Description of the Linksys UPnP issue written for the average user.

[+Warwagon MVC]

Here is a Description of Linksys UPnP issue.

I wrote this up for my Facebook page, but feel free to share it with friends or family. They should be able to understand it because it was written with the average user in mind.

It has recently been discovered that UPnP on Linksys routers is accessible from the internet. But what does that even mean?

First let me tell you what UPnP is, why people use it and why this latest discovery is very bad.

When you put your machines behind a router, you are blocking traffic on the internet from accessing any of those machines. By traffic I don't mean browsing the net. I'm talking about other computers on the net trying to talk to yours. Instead of talking to your computer they talk to your router instead. The router is just a dumb box and ignores the machines trying to talk to it. In most cases, this is great and is the reason why a router makes a great firewall. But sometimes you want traffic to be able to come in through the router and talk to your computer, as is the case with online gaming systems such as the Xbox 360. If the Microsoft Servers and other people on the net can't connect or talk to your Xbox 360, then online gaming doesn't work very well.

So Microsoft developed a technology called UPnP. It comes standard on all routers. It allows devices to communicate directly with the router and automatically configures it to let information in that would normally be blocked.

Here is how it works.

Xbox 360 - Hey Router are you there?

Router - Yep, I'm here, what do you need?

Xbox 360 - I was wondering if you would be so kind as to open Port 88, 3074, 53 and 80, so my Xbox Live Service will work.

Router- Ok all done. All of the ports you asked about are now open and you are good to go.

While this makes it extremely easy for the home user, to get things up and running it can also be used for bad. For instance..

A Virus - Hey Router are you there?

Router - Yep I'm here, what do you need?

A Virus - I was wondering if you would be so kind as to open port 666, so that this ?back-door Trojan virus? I have can be accessed by my creator in Nigeria.

Router - All done! Port 666 is now open and ready to go.

So as you can see, while on one hand it makes things very easy, it's also pretty dangerous.

In the past, UPnP was only configurable from a machine inside the network. It has recently been discovered that Linksys routers are now letting machines on the Internet (the other side of the router) configure UPnP.

So what does that mean?

Bad guy on the internet - Hey Router are you there?

Router - Yep I'm here what do you need?

Bad Guy - I was wondering if you would be so kind as to open the "File and printer sharing port" 139, so that I can access any files or documents the user has shared on that computer.

Router - All done! Port 139 is now open and you should be able to access those files just fine!

Pretty freaky, huh? At this point you are probably thinking "OH SWEET JESUS! How do I turn UPnP off!"

Well that's what I'm about to tell you.

First open up your web browser.

1) In the address bar type in http://192.168.1.1 and press enter (Now this is usually the number to get into a Linksys router. If that number is different that means you changed it and should enter the new number instead).

2) You will be prompted for a username and a password. Use admin for both the username and the password. (Once again those are the defaults. If you changed the password use the new password you created instead.)

Now in step 3 this might differ on different Linksys routers. I'll just tell you where it usually is.

3) Click the "Administration" tab on top.

4) Click the "Disable" option for UPnP.

5) At the bottom click "Save Settings"

You are finished. UPnP is now disabled on your router.

Most people will never miss UPnP. BUT, now that UPnP is disabled, for systems like "Xbox Live" to work, you will have to do something called ?port forwarding.? There is documentation on the internet on how to do it. Just go to http://portforward.com/. Find the model number of your Linksys Router and it will explain how to ?port forward?. On that site DO NOT DOWNLOAD ANY SOFTWARE. Once you click on the router model number click the "Default Guide" and follow its instructions.

[Sikh]

Im glad you posted this because recently ive noticed this when I was setting up some "dumb" stock linksys routers. But, I usually flash all linksys routers with DD WRT(i make sure I get models that can be flashed) and havent noticed as UPNP on DD WRT works like it should.

But recently I noticed this but wasnt sure and thought my mind was playing tricks on me.

Thanks war!

[0sit0]

I'm not sure how it works exactly but there's a "secure" method (Tomato Firmware). This is what it says

(when enabled, UPnP clients are allowed to add mappings only to their IP)

so I'm guessing this would stop outsiders from opening ports.

[Roxkis]

Good Post! Thank you for the info!:laugh:

[ozgeek]

warwagon, you need to understand why linksys did what they did. Perhaps making their routers more accessible to an increasing number of internet-enabled devices, not just computers, not just xbox360. If you tell people to disable things like this, it might only cause more problems than it might solve down the road, for example when they buy a internet enabled TV? What happens if the TV can't connect? Might think a broken TV and take it back and the cycle repeats. Or trying to do file sharing on a newly bought laptop or second comptuer through windows file sharing?

