Slashdot Mirror

← Back to Stories (view on slashdot.org)

Most Home Routers Vulnerable to Flash UPnP Attack

Posted by CmdrTaco on from the oh-this-will-go-well dept.

An Anonymous reader noted that some folks at GNU Citizen have been researching UPNP Vulnerabilities in home routers, and have produced a flash swf file capable of opening open ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.

12 of 253 comments (clear)

  1. Turn off UPNP by russ1337 · · Score: 5, Insightful

    I thought the recommended steps for setting up a router were:

    A. Unbox
    B. Throw away the disk
    C. Plug in your machine, Turn on the router and navigate to the webgui
    D. Turn off UPNP
    E. ??? (Change default name and password, set WPA, Turn off SSID etc....)
    F. Profit...

    The point is, I'd always been told to turn off UPNP 'cos sooner or later something is going to open ports that you don't know about.

    1. Re:Turn off UPNP by Z-MaxX · · Score: 5, Informative

      I thought the recommended steps for setting up a router were:
      ... D. Turn off UPNP I guess that is the wise choice. But UPnP is very handy for me because my home machines always get different IPs from my router, so if I want to port-forward BitTorrent ports to me laptop, desktop, etc., I have to go in and change the port-forwarding config on the router every time I get assigned a new IP. Big PITA. But then I discovered how Azureus can use UPnP to automagically forward the ports for me on the fly. It seems to work fine. Too bad it's a security risk.
      --
      Dr Superlove 300ml. I use my powers for awesome
    2. Re:Turn off UPNP by yuna49 · · Score: 5, Informative

      BitTorrent users often use uPNP to punch a hole through the router for torrents. Many torrenting "how-tos" specify using uPNP for this purpose, and it's commonly enabled in many BT clients like Azureus and uTorrent. For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

    3. Re:Turn off UPNP by FlashBIOS · · Score: 5, Informative

      See if your router supports port triggering or look for that feature in your next router. It is a way to automate port forwarding, and would help you in your setup without being the security risk UPnP is.

    4. Re:Turn off UPNP by pipatron · · Score: 5, Informative

      Configure your DHCP server (your router in this case) to always give the same IP to the machines that you run server software on. It's trivial, really.

      --
      c++; /* this makes c bigger but returns the old value */
    5. Re:Turn off UPNP by binaryspiral · · Score: 5, Funny

      For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

      If uPNP is a godsend to those people... they need to get a better God.

    6. Re:Turn off UPNP by _.-+thimk!+-._ · · Score: 5, Informative

      There are a couple of principles you seem to be missing, starting with the idea of relative security. It is possible to make a wireless network 'more secure' than it is, as configured by default out of the box. It does help, in the same way that improving the security on the average home helps. Will it stop someone determined to get in? Very probably not. Can you make it easier for someone to go to the house next door, that has not implemented any of the steps to secure themselves? Yes. As a rule, people are usually lazier than they are determined to get into one specific network. If folks are serious about wanting a secure network, there are all sorts of things they can do. Most of them involve not having a wireless connection, or spending a *lot* more time, money, and effort on it than folks do on the average home network. Having noted that, let's look at your list.

      Hidden SSID: One commonly expressed theory behind hiding a SSID is similar to why you lock your car. If your car is locked, it's a less attractive target than one which isn't. Hiding your SSID does make a network a less obvious target than one which is visible. It doesn't impede any serious search for networks by someone knowledgeable, but it will remain hidden to casual view. Is this vaguely inconvenient? Possibly, but then, really, so are locks. Really, I've never been so fond of that analogy.

      If you like, I think a better analogy might actually be that hiding your SSID is like planting a bush in your front yard that obscures a direct view of your front door. It doesn't really make your door any more secure, in and of itself, but it might make it less obvious that there's a door there to begin with. Someone simply walking by might not notice it, but someone sitting in their car, watching folks come and go is sure to notice it. It just makes it more likely that a casual passerby might try one of the obvious doors nearby to see if they can get in, rather than trying yours.

