Editing Universal Plug and Play (section)

===Authentication===
The UPnP protocol, by default, does not implement any [[authentication]], so UPnP device implementations must implement the additional ''Device Protection'' service,<ref>{{cite web |title=Device Protection V 1.0 |url=http://upnp.org/specs/gw/deviceprotection1/ |publisher=[[UPnP Forum]] |access-date=11 September 2014 |archive-date=17 October 2014 |archive-url=https://web.archive.org/web/20141017100420/http://upnp.org/specs/gw/deviceprotection1/ |url-status=dead }}</ref> or implement the ''Device Security Service''.<ref>{{cite web |title=Device Security and Security Console V 1.0 |url=http://upnp.org/specs/sec/security/ |publisher=[[UPnP Forum]] |access-date=11 September 2014 |archive-date=31 August 2014 |archive-url=https://web.archive.org/web/20140831071004/http://upnp.org/specs/sec/security/ |url-status=dead }}</ref> There also exists a non-standard solution called UPnP-UP (Universal Plug and Play - User Profile)<ref>{{cite web | title=UPnP-UP - Universal Plug and Play - User Profile | url=http://www.upnp-up.org/ | access-date=1 January 2012 | archive-date=10 December 2013 | archive-url=https://web.archive.org/web/20131210040433/http://www.upnp-up.org/ | url-status=dead }}</ref><ref>{{cite journal |last1=Sales |first1=Thiago |last2=Sales |first2=Leandro |first3=Hyggo |last3=Almeida |first4=Angelo |last4=Perkusich |date=November 2010 |title=A UPnP extension for enabling user authentication and authorization in pervasive systems |journal=Journal of the Brazilian Computer Society |volume=16 |issue=4 |pages=261–277 |doi= 10.1007/s13173-010-0022-2|doi-access=free }}</ref> which proposes an extension to allow user authentication and authorization mechanisms for UPnP devices and applications. Many UPnP device implementations lack authentication mechanisms, and by default assume local systems and their users are completely trustworthy.<ref>{{cite web | title= Shorewall and UPnP | url=http://www.shorewall.net/UPnP.html | access-date= 11 September 2014 |date=4 June 2014 |first=Thomas M. |last=Eastep}}</ref><ref>{{cite web | title= Linux UPnP Internet Gateway Device - Documentation - Security | url=http://linux-igd.sourceforge.net/documentation.php#SECURITY | access-date= 11 September 2014 }}</ref>

When the authentication mechanisms are not implemented, [[router (computing)|router]]s and [[firewall (computing)|firewall]]s running the UPnP IGD protocol are vulnerable to attack. For example, [[Adobe Flash]] programs running outside the sandbox of the browser (e.g. this requires specific version of Adobe Flash with acknowledged security issues) are capable of generating a specific type of [[HTTP]] request which allows a router implementing the UPnP IGD protocol to be controlled by a malicious web site when someone with a UPnP-enabled router simply visits that web site.<ref>{{cite web | title=Hacking The Interwebs |url=http://www.gnucitizen.org/blog/hacking-the-interwebs |date=12 January 2008 |access-date=11 September 2014}}</ref> This only applies to the [[#NAT traversal|"firewall-hole-punching"-feature of UPnP]]; it does not apply when the router/firewall does not support UPnP IGD or has been disabled on the router. Also, not all routers can have such things as DNS server settings altered by UPnP because much of the specification (including LAN Host Configuration) is optional for UPnP enabled routers.<ref name="igd-v1.0-v2.0" /> As a result, some UPnP devices ship with UPnP turned off by default as a security measure.