I would recommend you be careful as if you change settings on devices that aren't yours, you might be liable for damage by the owner because everyone have different network situations and because your own network settings don't work for everyone. Inexperienced people are told to leave settings alone if they are not sure how to configure it. I haven't heard of any issues with being on default settings.

Yes I know it might protect them but remember there are still devices connected to the internet through a basic modem. Yes that's right a basic single modem connected straight to the device.

Remember router makers sets default settings based on the ever-increasing internet/networking industry. More devices are using the internet not just computers and game consoles. TVs, Printers, Hard drives, smartphones, just to name a few. So they need to cater for the increasing population that have no idea how computers works but just uses them for facebook or net TV.

You are overly paraniod for something so trivival. Even I who have two routers with their default settings, and a Steam account of 6 years without any problems.

[Squirrelington]

warwagon, you need to understand why linksys did what they did. Perhaps making their routers more accessible to an increasing number of internet-enabled devices, not just computers, not just xbox360. If you tell people to disable things like this, it might only cause more problems than it might solve down the road, for example when they buy a internet enabled TV? What happens if the TV can't connect? Might think a broken TV and take it back and the cycle repeats. Or trying to do file sharing on a newly bought laptop or second comptuer through windows file sharing?

I would recommend you be careful as if you change settings on devices that aren't yours, you might be liable for damage by the owner because everyone have different network situations and because your own network settings don't work for everyone. Inexperienced people are told to leave settings alone if they are not sure how to configure it. I haven't heard of any issues with being on default settings.

Yes I know it might protect them but remember there are still devices connected to the internet through a basic modem. Yes that's right a basic single modem connected straight to the device.

Remember router makers sets default settings based on the ever-increasing internet/networking industry. More devices are using the internet not just computers and game consoles. TVs, Printers, Hard drives, smartphones, just to name a few. So they need to cater for the increasing population that have no idea how computers works but just uses them for facebook or net TV.

You are overly paraniod for something so trivival. Even I who have two routers with their default settings, and a Steam account of 6 years without any problems.

Everything would still work with upnp disabled, you'd just have to manually forward the port(s). Also if the WAN side of the device has access to open and forward ports into the lan, thats an extreme security risk, only devices on the lan side should be able to configure upnp and only for its own ip (i.e. 'internet enabled tv' can forward ports for itself only).

[ozgeek]

Everything would still work with upnp disabled, you'd just have to manually forward the port(s).

That's my point. People shouldn't have to muck through things like this. They expect devices to just connect. How many people know how to forward ports? I even don't know how to do it and all my devices works fine. Hey, stop messing things around and they might stop messing around with you down the road.

[Squirrelington]

That's my point. People shouldn't have to muck through things like this. They expect devices to just connect. How many people know how to forward ports? I even don't know how to do it and all my devices works fine. Hey, stop messing things around and they might stop messing around with you down the road.

You're right on one point, they shouldn't have to mess with this setting however Linksys/Cisco left their firmware vulnerable to a grave flaw. Anyone on the internet, with your IP, can open ports on your router such as the example warwagon gave of port 139 and dig through your system or even windows exploits/holes that would normally be blocked because you're on the nat sided of the router and I know of too many people they do not regularly install their windows updates.

[HawkMan]

The average user will of course never have shared a file in his/her life and would by default have windows firewall or an A/V firewall on. and this isn't just a linksys issue.

[+BudMan MVC]

"It has recently been discovered that UPnP on Linksys routers is accessible from the internet. But what does that even mean?"

"In the past, UPnP was only configurable from a machine inside the network. It has recently been discovered that Linksys routers are now letting machines on the Internet (the other side of the router) configure UPnP."

Source??

Don't get me wrong, I have never been a fan of UPnP -- but where is your source for this info?? I have not seen any info about this, and I would think it would be huge news..

[+Warwagon MVC]

"It has recently been discovered that UPnP on Linksys routers is accessible from the internet. But what does that even mean?"

"In the past, UPnP was only configurable from a machine inside the network. It has recently been discovered that Linksys routers are now letting machines on the Internet (the other side of the router) configure UPnP."

Source??

Don't get me wrong, I have never been a fan of UPnP -- but where is your source for this info?? I have not seen any info about this, and I would think it would be huge news..

http://www.h-online.com/security/news/item/UPnP-enabled-routers-allow-attacks-on-LANs-1329727.html

[+BudMan MVC]

yeah I think that this might be a bit overblown..

From his website FAQ

http://toor.do/upnp.html

8 - Are whole series of devices affected by these problem ?

