Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Universal Plug and Play
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Problems== ===Authentication=== The UPnP protocol, by default, does not implement any [[authentication]], so UPnP device implementations must implement the additional ''Device Protection'' service,<ref>{{cite web |title=Device Protection V 1.0 |url=http://upnp.org/specs/gw/deviceprotection1/ |publisher=[[UPnP Forum]] |access-date=11 September 2014 |archive-date=17 October 2014 |archive-url=https://web.archive.org/web/20141017100420/http://upnp.org/specs/gw/deviceprotection1/ |url-status=dead }}</ref> or implement the ''Device Security Service''.<ref>{{cite web |title=Device Security and Security Console V 1.0 |url=http://upnp.org/specs/sec/security/ |publisher=[[UPnP Forum]] |access-date=11 September 2014 |archive-date=31 August 2014 |archive-url=https://web.archive.org/web/20140831071004/http://upnp.org/specs/sec/security/ |url-status=dead }}</ref> There also exists a non-standard solution called UPnP-UP (Universal Plug and Play - User Profile)<ref>{{cite web | title=UPnP-UP - Universal Plug and Play - User Profile | url=http://www.upnp-up.org/ | access-date=1 January 2012 | archive-date=10 December 2013 | archive-url=https://web.archive.org/web/20131210040433/http://www.upnp-up.org/ | url-status=dead }}</ref><ref>{{cite journal |last1=Sales |first1=Thiago |last2=Sales |first2=Leandro |first3=Hyggo |last3=Almeida |first4=Angelo |last4=Perkusich |date=November 2010 |title=A UPnP extension for enabling user authentication and authorization in pervasive systems |journal=Journal of the Brazilian Computer Society |volume=16 |issue=4 |pages=261β277 |doi= 10.1007/s13173-010-0022-2|doi-access=free }}</ref> which proposes an extension to allow user authentication and authorization mechanisms for UPnP devices and applications. Many UPnP device implementations lack authentication mechanisms, and by default assume local systems and their users are completely trustworthy.<ref>{{cite web | title= Shorewall and UPnP | url=http://www.shorewall.net/UPnP.html | access-date= 11 September 2014 |date=4 June 2014 |first=Thomas M. |last=Eastep}}</ref><ref>{{cite web | title= Linux UPnP Internet Gateway Device - Documentation - Security | url=http://linux-igd.sourceforge.net/documentation.php#SECURITY | access-date= 11 September 2014 }}</ref> When the authentication mechanisms are not implemented, [[router (computing)|router]]s and [[firewall (computing)|firewall]]s running the UPnP IGD protocol are vulnerable to attack. For example, [[Adobe Flash]] programs running outside the sandbox of the browser (e.g. this requires specific version of Adobe Flash with acknowledged security issues) are capable of generating a specific type of [[HTTP]] request which allows a router implementing the UPnP IGD protocol to be controlled by a malicious web site when someone with a UPnP-enabled router simply visits that web site.<ref>{{cite web | title=Hacking The Interwebs |url=http://www.gnucitizen.org/blog/hacking-the-interwebs |date=12 January 2008 |access-date=11 September 2014}}</ref> This only applies to the [[#NAT traversal|"firewall-hole-punching"-feature of UPnP]]; it does not apply when the router/firewall does not support UPnP IGD or has been disabled on the router. Also, not all routers can have such things as DNS server settings altered by UPnP because much of the specification (including LAN Host Configuration) is optional for UPnP enabled routers.<ref name="igd-v1.0-v2.0" /> As a result, some UPnP devices ship with UPnP turned off by default as a security measure. ===Access from the Internet=== In 2011, researcher Daniel Garcia developed a tool designed to exploit a flaw in some UPnP IGD device stacks that allow UPnP requests from the Internet.<ref>{{cite web | title=UPnP Mapping | url=https://www.defcon.org/images/defcon-19/dc-19-presentations/Garcia/DEFCON-19-Garcia-UPnP-Mapping.pdf |first=Daniel |last=Garcia |access-date=11 September 2014}}</ref><ref>{{cite web | title=US-CERT Vulnerability Note VU#357851 | url=http://www.kb.cert.org/vuls/id/357851 |date=30 November 2012 |access-date=11 September 2014 |publisher=[[CERT Coordination Center|CERT/CC]]}}</ref> The tool was made public at DEFCON 19 and allows portmapping requests to external IP addresses from the device and internal IP addresses behind the NAT. The problem is widely propagated around the world, with scans showing millions of vulnerable devices at a time.