Homeland Security: Disable UPnP, as tens of millions at risk

For discussions about security.
Message
Author
User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#16 Post by prehistoric »

As rcrsn51 points out, this is primarily a network insecurity, but system crackers can use any hole to compromise everything else.

Part of the problem is that the OS, (like XP originally,) opens ports in firewalls in order to use UPnP. One common cause system vulnerability to network attacks is that ports get opened for one purpose, then stay open. After a while the firewall begins to look like Swiss cheese.

Another aspect is that people configuring things so they can use them inadvertently open still other vulnerabilities. (When your system passes tests on the Shields-Up site, it offers little for a remote attacker to exploit.) Simply getting a networked printer to work can be such a frustrating experience that people in a hurry to print a report or school assignment may drastically compromise their network security. An attacker who knows what people commonly do in response to problems installing a particular printer can greatly speed up his rate of productive attacks by looking for systems where that printer model advertises its presence.

Routers play a key role, and more often than not, they are poorly configured. I keep finding routers with remote management enabled -- and the default password still present! What happens after this error is not limited by simple explanations. You may end up doing all your banking via Mexico. Most routers now have the ability to update firmware via the Internet. Some can support sophisticated Open Source firmware like DDWRT. (If an attacker can install this they can do just about anything. Fortunately, attackers with this kind of skill are rare.) Even without modifying firmware, an attacker who gains control of a router can create vulnerabilities, then lock you out.

I have a (non-wireless) router nearby which was converted to a brick by a remote update attempt. The person who gave it to me didn't even know remote firmware updates were possible.

@Wognath, there is generally no need for UPnP unless you are installing network devices. Best to leave it disabled on your computer at other times.

I've heard any number of arguments over cracking systems via the Internet versus LAN vulnerabilities. These tend to focus on vulnerable devices rather than people, getting the questions backwards.

I just had to explain to some friends that the network password on their home network, which they had been giving to friends who wanted to use their iPhones or Android phones for Internet access, also gave access to the whole LAN. An error in configuring sharing there will compromise your private data. Even if your next door neighbor is a fine upstanding sort, he might naively give your password to his deadbeat teenage hacker son.

The next level of debate involved the "guest" network I set up on their wireless for friends who just wanted Internet access at their house. They originally had the default password "guest". This might be OK if you were sure there were no pedophiles next door. Otherwise, you might find the police at the door with a search warrant some day. (It turned out they were concerned about one neighbor.)

They now have fairly weak passwords on the "guest" network. I'll remind them to change these once in a while. Access to private information is protected by stronger passwords. Nothing provides absolute security, but making it require effort to crack a system, without unduly inconveniencing everyone honest, will usually work. Make life too difficult for honest people, and they will disable security measures.

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#17 Post by rcrsn51 »

I own a little NAS box. It is set up to get an IP address by DHCP. It is Samba-compatible, so any Puppy client can detect it OOTB. I don't need to know its IP address.

It also has a web-based admin server. To access it, I have to scan my network for open Port 80's. Then I can run the admin tools through my web browser by using the IP address as the URL.

The same is true with XP. But in XP I have the option to turn on detection of uPnP devices. Now the NAS box shows up automatically in Network Places, so I don't need to hunt for its IP address.

From a security point of view, there is no real difference. Either way, an attacker could eventually find the box. But that assumes that an external attacker could even see inside my LAN, since it is hiding behind my router.

(But as Prehistoric pointed out, once you give someone the credentials to your wifi access point, you have made them members of your LAN!)

In theory, if an attacker could find the device, he could then use some exploit like a buffer overflow to compromise the service running on the open uPnP port.

But my NAS box also has a "cloud" feature where you can make it visible to external Internet users. One of the options is "Automatic Port Forward". Supposedly, this uses the uPnP protocols to tell a compatible router to open a hole to the box.

This option was set ON by default. From here:
The Universal Plug and Play protocol (UPnP) provides a feature to automatically install instances of port forwarding in residential Internet gateways. UPnP defines the Internet Gateway Device Protocol (IGD) which is a network service by which an Internet gateway advertises its presence on a private network via the Simple Service Discovery Protocol (SSDP). An application that provides an Internet-based service may discover such gateways and use the UPnP IGD protocol to reserve a port number on the gateway and cause the gateway to forward packets to its listening socket.
Why would any router allow this to happen invisibly?