No, some people have interpreted the news that way, but the devices affected are listed on www.upnp-hacks.org. That means some SPECIFIC models of Linksys with specific firmware's are affected. There could be many other devices affected, but we don't know yet. The most important stacks on the wild right now are the Speedtouch/Thomson and the Broadcom/Zyxel/TP variety. The Broadcom variety is rarely seen open. You are still able to retrieve XML description files on the WAN port, but actually executing the UPnP action rarely goes through.

http://www.upnp-hacks.org/devices.html#linksys

I find it HIGHLY unlikely that any serious number of devices with CURRENT firmware would be listening for UPnP on the wan interface -- better advice would be to keep your devices firmware updated, because yes its quite possible that someone messes up and allows UPnP on the wan interface.

I think his tool could be finding a bunch of OLD **** ;)

9 - Are you saying there are 612k out there open to execute UPnP actions ?!?!

NO! Those are XML description files from UPnP devices being fetched. The fact that you can retrieve the XML description files(although sometimes a problem on Information Disclosure) does not mean you can actually execute UPnP actions. We do not know the exact percentage of devices that are actually executing the actions, but random testing out of those 612k are showing high numbers. Some routers still have firewalls enabled by default, that block most incoming requests on WAN, encasing portmapping attacks to a smaller scope.

Again like I said before I have never been a fan of UPnP, and sure services that you are not using should be disable - this is common sense security. If you not using FTP, you shouldn't be running a ftp server ;) If you not using file sharing - then file sharing should not be enabled, etc..

But I would hope your not trying to scare people into disabling a service they are using and have need of?

[+Warwagon MVC]

yeah I think that this might be a bit overblown..

From his website FAQ

http://toor.do/upnp.html

8 - Are whole series of devices affected by these problem ?

No, some people have interpreted the news that way, but the devices affected are listed on www.upnp-hacks.org. That means some SPECIFIC models of Linksys with specific firmware's are affected. There could be many other devices affected, but we don't know yet. The most important stacks on the wild right now are the Speedtouch/Thomson and the Broadcom/Zyxel/TP variety. The Broadcom variety is rarely seen open. You are still able to retrieve XML description files on the WAN port, but actually executing the UPnP action rarely goes through.

http://www.upnp-hacks.org/devices.html#linksys

I find it HIGHLY unlikely that any serious number of devices with CURRENT firmware would be listening for UPnP on the wan interface -- better advice would be to keep your devices firmware updated, because yes its quite possible that someone messes up and allows UPnP on the wan interface.

I think his tool could be finding a bunch of OLD **** ;)

9 - Are you saying there are 612k out there open to execute UPnP actions ?!?!

NO! Those are XML description files from UPnP devices being fetched. The fact that you can retrieve the XML description files(although sometimes a problem on Information Disclosure) does not mean you can actually execute UPnP actions. We do not know the exact percentage of devices that are actually executing the actions, but random testing out of those 612k are showing high numbers. Some routers still have firewalls enabled by default, that block most incoming requests on WAN, encasing portmapping attacks to a smaller scope.

Again like I said before I have never been a fan of UPnP, and sure services that you are not using should be disable - this is common sense security. If you not using FTP, you shouldn't be running a ftp server ;) If you not using file sharing - then file sharing should not be enabled, etc..

But I would hope your not trying to scare people into disabling a service they are using and have need of?

Good job budman. I did find that after I posted the post. Didn't update the post yet. Congrads budman on the research. Although I do think upnp is a security risk in general.

I would recommend you be careful as if you change settings on devices that aren't yours, you might be liable for damage by the owner because everyone have different network situations and because your own network settings don't work for everyone. Inexperienced people are told to leave settings alone if they are not sure how to configure it. I haven't heard of any issues with being on default settings.

Although I did just hear Leo leporte tell his radio show listeners a.k.a over a million people to turn of upnp.

[+BudMan MVC]

I agree UPnP can be a security concern 100% - I would never in a million years enable it in current form. I am sorry I am not going to allow any software to open holes in my router without explicit consent from ME! Period, be a way I can auth said software before hand or requests being requested before happening.

But many users without any understanding of what nat is or what a port forward is, or even for that matter what an IP address is, etc. Do find it useful for their devices/software to work through their router.

But I completely agree with you about it being a security concern, and have never ran into a situation where it would be require for something to function. You can always create the rules in your firewall/router for what ports you need by hand.

As to over hyping the issue though, not a fan. The other day someone stated that wpa tkip is no longer secure, BS!! Yes there has been an attack against it for years now, but does not mean it is not secure!! Understanding the details of the concerns is a requirement to weigh concerns vs the benefits of whatever protocol/service you might have use of.

My only concern with your guide was that it seem to state that every single linksys out there was open to this attack.. Its actually quite old news, and seems the number if you ask me is highly over hyped. And for many years now I know for sure that linksys has shipped their routers with upnp off, and would have to be enabled.

But I agree if not using UPnP then sure turn it off, which is common security practice for any service/protocol you not using -- if not needed, then it shouldn't be enabled.