Upnp security

One of my sons-in-law asked me yesterday whether he ought to disable upnp on his router. I asked him why, and he said he’d been told upnp wasn’t secure and he’d seen a recommendation to turn it off.

First I’d known of this, and my immediate reply was to ask him how he thought he’d be able to play back the music on his NAS via his NDX.

I believe that you can disable upnp, but then have to manually forward the link to other devices if you want to do things like that.

Any thoughts, or do I just dissuade him from doing it?

UPnP like almost anything else related to or connected to the Public Internet has had its fair share of vulnerabilities in the past.
Its main purpose is to allow for discovery of services between hosts on your LAN with your Router acting as the mediator, and to connect devices together without needing to know networking specifics or to set up static rules or port forwarding.
If you have a recent router/modem with up to date firmware on it, it’s unlikely to create many issues. If you did find yourself having issues that were exploiting UPnP on your LAN then UPnP would be the least of your worries at that point!
If you are comfortable with configuring your network devices and essentially doing manually what UPnP is doing for you automatically, you can turn it off easily enough and things will all still work after some basic configuration changes.
By default now most ISP provided routers (UK at least) disable it, so you have to make an end user choice to want it and use it out of the box anyway.

Well, we recently had an ‘upgrade’ of router to BT SmartHub 2. Naim app/NDS/NAS working OK (after the recent hiccup which I fixed by rebooting the router and NAS), so I don’t have any problem. I think I’ll just tell him to leave it all alone.

The only reason I asked, is that when I use the Naim App on the iPad, I usually go to the UPNP bit and select Asset there. Perhaps UPNP is not disabled on my router or the BT engineer enabled it when he set it up? I’ve no intention of messing with it, as it’s working fine ATM.

You have modern and up to date hardware, and importantly, your BT SmartHub is managed centrally and remotely by BT anyway using TR-069 so if there is a need to update or upgrade the firmware on it, that’ll happen whilst you’re asleep in bed anyway.
The vulnerability that he refers to is probably an old one from some years back whereby someone with some basic know-how could compromise your router remotely and then open up ports to allow for remote access in from the outside world. That was patched and fixed so unless you have a really old router running firmware before those fixes did the rounds, you’re unlikely to need to worry about any compromises.
Your equipment will be safe to use and up to date as best it can be but of course no system is 100% secure, patched or not so the usual common sense and “don’t click that weird looking link” rules apply.

Asset is the name of the UPnP media server, that’s probably running on your NAS (Qnap/Synology etc) and disabled on your BT Router.
Asset will then act as both the UPnP server and the file server, as it is in the same NAS hardware.

You can also refer your Son-In-Law to the Common Vulnerabilities and Exposures database which is a searchable reference on researched and published vulnerabilities.

I did a search string on UPnP which is linked below as an example:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=UPnP

Please note, that usually “UPnP on the router” refers to the router (!) being configurable via UPnP.
It usually does not refer to other devices speaking UPnP on the (local) network being connected to the router - they don’t need the router to help with this.

The “UPnP on the router” usually is not “protected”. So any software on any device on your local network can tell the router to “do stuff”. One typical function is to open up port-forwarding.
This is intended for e.g. streaming services (including games), media services, or data transfer services to better work between the inside and outside of your home network / internet. (Due to the NAT usually being performed on the router.)
The same function can be used by any virus/trojan/whatnot to open up ports for “incoming” traffic.
I agree, most software these days can work without (through NAT hole punching, transfer through HTTP, …) - but I always switch this function off on my routers.

Thanks. That makes it clear. I’ll pass this information on to him and persuade him not to worry. And to everybody else, thank you for your input.

It’s right to be cautious and to check things which you feel could be a compromise or threat to your equipment and data.
It’s always good policy to regularly check and update devices and software, which includes things like NAS drives which can and often do have more things running on them than you’d expect, or at least be able to run them if you choose to or need to.
If you have an “Auto Update” setting on a device that’s helpful of course as then it will check by itself and update if needed.
A NAS is usually just a basic embedded computer running a version of Linux or BSD.

Sounds about right. Now if I could just persuade SWMBO to be more careful about web-surfing. I sneak down early about every 2 weeks and remove all the adware etc she has managed to install. I’ve tried to persuade her to ask me before installing ‘suggested software’, but it’s like talking to a brick wall.

Of course, all this is going on while attached to the same router as I use (well, why would I have 2)

Get an iPad and use that for the surfing stuff!
You can also run a separate OS in a virtual machine host application like Virtualbox (it’s just an app you run on a Mac or Windows PC) and use it just for web stuff. Set it up, create a backup, then worst case scenario just bin the goofed up one and start again with a fresh one 🙂

https://www.virtualbox.org/

If you get a quiet afternoon and fancy a dabble.

I tried to persuade her to have an iPad when she wanted a new laptop 2 years ago, but she went into Currys/PCWorld and came out with a Macbook Pro! Total overkill, but she likes it, (sigh)

Is there an emoji for “sigh”?

It may already be too late…

As I understand it, UPnP is a protocol that’s been around for some time in more applications than you can throw a stick at that enables a data stream between items such as NAS, renderer & control point. I don’t see what is a security concern.

Mike, I asked this question to reassure my daughter’s husband. I have NO problem with upnp.


You do not need to enable UPnP on your router in order to use a UPnP server on your network. As has been said, the advice is to disable it and doing so will not affect your UPnP servers or clients.

The UPnP feature on the router enables clients on the network to “easily” set up port mapping rules through the router without manual intervention that allow external IP addresses on the Internet to connect to your network. The issue with the UPnP protocol is there is no authentication so it can easily be exploited by malware to open ports to malware sites.
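The two posts above both make the same point: the router’s IGD service takes port-mapping requests from any LAN host with no credentials. An added example (my own code, not from this thread or any vendor) of the read-only audit a defender would run against it: walk the router’s port-mapping table through GetGenericPortMappingEntry replies and flag entries the owner did not create. The SOAP replies are constructed samples so the script runs offline; a live check would POST the same action to the router’s WANIPConnection control URL, and the `fetch` callback is an assumed hook for that.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalClient", "NewInternalPort",
          "NewPortMappingDescription", "NewEnabled")

def parse_port_mapping(xml_text: str) -> Optional[Dict[str, str]]:
    """One GetGenericPortMappingEntry reply -> its New* fields; None on a SOAP fault
    (error 713 SpecifiedArrayIndexInvalid means the end of the table)."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    resp = body.find(f"{{{IGD_NS}}}GetGenericPortMappingEntryResponse")
    return None if resp is None else {f: (resp.findtext(f) or "").strip() for f in FIELDS}

def list_port_mappings(fetch: Callable[[int], str]) -> List[Dict[str, str]]:
    """Walk the table by index until the router faults; fetch(i) is the raw reply for
    index i (a live audit POSTs the action to the IGD control URL, no credentials)."""
    mappings, index = [], 0
    while (entry := parse_port_mapping(fetch(index))) is not None:
        mappings.append(entry)
        index += 1
    return mappings

def unexpected_mappings(mappings, allowed):
    """Mappings not on the owner's allow-list of (client, internal port, protocol)."""
    return [m for m in mappings if (m["NewInternalClient"], int(m["NewInternalPort"]),
                                    m["NewProtocol"]) not in allowed]

def _entry(ext, proto, client, port, desc):  # builds one constructed reply
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_NS}">'
            f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{port}</NewInternalPort><NewInternalClient>{client}'
            f'</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>'
            f'{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

FAULT_713 = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
             '<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:'
             'control-1-0"><errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>')

# Constructed sample table: one mapping the owner created, one nobody recognises.
SAMPLE = [_entry(32400, "TCP", "192.168.1.20", 32400, "Plex Media Server"),
          _entry(5555, "TCP", "192.168.1.37", 5555, ""), FAULT_713]
ALLOWED = {("192.168.1.20", 32400, "TCP")}

def audit_sample() -> List[Dict[str, str]]:
    found = list_port_mappings(lambda i: SAMPLE[min(i, len(SAMPLE) - 1)])
    return unexpected_mappings(found, ALLOWED)
```

If the router answers this at all from the LAN, that is the unauthenticated control the posts above describe; if it also answers from the WAN, that is what the ShieldsUp probe mentioned later in the thread is looking for.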

It’s probably fair to say that @Dungassin is satisfied the purpose of his post has been addressed and a suitable conclusion reached.
As previously specified, the distinction to make regarding UPnP is where the Server is located and operational. This can be your router but more likely is on another device that sits on your private network behind that router such as a NAS or PC enabled for File Sharing.
It will typically be disabled by default on the router, which is where historically the vulnerabilities occurred. Running a UPnP server on a NAS or PC is not likely to cause any issues unless there is a specific vulnerability associated either with the UPnP Server application on the NAS/PC or elsewhere on the NAS/PC, at which point this is another problem entirely, and any device connected to the Internet can and may be subject to a vulnerability either existing or yet to be discovered.
General good practice is to leave it disabled on the router and where used as an application on a NAS or PC, like any other software, check and update it regularly or allow it to do so automatically to ensure you have the latest stability and security patches for the applications and device operating systems you are using.
Other obvious things to do might include ensuring you only connect to Internet websites using HTTPS. I use a Chrome Extension called HTTPS Everywhere for example, which enforces end to end encryption when you’re browsing the web and warns you if you go to a site that isn’t well maintained or potentially compromised and defaults your connection to an unencrypted HTTP page, which is sending data in the clear and is a potential point of intrusion or means by which your browser can be compromised and arbitrary code executed, usually by means of a Javascript or file download/execution in the background.
As your web browser is your main interface to the rest of the Web, be that good, bad and occasionally ugly, it’s important to keep it regularly updated and where possible to use additional layers of protection to act as a checkpoint to stop bad code getting in and importantly from running and doing anything you wouldn’t want it to.
UPnP applications like Asset or Minim are well maintained and regularly updated to minimise the risk of any threats in the wild as are the OS’s running on the more common NAS’s used from Qnap or Synology in particular.
Keep them up to date and where possible remove any remote access or remote administration features to avoid any possible points of compromise.
You should now be able to enjoy some music and relax finally, Friday after all…

Hi Dun,

Go to:
https://www.grc.com

He offers a ShieldsUp service that will test your firewall, which in your case is probably your router.

This probes all the ports and tells you if any can be ‘seen’ from the internet. He now has a specific test for upnp as well.

This will tell you whether things are well configured.

M

I ran the UPnP test & it tested the BT Hub IP Address & reported back …
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES
(That’s good news!)