Friday, January 12, 2007

UPnP & your Router

Recently I've come across what some would consider anomalies with their routers and UPnP support. Since I've spent the last 2 years working with UPnP routers, I figure I'd try to shed some light on the subject.

So you just bought a router, and it says it supports UPnP. First you want to know what UPnP is and why you should care.

UPnP stands for Universal Plug and Play. It is a family of LAN protocols (multicast discovery over SSDP, control through SOAP calls over HTTP) that lets devices find and configure each other with no manual setup. The name is used across many different kinds of devices, all of which are supposed to "just work".

So why is UPnP a good thing?
UPnP's primary purpose is to make things "just work". You'll find UPnP on many low-end routers (think less than $150 USD). Many of these routers end up in homes, protecting one or two PCs from the Internet while handing out LAN addresses automatically via DHCP. The arrival of the home router greatly simplified home networking, but it made it much harder to "play" on the Internet: many services need to talk across the router, and for that, ports must be opened and forwarded to the right PC. Since most people are more interested in IM chat, IM video, email and voice than in how any of it works, they don't want to do that by hand.

Every UPnP router implements the Internet Gateway Device (IGD) profile, whose AddPortMapping and DeletePortMapping actions let a program on the LAN open a port on the router and close it again when it is done. For example, I bet you didn't know that your favourite IM client was poking holes in your firewall so it could talk to your friend's PC. There are other, optional components of UPnP that allow additional configuration methods, but because they're optional your router manufacturer is probably not going to implement them: they cost money, and that money is only recovered by raising the price of the router. To keep prices low, no one implements the optional components, so when you see UPnP on your router, know that what it's doing for you is opening and closing ports dynamically.

So why is UPnP questionable?
UPnP was designed before 2001, and hence before the security pushes that reshaped the industry in the years that followed. UPnP's goal is to make things "just work", remember; security was never a goal of UPnP. There is no authentication anywhere in the protocol: the router accepts a port-mapping request from any host on the LAN, and the request carries nothing that identifies who is asking. Picture this. You just finished writing a web page on your network and want to share it with a friend, so you make a UPnP call to open port 80 and point it at your system. But your roommate wrote a different web page to share with a different friend. If your roommate asks last, he gets the port directed to his machine, and your friend is confused. With UPnP, anyone on the LAN can make a programmatic request, without authenticating, to your router to change your mapping.

This isn't such a big deal in a home, because typically there are no malicious users and not many PCs. The assumption UPnP makes is that every host on the LAN is trusted: a request from a program running on one of those PCs looks exactly like a request from you, so the scheme is only as sound as the machines behind the router. It could be a problem in a business.

So what is Microsoft doing? We're investing in Web Services on Devices (WSD). WSD is similar to UPnP, except that it provides for authenticating the party asking the device to do something, so a router can refuse requests from anyone it doesn't recognize. Unfortunately you'll have to wait another year or so for WSD router devices to hit the market.

What other gotchas should you pay attention to with UPnP?
Since the UPnP specification defines the control actions a router must answer, not how the router's own administrative interface presents them, every manufacturer's implementation is slightly different. For example:

  • Some routers keep the port mappings created over UPnP in a table separate from the port-forwarding rules shown in the web interface. So you can look at the firewall page, see nothing open, and feel secure while UPnP mappings are forwarding traffic to machines behind the router. The only dependable check is to ask the router over UPnP itself, walking its mapping table with GetGenericPortMappingEntry.

  • Some routers can only hold up to 10 port mappings (it's a memory limit), so once ten are in place the next request is refused until an existing mapping is removed, and the application that asked gets an error instead of a mapping.
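To make the mechanics concrete, here is an added example (not code from the original post) of a client doing what an IM program does behind your back: it finds the router with an SSDP M-SEARCH, fetches the device description to locate the WANIPConnection control URL, sends an unauthenticated AddPortMapping (the same call a roommate would make to take port 80 away from you), and walks the router's mapping table with GetGenericPortMappingEntry, which is the check to run against a router whose web interface keeps UPnP mappings out of sight. The action and argument names come from the UPnP IGD:1 specification; the sample description XML is constructed, and the router address, timeouts and mapping description are assumptions.

```python
"""UPnP IGD client doing what an IM client does behind your back: SSDP discovery, an
unauthenticated AddPortMapping, and a walk of the router's port-mapping table.
Added example, not the original post's code; action names follow the IGD:1 spec."""
import socket, urllib.error, urllib.request, xml.etree.ElementTree as ET
from urllib.parse import urljoin

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
SSDP = ("239.255.255.250", 1900)           # SSDP multicast group and port
DEV = "{urn:schemas-upnp-org:device-1-0}"  # device-description XML namespace
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def parse_ssdp_response(data):
    """Headers of an SSDP reply as an upper-cased dict (LOCATION, ST, USN, ...)."""
    pairs = (ln.split(":", 1) for ln in data.decode(errors="replace").split("\r\n")[1:] if ":" in ln)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def discover(timeout=3):
    """Multicast an M-SEARCH (HTTP over UDP, no credentials); return the IGD's LOCATION URL."""
    msg = (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP[0]}:{SSDP[1]}\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP)
        try:
            return parse_ssdp_response(s.recvfrom(4096)[0]).get("LOCATION")
        except socket.timeout:
            return None

def find_wan_service(description_xml, location):
    """(serviceType, absolute controlURL) of the WAN(IP|PPP)Connection service."""
    root = ET.fromstring(description_xml)
    base = (root.findtext(f"{DEV}URLBase") or "").strip() or location  # controlURL may be relative
    for svc in root.iter(f"{DEV}service"):
        stype = svc.findtext(f"{DEV}serviceType", "")
        if "WANIPConnection" in stype or "WANPPPConnection" in stype:
            return stype, urljoin(base, svc.findtext(f"{DEV}controlURL", ""))
    raise LookupError("no WAN connection service in device description")

def soap_request(service_type, action, args):
    """(headers, body) of a UPnP control request; the quotes in SOAPAction are required."""
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP}" s:encodingStyle='
            f'"http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:{action} xmlns:u="{service_type}">'
            + "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
            + f"</u:{action}></s:Body></s:Envelope>").encode()
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{service_type}#{action}"'}, body

def call(control_url, service_type, action, args, timeout=5):
    """POST the action; a SOAP fault comes back as HTTP 500 with an XML body."""
    headers, body = soap_request(service_type, action, args)
    req = urllib.request.Request(control_url, data=body, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def parse_response(xml_bytes, action):
    """Out-arguments of <u:{action}Response> as a dict, or None if the body is a fault."""
    for el in ET.fromstring(xml_bytes).find(f"{{{SOAP}}}Body"):
        if el.tag.endswith(f"}}{action}Response"):
            return {c.tag.split("}")[-1]: (c.text or "") for c in el}
    return None

def fault_code(xml_bytes):
    """UPnP errorCode from a SOAP fault (713 = past end of table, 718 = port conflict)."""
    el = ET.fromstring(xml_bytes).find(".//{urn:schemas-upnp-org:control-1-0}errorCode")
    return int(el.text) if el is not None else None

def add_mapping(control_url, service_type, ext_port, int_host, int_port, proto="TCP", lease=0):
    """AddPortMapping with no credentials; returns (ok, upnp_error_code). IGD:1 says to answer
    718 if the external port already belongs to another client; a router that skips that
    check silently overwrites it, which is the roommate case from the post."""
    status, resp = call(control_url, service_type, "AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": int_host, "NewEnabled": 1,
        "NewPortMappingDescription": "added example", "NewLeaseDuration": lease})
    return status == 200, (None if status == 200 else fault_code(resp))

def list_mappings(control_url, service_type):
    """Walk GetGenericPortMappingEntry until fault 713: what the router really forwards."""
    mappings = []
    while True:
        _, resp = call(control_url, service_type, "GetGenericPortMappingEntry",
                       {"NewPortMappingIndex": len(mappings)})
        entry = parse_response(resp, "GetGenericPortMappingEntry")
        if entry is None:
            return mappings
        mappings.append(entry)

# Constructed device description, in the shape a real IGD serves at its LOCATION URL.
SAMPLE_DESCRIPTION = b"""<root xmlns="urn:schemas-upnp-org:device-1-0"><URLBase>http://192.168.1.1:5000/</URLBase>
<device><deviceList><device><deviceList><device><serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType><controlURL>/ctl/IPConn</controlURL>
</service></serviceList></device></deviceList></device></deviceList></device></root>"""

if __name__ == "__main__" and (location := discover()) is not None:  # needs a UPnP router on the LAN
    with urllib.request.urlopen(location, timeout=5) as r:
        stype, ctl = find_wan_service(r.read(), location)
    for m in list_mappings(ctl, stype):
        print(m["NewProtocol"], m["NewExternalPort"], "->", m["NewInternalClient"], m["NewInternalPort"])
```

Run it on a LAN with a UPnP router to print everything currently forwarded, whether or not the router's web interface admits to it; SAMPLE_DESCRIPTION exercises the description parser without a router. Note that nothing in the exchange carries credentials: any process on any host on the LAN can issue exactly these requests, and an add_mapping that returns ok instead of fault 718 for a port someone else already mapped tells you the router is one of those that lets the last asker win.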

So, don't be afraid of UPnP. Used correctly on a secure network, there is really no harm in enabling it; in fact, it's quite convenient. :)

Oh, and by secure, I mean WPA-PSK, not WEP. ;o) A strong wireless key is what keeps outsiders off your LAN, and that matters more than usual here, because UPnP trusts every host that is on it.


Sean Daniel said...

... and I cannot comment on which router vendors do what.

Hilton Travis said...

Hi Sean,

I cannot see how anyone can recommend UPnP as anything but a major security vulnerability waiting to be exploited.

With its current implementation, anything that requests a port be opened will have that port opened.

That includes trojans, viruses and spyware, as well as rootkits and anything else that requests it.

This is simply unacceptable for use on the Internet today - at home or in a business environment.

UPnP is the antithesis of network security.

Sean Daniel said...


The downside is people still use it.

Anonymous said...

I would prefer to have UPnP up and running than keeping ports wide open even if an application or service isn't using them.