Concerning printers: A client, either Linux or Windows, does NOT need uPnP to set up a networked printer. For example, CUPS searches your network for open Port 9100s. A Windows installer may be looking for some proprietary port.

However, if you have a uPnp-capable printer that also enabled port forwarding on your router, then you have a potential problem.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#18 Post by nooby »

One would need someone good at explaining to noobs like me
how to do it on Puppy Linux. I don't trust I would get the text
on those links they talk about XP and not puppy.

I have a Dlink router and a Belkin and a Thomson
but use the D-Link just now.

What am I suppose to do?
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#19 Post by rcrsn51 »

nooby wrote:What am I suppose to do?
Probably nothing and you will be OK. But if you are really concerned, do the following.

1. Determine the IP address of your router. For example, if your own address is 192.168.2.14, then your router is probably 192.168.2.1.

2. Open a web browser and type in the IP address as the URL.

3. Look through the screens for any mention of uPnp. Don't change anything!

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#20 Post by Wognath »

@nooby: my router manufacturer (Zyxel) recommended disabling UPnP. It's in the router's web management menus. I had to uncheck "enable WPS" and UPnP was disabled. It was my understanding that UPnP allows someone to join my network with a pin number of 8-digits, 4 of which are somewhat predictable.

edit: the Shields Up service at grc.com has a UPnP tester

If I understand, there is also intra-network UPnP on the individual XP computers which is not a security concern. I think this is not a Linux issue at all--but I hope the experts will confirm this. Following the advice of prehistoric, 8-bit and others, I'll probably disable that too since I don't use it, I think--I'll find out!
Last edited by Wognath on Fri 01 Feb 2013, 16:28, edited 1 time in total.

User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#21 Post by prehistoric »

rcrsn51 wrote:...
Concerning printers: A client, either Linux or Windows, does NOT need uPnP to set up a networked printer. For example, CUPS searches your network for open Port 9100s. A Windows installer may be looking for some proprietary port.

However, if you have a uPnp-capable printer that also enabled port forwarding on your router, then you have a potential problem.
My comment there was not about inherent vulnerability of the device, it more resembled social engineering to crack a system. You are well aware of what is necessary to detect and install printers, knowledge that I'm sure was hard won. The vast majority of people using computers with printers don't have a clue.

When a particular model of printer, router, etc. is difficult to install people will enter a mode I call "superstitious behavior". "This never was a problem back in the days when we ran DOS, Win95..etc. I'll just disable all the new-fangled stuff where the documentation makes noise about security."

There is no telling what uninformed people will do under these circumstances, but there are, unfortunately, a few people out there who will check to find out if they have opened network vulnerabilities in the process.

There is also a great deal of bad advice posted on-line. Some small part of it may have been contributed by people with ulterior motives. That is why I recommend not allowing any information about your local set-up out on the Internet unless it is necessary for operation.

A search for vulnerabilities which would be impossibly tedious for a person is duck soup for a carefully programmed machine.

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#22 Post by rcrsn51 »

Apropos, here something interesting.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#23 Post by nooby »

Belkin wemo wifi remote switch control your home from anywhere.

WeMo is your home at your fingertips.
http://www.belkin.com/us/support-article?rnId=7081

so someone could maybe cause trouble
by taking full control over some gadget?

Scary

Yes I will try to find that upnp then.
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#24 Post by prehistoric »

The next level of debate involved the "guest" network I set up on their wireless for friends who just wanted Internet access at their house. They originally had the default password "guest". This might be OK if you were sure there were no pedophiles next door. Otherwise, you might find the police at the door with a search warrant some day.
By sheer coincidence, this report just showed up in Florida.

The perpetrator got inside their LAN, which could also allow him to exploit UPnP vulnerabilities normally hidden behind the router, but the crap he downloaded was stored on his own computer. Had he cracked their computer and parked some in a hidden location on a device belonging to those neighbors they might now be facing a prison sentence.

Post Reply