      MAC Filtering: Similarly, MAC filtering is better than not MAC filtering. The observer can't get on the network unless they spend enough time analyzing active traffic to sift for MAC info. Yes, with the right tools 'enough time' is relative, and not all that long. But, if you're not around using your wireless network when they're doing the analysis, it's difficult to obtain that info, since your MAC isn't being broadcast to begin with. Is it perfect security? Not by any means, but, again, it's a lot easier to get onto a network that's not using it than one which is. Not everyone is running Kismet with a wireless network card configured in promiscuous mode, and even with the number of folks who are, most are more likely to roll a half block down to the completely open network that's almost invariably there than spend time trying to get onto the more secure network, simply for the challenge of it.

      Change the default password: If you seriously don't understand this, then you are completely clueless, regardless what tools you're using. Just because you can guess a few passwords using the short list that unimaginative folks commonly use doesn't mean that you can guess any password. (Of course, script kiddies commonly don't have any idea why what they use works, but that doesn't mean it doesn't.) If you were thinking at all about what you were writing, you'd see you make the point yourself as to exactly why it's important. You commonly 'just look up manufacturers default passwords'. If they set a proper password, it makes things more difficult, and you have to try to guess it. With a good password, you're not going to simply guess it.

      Crashing the Router: As for your alternative, no decent router should ever come back up with the factory presets after a simple crash. It should always come up with the custom settings, or, failing that, remain hung until manually reset by hand. Even if they do come up with the factory defaults, for modern routers at least, that should be with the external management interface disabled.

      Not

  2. Re:Nothing new, really by Anonymous Coward · · Score: 5, Informative

    Well yes. If you never visit a site with adverts. Or the Internet as it's otherwise known. Sure, you can block them (and I do) but sometimes sites switch to new providers and you are vulnerable for the time it takes to update the block file.

    I'm not really surprised to be honest - I always thought UPnP looked fishy to me so I disabled it on my router. I don't like the idea that anyone coming to visit can plug in their malware-ridden Windows laptop and reconfigure my router. Sure, having it turned off means X-Box Live is less happy but that only decreases the number of people who can call me "fag" on a daily basis. I wonder if Microsoft will update the X-Box Live support page where they say that UPnP doesn't make your network insecure...

    I also have Flash disabled by default because it is well known to be insecure and buggy and a delivery system for malware. Most proper web-browsers either let you enable flash on a per-site basis or will allow you to do so with a plug-in and this is really the way to go.

  3. Open open... by ElGanzoLoco · · Score: 5, Funny

    [...] a flash swf file capable of opening open ports into your network [...]

    Hold on, now I'm confused: does this attack open open ports, or does it open ports open? Or even worse, does it open open open ports? :D

    --
    Hello! I'm a disaster waiting to happen!
  4. Re:DD-WRT? by jrumney · · Score: 5, Informative

    If the firmware has UPnP IGD enabled, then your machine is vulnerable to this attack.

    The vulnerability is really Flash not restricting what untrusted scripts can do. The router's UPnP IGD profile is working as designed - an application on a machine within the firewall requests that an incoming port be forwarded, so the router does that. This is useful for VoIP, IM, P2P and other applications that need to be contactable from the outside world. Malicious programs that are running on your machine can always initiate outgoing connections, so generally the UPnP IGD is not allowing anything that cannot already be done. In the case of Flash, it is probably blocking most outgoing connections, so UPnP does expand the possibilities for a malicious Flash app to initiate connections with your machine. But unless Flash also allows you to open server sockets, the attacker would also need to find an exploitable service running on your machine.

    All this should be detectable by a decent firewall program running on your local machine.

  5. Re:Turn off UPnP! by slim · · Score: 5, Insightful

    The thing is, it's just so damn useful. For a TCP/IP savvy person, setting up, say, a Bittorrent client, or Xbox Live online play without UPnP is a chore. For normal people, it's voodoo. With UPnP (and the right client) it Just Works. Convenient or secure... guess what most people will choose?

    But, agreed, it's scary stuff, if you believe your router ought to be a firewall. What's really needed is for home routers to start implementing authenticated UPnP, and for clients to work with it. (I must admit I've only glanced at the UPnP specs, but I seem to recall seeing references to an authenticated flavour).

  6. Re:Nothing new, really by Lumpy · · Score: 5, Insightful

    Yup, I have seen people computers infected from msn.com the banner ad's were at one time installing spyware from the default IE home page.

    All it takes is to get your nastyness in a bunch of Ad rotations from doubleclick and other scumbag webad companies and you can hose a huge swath of the net.

    --
    Do not look at laser with remaining good eye.