Broadband News

UPnP combined with Flash may provide way of attacking computers

No security system is ever foolproof, but we can do our best to make things hard for those who wish to gain unauthorised access to our networks. In this vein, GNUCitizen.org has issued a warning that Flash, on any operating system that supports a reasonably recent version, can access UPnP-enabled routers or other UPnP-enabled devices and potentially cause trouble.

The short version is that the best thing to do is turn off UPnP (Universal Plug and Play) on your router. Normally this is done via the router's web interface, although the exact method will vary according to the router. For those not sure what to do, our own home networking forum section is a good place to seek assistance.

The original discussion thread may be too technical for many, and includes a proof-of-concept demonstration. An easier-to-follow FAQ for this Flash UPnP attack has been written.

Many websites use Flash, and this attack does not rely on any holes in Flash. Instead, someone crafts Flash code that accesses a UPnP device and, once they have control of it, tells the router or other device to carry out some deviant activity. The sorts of things that may be possible are:

  • Setting up port redirections to make holes in a router's firewall, exposing computers on the local network.
  • Intercepting or redirecting DNS requests to alternate sites which phish for usernames and passwords, online banking websites being the most obvious target.
  • Reconfiguring a router, breaking the broadband connection or opening a Wi-Fi connection.

This problem with UPnP arises because it does not have an authentication procedure built into the protocol, so disabling it completely seems to be the only sure-fire solution. Disabling UPnP can lead to some software applications not working fully, e.g. audio/video conferencing in MSN Messenger; sometimes workarounds like manually configuring port forwarding in a router can fix applications that would otherwise use UPnP. One other option would be to disable Flash on your computers, but with many websites using Flash for legitimate reasons you may break the functionality of many websites you regularly visit, not to mention that it may be possible to cause the same problems using other plug-ins.

Comments

uPnP has been a security vulnerability from the day it was born, so I'm not surprised by this. Microsoft say "The initial implementation of UPnP technology in Windows XP, however, had some security vulnerabilities" and since then I've defaulted it to off.

  • herdwick
  • over 9 years ago

Whoever thought it was a good idea to provide no authentication, wants taking out and publicly flogging.

  • KarlAustin
  • over 9 years ago

It should be pointed out that the vulnerability does not rely on having UPnP running on the host computer.

So any problems with the Windows XP implementation are immaterial in this case, i.e. it is just as possible with Flash under OSX.

  • andrew
  • thinkbroadband staff
  • over 9 years ago

or indeed a mobile phone, if you use your home wifi connection with your phone.

  • greedy4
  • over 9 years ago

Have to measure the risk. Quote "sometimes workarounds like manually configuring port forwarding in a router can fix applications that would otherwise use UPnP"

And opening an inbound NAT rule on your home router/firewall is a lot less secure than letting UPnP open the port for the few minutes it's needed and close again automatically.

Technology like UPnP is seriously needed. Flash needs to be fixed fast - where's the update?

Does running IE7 Protected Mode in Vista (with UAC on) prevent this?

  • jchamier
  • over 9 years ago

Does running IE7 Protected Mode in Vista (with UAC on) prevent this? Only if this mode prevents Flash from running.

The problem is not Flash, this is just a vehicle for the vulnerability. Any exe on the computer could carry out this attack, including Linux.

Whether mapping a port that is known and is for a specific application is more of a risk than UPnP is open to debate. So long as the application the port is mapped to is secure and has no exploits you are fine.

UPnP is needed, but it seems the need for security which many have called for before is back on the table.

  • andrew
  • thinkbroadband staff
  • over 9 years ago

For clarification, I meant I default to turning UPnP off on routers.

Is UPnP needed? Not really. Putting holes in firewalls should be a conscious action by a human to avoid exposure to risks like this.

  • herdwick
  • over 9 years ago

UPnP is used by a large range of apps today, and having permanent holes in your firewall is a bigger risk. (Some routers offer security features for UPnP connections including refusing requests from certain apps like browsers, but it's not authentication as such.)

Flash's multiple security flaws and other issues mean you should have it disabled anyway.

  • Dawn_Falcon
  • over 9 years ago

I tried about 2 months back telling a handful of idiots in the forums UPnP was a nasty unsecure pile of poop... http://bbs.adslguide.org.uk/showflat.php?Cat=&Board=ukonline&Number=3174625&page=&view=&sb=&o=&vc=1
Of course they argued... Guess who is grinning now.

  • CARPETBURN
  • over 9 years ago

Hope it makes you feel all warm inside... :)

Like the guy said, no system is foolproof and it's down to what risks you're willing to take and how prepared you consider your system is at dealing with any threats. Obviously no matter what you do you'll still be vulnerable. I'll probably keep using my UPnP anyway - breaks most of the time anyway :(

  • lierobs
  • over 9 years ago

Yeah the alternative is to not use certain apps or to have holes permanently open. Tbh I'm not sure that UPnP is that big an issue if you have a firewall on each machine, keep your AV defense up to date and run as a limited user.

The fact that any application can do something naughty to your firewall is overlooking the harm that kind of application can do on the PC it runs on.

  • AndrueC
  • over 9 years ago

...and other machines on the network. You don't need UPnP to wreak havoc on a local network. Once you've downloaded bad software all bets are off anyway.

All that a UPnP attack does is make machines vulnerable to port-based overrun attacks from outside. If you've already downloaded the bad software it's too late.

UPnP is an issue..but not (IMO) such that it should be banned and dropped automatically.

  • AndrueC
  • over 9 years ago

Most home users won't be running many applications that listen to ports. The biggest problems are changing the router DNS, forwarding ports to external addresses, and hijacking the router admin account.

Browsers, email and RSS apps shouldn't generally require access to the local network, so blocking this via an application-layer firewall can help reduce the danger.

  • Jerusahat
  • over 9 years ago

@Jer:I'm not so sure about that. Windows Live Messenger uses half a dozen (at least) ports. P2P uses one. I'm not sure that the majority are listening but I think it's fair to say that a significant number of people are.

I still think UPnP is a secondary attack vector. Once you're in the position to attack a router you can already do most of what you might want.

Bouncing packets off the router by redirecting is about the only real plus of UPnP and I don't know how many routers can actually do that.

  • AndrueC
  • over 9 years ago

"...has issued a warning about how Flash on any operating system that supports a reasonably recent version.."
So an up to date Flash version is not vulnerable to this???

  • JDPower
  • over 9 years ago

I have a Belkin Wireless router which ships with UPnP disabled, Skype and Windows Live Messenger work with no problems. I've used this router for 4 years and have never experienced any problems with UPnP. It has to be stressed that the vulnerability lies within the router settings not Flash or whatever browser you use.

  • Pixie7
  • over 9 years ago

The most potentially serious problem mentioned here is the ability for router DNS settings to be changed by UPnP. However, I have verified that my router (Netgear DG834) will not allow DNS settings to be altered by UPnP, and I would hazard a guess that most do not. I've written more about this in the comments section at http://www.gnucitizen.org/blog/hacking-the-interwebs

  • oliver341
  • over 9 years ago
