UPnP combined with Flash may provide way of attacking computers
No security system is ever foolproof but we can do our best to make it hard for those who wish to gain unauthorised access to our networks. In this vein GNUCitizen.org has issued a warning about how Flash on any operating system that supports a reasonably recent version can access UPnP enabled routers or other UPnP enabled devices and cause potential trouble.
The short version is that the best thing to do is turn off UPnP (Universal Plug and Play) on your router. Normally this is done via the routers web interface, although the exact method will vary according to the router and for those not sure what to do, our own home networking forum section is a good place to seek assistance.
Many websites use Flash and this attack does not rely on any holes in Flash but rather someone crafting Flash code that accesses a UPnP device, then when they have control of this telling the router or other device to carry out some deviant activity. The sorts of things that may be possible are:
- Setting up port redirections to make holes in a routers firewall exposing computers on the local network.
- Intercept or redirect DNS requests to alternate sites which phish for usernames and passwords. Online banking websites being the most obvious target.
- Reconfigure a router breaking the broadband connection, or opening a Wi-Fi connection
This problem with UPnP arises because it does not have an authentication procedure built into the protocol. So disabling it completely seems to be the only sure fire solution. Disabling UPnP can lead to some software applications not working fully, e.g. audio/video conferencing in MSN Messenger, sometimes workarounds like manually configuring port forwarding in a router can fix applications that would otherwise use UPnP. One other option would be to disable Flash on your computers, but with many websites using Flash for legitimate reasons you may break functionality of many websites you regularly visit not to mention that it may be possible to cause problems using other plug-ins in the first place.