Turn Off UPnP Now!
UPnP exposes your network to attackers. It turns out to be a security threat and leaves the door open for malicious activity. What is UPnP, and how does it cause security problems for your home network? This blog explains all that, so be sure to read through to the end.
Note that while UPnP is turned off by default, it is not disabled when upgrading firmware. This means that if users upgraded from a version older than 5.5, likely for the vast majority of Hikvision cameras older than a few months, UPnP will still be enabled unless users manually disabled it.
Because UPnP automates the port forwarding process and is turned on by default on many routers supplied by ISPs, users may simply not be aware their cameras are port forwarded to the internet and potentially vulnerable to attack (see Hikvision Backdoor Exploit). Further, even those who are aware they are turning port forwarding on may not be aware of what services are running, as not all ports are documented in the camera's web interface.
I always disabled UPnP because everyone said so. Now that I looked into it, it turns out to be silly. When UPnP was new, some devices were found to allow configuration from the Internet. Anyone could open any port on it. Since then, router vendors had plenty of time to fix their software. Security is a much bigger thing now than it was in 2011 (that's about the time when the first iPad was released), so vendors are more aware of security issues. For older routers, if they were vulnerable in the first place, a firmware update has probably been released long ago.
Because NAT is ubiquitous in IPv4, many people started to rely on it for security: because you cannot reach individual hosts inside the network, vulnerabilities cannot be exploited from the outside, and people started turning off security measures inside their LAN. They neglected doing security updates and opened file shares without passwords (because nobody ever takes their laptop outside their LAN, right?), so now you need a firewall that is outside of your laptop, for example in your router. Combine this with the idea that UPnP can open ports, and you get misinformed answers such as the previously top-voted answer.
UPnP has been under fire for over a decade regarding its security vulnerabilities. Both the FBI and the Department of Homeland Security have suggested users disable their UPnP settings to minimize their risks of damage or exposure. A cursory internet search for "UPnP vulnerability" returns heaps of results illustrating the dangers of UPnP.
However, you don't have to rush out and turn it off. A properly configured router, one that is up to date and receives regular firmware updates, shouldn't have any issues with UPnP. Calculating your exposure is yet another part of the problem.
To answer some of these questions, Tenable wrote a simple Python script called upnp_info.py. You can find it on our GitHub. The script finds all UPnP services and enumerates their functionality. Check out the README for full details.
As you can see from the device type, this interface is not one of the standard profiles defined by the Open Interconnect Consortium (formerly the UPnP Forum). The standard profiles start with urn:schemas-upnp-org, but this HomeAutomationGateway profile starts with urn:schemas-micasaverde-com. This is a custom schema defined by MiCasaVerde (the maker of VeraLite).
Home system. Unmanaged client. In a workgroup of 3 PCs (no Macs), with wireless connectivity through the router to smart phones (2) and Android tablets (2) and a Chromecast dongle. Wired printer direct to the router. Just recently, in the last two weeks, I started getting these now-famous "Symantec has been blocked for the following application svchost.exe" warnings every 3-4 minutes. Only appears on one PC. Searched around these forums - many problems similar to mine but not exactly alike. Looked at IPv6 implementation - it's turned off. The first line is a good sample of the logged entry...
Have you turned off UPnP? If not, give it a try. I suspect all of your connected devices will still work and your disappearing modem problem should be solved. Note that 5GHz WiFi and UPnP are separate issues; I still have not heard of a fix for the 5G issue.
My modem received a software update two days ago. So far it seems to have fixed my WiFi issue where it completely goes out. I have not tested turning on UPNP yet. Hopefully that has been addressed in this update too.
After switching to the RV180, I am now seeing an error message in iCloud under Back to my Mac (see attached images). iCloud is now asking me to "Setup my Router for Better Performance", as well as giving me an error message about UPnP being "turned off".
I had my two Emby servers (1 win 7, one unraid) shut down for a couple months while I worked on some other issues with the unraid machine. This past week I restarted Emby (windows 7) and updated it. All is working except the upnp for external access stopped working. I no longer see Emby on the upnp list of port forwarding. I do see the upnp list on the router routinely updating and it picked up a new install of playon, so that appears to be working. I turned off the windows 7 firewall and still no go. It is using the standard Emby ports 8096 and 8920 for internal and external. I do have an external domain and the boxes for https reporting and enable automatic port mapping. I have shut down and restarted Emby, as well as disabled/enabled upnp on the router. Earlier today I also rebooted the router. It is odd as this used to work fine. Plex and playon upnp are still working. I also stopped this server and tried the unraid version with the same results. I'll stick to troubleshooting the windows version for now. Posting the log. Any ideas?
Hi Luke. Thanks for the response. The router is an Actiontec MI424WR Rev I. It came with the Verizon service, now Frontier. I know I can set the port forwarding manually. It's just that upnp used to work on this exact same router with Emby a couple months back. I was hoping somebody might have had a similar experience and might be able to suggest just how to jiggle the handle to get it to work again. Questions: What line(s) in the log show that it's requesting the port mapping? And will Emby do the upnp request each time I untick/tick the "Enable automatic port mapping"?
While the US Computer Emergency Readiness Team (US-CERT) specifically talks about devices that use versions of libupnp, the open-source portable software development kit (SDK) for UPnP, earlier than 1.6.18, UPnP has been, is now, and will always be a security nightmare of a protocol.
Major UPnP problems have been showing up since 2001, and they've never stopped showing up. As Armijn Hemel, owner of UPnPhacks, wrote, "In May 2006 I presented a paper called 'Universal Plug and Play: Dead simple or simply deadly'... In the years following my presentation very little has changed. A lot of routers are still shipped with grave security bugs, including involuntary onion routing, remote root exploits, and complete remote control over firewalls. New exploits are popping up, where bugs in Universal Plug and Play are exploited using a buggy Flash plug-in in a web browser, turning a mostly local attack into something a lot more dangerous. And that is just the beginning."
Once you find your vulnerable hardware, you can see if it has any way of letting you turn UPnP off. To do this, check the vendor's manual and online support for access to UPnP. It's all too possible, especially for consumer black-box devices, that there won't be any way to turn it off.
That done, start checking for firmware updates for your device. The software patch, Portable SDK for UPnP Devices (libupnp 1.6.18), is out, but with the older, holey program in literally hundreds of different kinds of devices, I expect it to take months for the firmware to be updated in all of them. Indeed, I don't expect it to be updated at all in many older models.
@dididj is thinking UPNP can be used instead of manually setting up port forwarding in the router. That would be convenient for people who have UPNP turned on in their router. UPNP has some inherent security risks, so a lot of people do turn it off.
If one disables Cloud Access via the My Cloud Dashboard Settings all one is doing is turning off the remote access capabilities (not FTP though as that is a separate setting) of the unit. One will still have local network access to the device including Dashboard access.
One can try to turn off UPnP via SSH on the My Cloud by issuing the /etc/init.d/upnp_nas stop command. Depending on which My Cloud version you have, you can put that command into a CRON or user-start file to try to stop UPnP on the My Cloud. Use the forum search feature to search for how to stop UPnP, as there is probably some past discussion on it in the discussions on the sleep issue.