<ref>{{cite web |url=http://www.h-online.com/security/news/item/Millions-of-devices-vulnerable-via-UPnP-1794032.html |title=Millions of devices vulnerable via UPnP - Update |date=30 January 2013 |access-date=11 September 2014 |publisher=The H }}</ref> In January 2013, the security company Rapid7 in Boston reported<ref>{{cite web | title=Whitepaper: Security Flaws in Universal Plug and Play: Unplug, Don't Play. |url=https://community.rapid7.com/docs/DOC-2150 | access-date= 11 September 2014 |date=29 January 2013 |first=H. D. |last=Moore}}</ref> on a six-month research programme. A team scanned for signals from UPnP-enabled devices announcing their availability for internet connection. Some 6900 network-aware products from 1500 companies at 81 million IP-addresses responded to their requests. 80% of the devices are home routers; others include printers, webcams and surveillance cameras. Using the UPnP-protocol, many of those devices can be accessed and/or manipulated. In February 2013, the UPnP forum responded in a press release<ref>{{cite web | title=UPnP Forum Responds to Recently Identified LibUPnP/MiniUPnP Security Flaw. |url=http://upnp.org/news/documents/UPnPForum_IGDSecurity_PressRelease_Feb2013.pdf| access-date= 11 September 2014 |date=8 February 2013 |publisher=[[UPnP Forum]] }}</ref> by recommending more recent versions of the used UPnP stacks, and by improving the certification program to include checks to avoid further such issues. === IGMP snooping and reliability === UPnP is often the only significant multicast application in use in digital home networks; therefore, multicast network misconfiguration or other deficiencies can appear as UPnP issues rather than underlying network issues. If [[IGMP snooping]] is enabled on a switch, or more commonly a wireless router/switch, it will interfere with UPnP/DLNA device discovery (SSDP) if incorrectly or incompletely configured (e.g. without an active querier or IGMP proxy), making UPnP appear unreliable. Typical scenarios observed include a server or client (e.g. smart TV) appearing after power on, and then disappearing after a few minutes (often 30 by default configuration) due to IGMP group membership expiring. ===Callback vulnerability=== On 8 June 2020, yet another protocol design flaw was announced.<ref>{{Cite web|url=https://kb.cert.org/vuls/id/339275|title = CERT/CC Vulnerability Note VU#339275}}</ref> Dubbed "CallStranger"<ref>{{Cite web |url=https://callstranger.com/ |title=CallStranger CVE-2020-12695 |access-date=14 June 2020 |archive-date=16 June 2020 |archive-url=https://web.archive.org/web/20200616122554/https://callstranger.com/ |url-status=dead }}</ref> by its discoverer, it allows an attacker to subvert the event subscription mechanism and execute a variety of attacks: amplification of requests for use in DDoS; enumeration; and data exfiltration. OCF had published a fix to the protocol specification in April 2020,<ref>{{Cite web|url=https://openconnectivity.org/developer/specifications/upnp-resources/upnp/#architectural|title = OCF - UPnP Standards & Architecture}}</ref> but since many devices running UPnP are not easily upgradable, CallStranger is likely to remain a threat for a long time to come.<ref>{{Cite web|url=https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of|title = CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices at Risk|date = 8 June 2020}}</ref> CallStranger has fueled calls for end-users to abandon UPnP because of repeated failures in security of its design and implementation.<ref>{{Cite web|title=Disable UPnP on Your Wireless Router Already|url=https://lifehacker.com/disable-upnp-on-your-wireless-router-already-1844012366|access-date=14 June 2020|website=Lifehacker|date=12 June 2020 |language=en-us}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)