
To prevent hacking, disable Universal Plug and Play now - llambda
http://arstechnica.com/security/2013/01/to-prevent-hacking-disable-universal-plug-and-play-now/
======
mstromb
"Rapid7 strongly recommends disabling UPnP on all external-facing systems,"
reads a little differently than "disable UPnP now"

Don't expose services to the internet that you're not willing to make public.
Duh? What I got from this article is that some devices that people connect to
the internet are configured poorly, probably came out of the box like that,
and that maybe I should go double check that my router isn't misbehaving. Note
that they have lists of vulnerable devices at the end of the paper, which I'll
link here.

libupnp:
[https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dFd...](https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dFdOWXdKRUVaUTdRYndnbW5zajRyTmc#gid=0)

miniupnp:
[https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dDh...](https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dDhwelZDQlYyQVJhbWRtUEIwVEVyRFE)

soapapi:
[https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dGx...](https://docs.google.com/spreadsheet/ccc?key=0ApUaRDtAei07dGxkSHN1cEN3V2pmYW4yNkpZMlQ0Rmc)

The discussion of libupnp is kind of terrifying on its own: "There are no less
than seven unique buffer overflows in version 1.3.1 of this code." Which
sounds pretty bad until you notice that by "this code" they're referring to a
single function.

The paper itself is much better than the Ars article, by the way.

~~~
eropple
> _"Rapid7 strongly recommends disabling UPnP on all external-facing systems,"
> reads a little differently than "disable UPnP now"_

Ars Technica has been on a lowest-common-denominator kick as of late. Titles
like this get more pageviews.

~~~
Camillo
If the smart audience weren't so hell-bent on using Adblock, maybe Ars
wouldn't have to go after the dumb one for page views.

~~~
SCdF
I don't think it's that.

They've been fairly vocal in forums and random discussions about how page
views are what's most important to them (when people complained about the site
redesign the answer was invariably "page views are going up so it must be
working").

So I think that's the direction they're heading in. Changing the format of the
slug to be shorter and snappier improves page views. Following Kim Dotcom
stories, holding reverence for anonymous and being pro-piracy gets them page
views.

I do wish them all the best, and they are a business, but I do wish they were
more interested in pleasing their '10,000 fans' deeply instead of everyone
shallowly, since it's so hard to find that kind of thing these days.

(disclaimer, I used to pay money for Ars until the site design. Now I check it
every day but read about a 10th of the articles I used to. Sad times.)

~~~
vy8vWJlco
_"Following Kim Dotcom stories, holding reverence for anonymous and being pro-piracy gets them page views."_

A difference of opinion isn't always pandering. (I find those stories pretty
interesting actually, and I've been reading them for a long time too.)

------
bensummers
On the plus side, we've now got another method for doing NAT traversal. :-)

------
jiggy2011
Anyone know if dd-wrt is vulnerable to this?

I would happily disable UPnP but it would break a ton of stuff including
online games etc.

~~~
vy8vWJlco
As of 2 years ago it was, so yours might be depending on the version, and the
ticket doesn't look like it went anywhere so it might still be open:

<http://svn.dd-wrt.com/ticket/1909>

If you're concerned and can't merely disable the service, you should scan it
from another system with something like Nessus.

Edit: UPnP uses UDP port 1900 and TCP port 2869, so you should be able to add
something like the following (untested; assumes WAN interface = vlan1) to the
startup script (Administration>Commands), at least for IPv4 (and unless they
clobber additional rules somehow during the course of normal operation):

iptables -I INPUT 1 -i vlan1 -p tcp --dport 2869 -j DROP

iptables -I INPUT 1 -i vlan1 -p udp --dport 1900 -j DROP
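A small self-check that goes with the two suggestions above (scan the router from another system, and verify that the DROP rules actually took effect). This is an added example, not code from the thread, the Rapid7 paper or any project mentioned here. It sends one unicast SSDP M-SEARCH to a host you name on UDP 1900 (the port quoted above) and parses whatever comes back; run it from outside your LAN against the router's WAN address, and the healthy result is a timeout. The banner patterns used to name the UPnP stack are assumptions about common SERVER strings, and the sample reply embedded at the bottom is constructed so the parser can be exercised offline.

```python
"""Unicast SSDP probe: does a host answer UPnP discovery on UDP 1900?

Added example (not from the thread or the Rapid7 paper). Aim it at a router
you operate, from the WAN side. No reply within the timeout is the good case.
"""
import re
import socket
from typing import Optional

SSDP_PORT = 1900  # UDP discovery port quoted in the thread

# Assumed SERVER-header banners for common UPnP stacks (not from the page).
_STACK_PATTERNS = [
    (re.compile(r"Portable SDK for UPnP devices/([\w.]+)", re.I), "libupnp"),
    (re.compile(r"Intel SDK for UPnP devices/([\w.]+)", re.I), "libupnp (Intel SDK)"),
    (re.compile(r"MiniUPnPd/([\w.]+)", re.I), "miniupnp"),
]


def build_msearch(host: str, search_target: str = "upnp:rootdevice") -> bytes:
    """Build a unicast M-SEARCH request (HTTP-over-UDP framing, CRLF lines)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        "MX: 2",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[dict]:
    """Parse an SSDP reply into a dict of lower-cased header names.

    Returns None unless the payload starts with an HTTP/1.1 200 status line.
    """
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    head, _, _ = text.partition("\n\n")
    lines = head.split("\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def identify_stack(server_header: str):
    """Map a SERVER banner to (stack name, version); ('unknown', '') if no match."""
    for pattern, name in _STACK_PATTERNS:
        match = pattern.search(server_header)
        if match:
            return name, match.group(1)
    return "unknown", ""


def assess(headers: dict) -> dict:
    """Summarise a parsed reply. Any reply at all on the WAN side means exposure;
    the stack/version is what you compare against the Rapid7 device lists."""
    server = headers.get("server", "")
    stack, version = identify_stack(server)
    return {
        "exposed": True,
        "stack": stack,
        "version": version,
        "server": server,
        "location": headers.get("location", ""),
    }


def probe(host: str, timeout: float = 3.0) -> Optional[dict]:
    """Send one M-SEARCH to host:1900; return an assessment, or None on no reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_msearch(host), (host, SSDP_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    headers = parse_ssdp_response(data)
    return assess(headers) if headers else None


# Constructed sample reply (not captured from a real device); the version
# string reuses the libupnp 1.3.1 figure quoted in the thread.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/1.3.1\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])
        print("no SSDP reply within timeout (good)" if result is None else result)
    else:
        print(assess(parse_ssdp_response(SAMPLE_REPLY)))
```

Run it with no arguments to see the parser on the constructed reply, or with your router's WAN address as the only argument. Running it once before and once after adding the iptables rules above shows whether the UDP 1900 rule is doing its job; it says nothing about TCP 2869, which the second rule covers.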

------
meaty
Don't disable it. Just learn about it and use it appropriately, i.e. hit yourself
with the clue stick.

------
vy8vWJlco
Dan Kaminsky at 28C3, on UPNP (5min):

[http://www.youtube.com/watch?v=BE-JB078Ax4&list=PL2AD825...](http://www.youtube.com/watch?v=BE-JB078Ax4&list=PL2AD82574E471408A&index=5&t=0h24m38s)

------
zyb09
Any more info on this? Like what's the scope of the vulnerability and what
routers are affected. Don't really want to turn off UPnP, would be a pain.

~~~
colonelxc
[https://community.rapid7.com/community/infosec/blog/2013/01/...](https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play)

------
Nursie
I was always suspicious of UPnP on routers anyway - why allow a compromised
device on the inside to just open up whatever ports it feels like?

~~~
Hello71
Because if you allow anything outbound and anything inside the LAN then you're
screwed anyways (reverse TCP console).

------
kbar13
in windows 7:

meta key (windows key) + r to open the run dialogue

type in `services.msc`

find "UPnP Device Host"

right click the entry

click "stop"

use the Startup type dropdown menu to select "Disabled"

apply

~~~
jiggy2011
You should disable it on your router, not your desktop (unless you are using
a Win 7 computer as your router for some weird reason).

------
goggles99
LOL I remember when Steve Gibson (grc.com) was preaching this same message....
That was 10 years ago (must be a slow news day at ars)