configuration. It's a fairly simple job if you have a soldering pencil around. They can also mount an SMB file system on boot so you can run whatever you want on the device. This filesystem can contain a shell script to be executed, allowing you to set up whatever you'd like to run at boot on the router.

    2. Re:My Home router is a Linux NAT Box. by AMuse · · Score: 2, Informative

      If you really want to tinker around with Linux as a home NAT/Firewall device, you would love the Soekris NET4801 or NET5501 boxes.

      I have one (I have no financial relationship with them other than customer) and I really love it. Very low power, 4GB flash card (up to 8 now I think), 1GB of RAM, no fans, no noise and if I want to I can put a large USB external drive (or small laptop drive inside) to do NFS/SMB/ETC.

      All that and the wonder of Linux IPTables, routing, NATting, OpenVPN, OpenSSH for around $300. I replaced an old P3 box I had been using as a router and my power bill thanks me every month. :)

      Also, each unit ships with a free pudding!! (Warning: Pudding may be evil.)

  6. Let me be the first... by sticks_us · · Score: 2, Informative

    ...in this thread anyway, to recommend the flashblock plugin.

    I installed it a couple of weeks ago, and really enjoy it. Banner ads have all but disappeared, and I don't even really notice (except for faster page loads and cleaner page layouts). If I want to see a YouTube video, that's easily accomplished--just click on the "F" icon in the blocked section of the page.

    As an added bonus, I'm protected from all of these recent security breaches we've seen for Flash...aren't I?

    --
    "Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
    1. Re:Let me be the first... by TheCRAIGGERS · · Score: 2, Funny

      Firefox is safe anyway, for the time being.

      Still, NoFlash... NoScript... soon I'll have to install NoImage and NoCSS. I guess it's time to go back to Gopher.

  7. Browsers by JackSpratts · · Score: 4, Informative

    as usual opera is resistant.

  8. Open open... by ElGanzoLoco · · Score: 5, Funny

    [...] a flash swf file capable of opening open ports into your network [...]

    Hold on, now I'm confused: does this attack open open ports, or does it open ports open? Or even worse, does it open open open ports? :D

    --
    Hello! I'm a disaster waiting to happen!
  9. Turn off UPnP! by ledow · · Score: 4, Insightful

    Turn off UPnP! Why on Earth do you want it on anyway? That's the problem here - an XSS is one matter, although being able to send SOAP-style requests across your local network is a major concern. But having a router that automatically opens ports based on virtually zero authentication? A nightmare waiting to happen.

    Never used it. Never wanted it. Never turned it on. Always turned it off on EVERYTHING. UPnP is the problem here - a simple (unauthenticated) HTTP-style page requested in a browser suddenly starts opening ports to your network. It should not happen. Even my DSL router/wireless router/Linux router has SSL only, passworded access to do anything even approaching opening ports. And if a webpage pops up with an authentication dialog with the header "Wireless Router" and you type in your password, then you're a fool, unless you specifically requested the router's configuration page.

    There's rarely even a log of what UPnP has done - which ports it's opened in the past etc. for whom.

    Just turn the damn thing off. It's too dangerous.

    1. Re:Turn off UPnP! by slim · · Score: 5, Insightful

      The thing is, it's just so damn useful. For a TCP/IP savvy person, setting up, say, a Bittorrent client, or Xbox Live online play without UPnP is a chore. For normal people, it's voodoo. With UPnP (and the right client) it Just Works. Convenient or secure... guess what most people will choose?

      But, agreed, it's scary stuff, if you believe your router ought to be a firewall. What's really needed is for home routers to start implementing authenticated UPnP, and for clients to work with it. (I must admit I've only glanced at the UPnP specs, but I seem to recall seeing references to an authenticated flavour).

    2. Re:Turn off UPnP! by GrievousMistake · · Score: 2, Interesting

      Additionally, it's nice to let hosts on the network set up their own port forwarding without having root access to the router, for example when you rent out a house with several apartments that share the same internet connection.
      My old router used to have an option to only let hosts modify UPNP bindings to their own IP, which is good enough security for me.

      What I don't get about this exploit is, if you already have a flash application running on a victim's machine that can make arbitrary outgoing connections, couldn't you just as easily proxy your connections through the flash application? So it's not like you gain access to anything that you didn't have access to already.

      --
      In a fair world, refrigerators would make electricity.
  10. Re:DD-WRT? by jrumney · · Score: 5, Informative

    If the firmware has UPnP IGD enabled, then your machine is vulnerable to this attack.

    The vulnerability is really Flash not restricting what untrusted scripts can do. The router's UPnP IGD profile is working as designed - an application on a machine within the firewall requests that an incoming port be forwarded, so the router does that. This is useful for VoIP, IM, P2P and other applications that need to be contactable from the outside world. Malicious programs that are running on your machine can always initiate outgoing connections, so generally the UPnP IGD is not allowing anything that cannot already be done. In the case of Flash, it is probably blocking most outgoing connections, so UPnP does expand the possibilities for a malicious Flash app to initiate connections with your machine. But unless Flash also allows you to open server sockets, the attacker would also need to find an exploitable service running on your machine.

    All this should be detectable by a decent firewall program running on your local machine.

  11. WHERE $money; PUT $mouth by ronadams · · Score: 3, Interesting

    I don't get the whole turn off SSID and MAC filtering, change default password crap. More often than not Kismet works out the SSID if hidden, MAC can be spoofed using macchanger, and I usually guess people's passwords or look them up on a list of manufacturer defaults. The alternative is to completely crash a router as it just resets with factory defaults and you can completely take over the router.

    I live in Cincinnati, Ohio. You come (wirelessly) break into my router, change the current settings by opening port 1337, and I'll refund the cost of your travel (as determined by hotwire or expedia's fare rates on the day of your travel), and pay you $100 additional, all in cash on the same day.

    It's a SOHO router, but I won't tell you what make/model -- if your prowess is as you claim, you should have no trouble determining that. You may not enter the apartment or inspect any systems currently connected -- but you shouldn't need to. I have no other firewalls, proxy servers, or tricks on the front end of this router -- it's straight from modem to unit. You may have 48 consecutive hours to complete the task.

    Still confident? Email me at radams theatsign tohuw.net and make arrangements.

    --
    Appended to the end of comments you post. 120 chars.
    1. Re:WHERE $money; PUT $mouth by bignetbuy · · Score: 4, Funny

      Challenging an anon coward...

      Yeah, that'll work.

    2. Re:WHERE $money; PUT $mouth by Anonymous Coward · · Score: 2, Informative

      Here's the problem. Home routers normally support only WEP and WPA-PSK. WEP is a joke. I have software on my laptop that performs a linear keyspace attack against WEP - that is to say that a 128-bit key (really 104 bits...) only takes twice as long to break as a 64-bit key. It's called a fragmentation attack. WEP is not only dead, it's stinking up the place and needs to be hauled away for public health reasons. This leaves you with WPA-PSK. There's a well understood method for breaking that as well - you use a broadcast deauthenticate attack to kick the workstations off the network, and force them to reauthenticate - then you snag the authentication challenges, and attack them using a rainbow table. One rainbow table used for this is about 40GB, but that's still reasonable given the cost of external USB hard drives...

      Changing the settings is a bit more difficult - but I wouldn't class it as impossible by any stretch of the imagination.

    3. Re:WHERE $money; PUT $mouth by ronadams · · Score: 3, Interesting

      I'm aware of both of those issues. My offer still stands.

      --
      Appended to the end of comments you post. 120 chars.
  12. Re:Questions about Wireless Router Security by Tony+Hoyle · · Score: 4, Informative

    If a Flash plugin can make outgoing XML requests it can persuade a UPnP server to make your machine wide open, thus completely disabling your firewall. Making those kind of requests sounds like the kind of thing you want Flash to do, so I'd imagine all versions are vulnerable.

    There are some ports.. 137,139,445,etc. that you really don't want on the open internet. If the plugin does something like a port forward of 0-65535 to your machine suddenly *every* service on there is wide open to any attack. It'll bypass protections from e.g. the default XP firewall as the packets will appear to be coming from the local LAN (the router) rather than the original source.

    It's not just Flash (although a malicious advert on a page is the most obvious vector for this). Anything that runs on your machine can do it.. I reckon you could craft such an attack in JavaScript even (XMLHttpRequest with the right code).

    Once the ports are open anything that manages to run on your machine can leave itself wide open without having to make telltale outgoing port connections (although it's often said that outgoing connections are the reason UPnP is 'not worse' than existing protections, no working trojan would work in that manner, since the target of the outgoing connection would quickly be found and shut down.. OTOH leaving a trojan on your machine listening on your machine waiting for the command to send spam/infect others/distribute child porn/whatever is much more real a threat).
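
As an added example (not code from any commenter or from GNU Citizen), here is a small Python audit for the point jrumney and Tony+Hoyle make: the IGD does exactly what it is asked, so the defender's job is to read back what it has been asked for. It builds the standard WANIPConnection GetGenericPortMappingEntry request, parses the reply, and flags any enabled mapping that lands on the NetBIOS/SMB ports named above; the device responses and the 192.168.1.10 client are constructed, not captured from a real router.

```python
import xml.etree.ElementTree as ET

# Services the thread names as never wanting on the open Internet (NetBIOS/SMB).
RISKY_PORTS = {137, 138, 139, 445}
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def get_mapping_request(index):
    """SOAP envelope for the IGD action GetGenericPortMappingEntry(index); reading
    index 0, 1, 2... until the device answers with a fault walks the whole table."""
    return ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{IGD_NS}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')


def parse_mapping(xml_text):
    """Turn one GetGenericPortMappingEntryResponse into a dict; None on a SOAP fault."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{IGD_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:  # end of the table (or an error): the body holds <s:Fault>
        return None
    f = {child.tag: (child.text or "").strip() for child in resp}  # args are unqualified
    return {"proto": f["NewProtocol"], "ext_port": int(f["NewExternalPort"]),
            "client": f["NewInternalClient"], "int_port": int(f["NewInternalPort"]),
            "desc": f["NewPortMappingDescription"], "enabled": f["NewEnabled"] == "1"}


def audit_mappings(responses):
    """Return every enabled mapping that lands on a risky internal port."""
    mappings = (parse_mapping(r) for r in responses)
    return [m for m in mappings if m and m["enabled"] and m["int_port"] in RISKY_PORTS]


def sample_response(proto, ext, client, port, desc):
    """Constructed reply in the shape an IGD returns (not captured from a real device)."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_NS}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


# Constructed table: a BitTorrent mapping the user asked for, an SMB mapping nobody did, then the end-of-table fault.
SAMPLE_TABLE = [sample_response("TCP", 6881, "192.168.1.10", 6881, "BitTorrent"),
                sample_response("TCP", 445, "192.168.1.10", 445, ""),
                f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault/></s:Body></s:Envelope>']

if __name__ == "__main__":
    for m in audit_mappings(SAMPLE_TABLE):
        print(f"WARNING: {m['proto']} WAN:{m['ext_port']} -> {m['client']}:{m['int_port']} ({m['desc'] or 'no description'})")
```

Against a live device you would POST each request to the WANIPConnection control URL from the router's device description; a mapping you did not create, or one with no description, is the log entry ledow says is missing.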