what happens if I disable UPnP?

[horizonbrave]

Hi,
I read everywhere that it's a big secuiry hazard!
So please if disable will I be still able to use:
- my email program
- torrent client
- skype (or other communicaion app)
- gaming console (nintentdo or sony)
- nzbget
- other programs that I might have forgotten
?

If not, is it all about finding what ports these programs use and then port-forward them?
Is there another elegant solution to that will let me keep upnp switched on with the devices I trust? (but it still seems dangerous to me!).

Thanks for input

 

[ColinTaylor]

Personally I leave it enabled because I regard the risk as practically non-existent in my particular environment and it makes things easier for me. I wouldn't consider enabling it in a business environment or on a network that I didn't completely control.

Most of UPnP's bad reputation comes from an issue many years ago where some routers were exposing the service to the WAN. Asus routers never did that AFAIK. The other issue people worry about is the ability of a client to forward ports to a client other than itself. UPnP's "Secure mode" fixed this problem.

Without UPnP enabled things like torrents and multiplayer gaming won't work properly unless you manually identify and forward all the ports required. This ends up being a bigger security risk IMHO because now you have to open up all ports that you might need and they're left open permanently rather than just when they're needed (and if the client's IP address changes that's another problem).

Some people don't use applications that need port forwarding so there's no reason for them to have it enabled. Other's just like to micromanage everything on their network.

You can always check what port forwarding rules are active by looking on the router at System Log > Port Forwarding.

 

[RMerlin]

Torrent: you will have to manually forward a port used by your torrent client (meaning if the client uses a random port, you will have to settle on a specific one).

Game consoles might have issues if you play online games - you will have to see the documentation of the games you play.

Skype also forwards ports using UPNP however I'm unsure what's the impact of not using UPNP (since I know Skype can work without it).

 

[Squall Leonhart]

These units are not affected by the upnp exploit

 

[agilani]

These units are not affected by the upnp exploit

upnp is the exploit

Basically upnp allows devices on your network to open incoming connections to your home to allow the device to function correctly.

Allow incoming camera connections
Allow incoming gaming connections
Allow incoming plex or media connections
Did you know that minecraft opens up upnp ports to the outside (i sure didn't and was pretty pissed about it)


and the list goes on....

One could argue that most of the devices have not been really hardened or tested and/or most of these devices have exploits.

Disabling upnp may decrease the security threat...but will break a lot of apps/devices native functionality.


Best bet would be to look a the forwarding table on your router and see which devices are already using incoming connections and decide if you want to leave it.

If you decide to turn it off, you can always enable manual port forwarding for statically addressed devices. You'd need to find which ports the device needs. The xbox for example needed a whole bunch of them.

 

[Squall Leonhart]

no it isn't.

 

[hasarouter]

I have upnp off, so far chromecast and sonos work without issues, though I remember reading online chromecast requires upnp

Skype works fine too, as do messengers, eg telegram.

 

[agilani]

no it isn't.

There's no debate about it really, upnp is fundamentally insecure. If sticking your head in the sand makes you feel better. Well <shrug> no skin off my back.

https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/

 

[sm00thpapa]

Been using UPNP on for over 10 years with no security issues. With or with out if some one wants to hack you they will.

 

[sfx2000]

There's no debate about it really, upnp is fundamentally insecure. If sticking your head in the sand makes you feel better. Well <shrug> no skin off my back.

Most of the security issues around uPNP are due to implementation, not the protocol itself...

 

[sfx2000]

Without UPnP enabled things like torrents and multiplayer gaming won't work properly unless you manually identify and forward all the ports required. This ends up being a bigger security risk IMHO because now you have to open up all ports that you might need and they're left open permanently rather than just when they're needed (and if the client's IP address changes that's another problem).

Some people don't use applications that need port forwarding so there's no reason for them to have it enabled. Other's just like to micromanage everything on their network.

You can always check what port forwarding rules are active by looking on the router at System Log > Port Forwarding.

Yep...

static port forwards keep the port open all the time, uPNP/NAT-PMP only keep the ports open as long as needed...

 

[umarmung]

UPnP automatically pokes holes in your firewall so that you don't have to do it manually.

For a given residential user, it's just the flick of a checkbox in your router's interface. So, just test it. The default should be disabled due to extremely strong security concerns from bugs in common implementations and the loss of control over which services are doing it.

You may find the only practical improvement in poking holes in your firewall at all comes from having an open port for Bittorrent, which can work without such a port but is often much faster with it.

So, if all you want to do is open one port to one Bittorrent machine, disabling UPnP is more than worth it, if you know how to use router and client networking interfaces to manually port forward.

If you really know what you are doing and have the equipment for it, you can create VLAN networks for receiving UPnP services and isolate these clients from the rest of your devices. But this is way beyond typical consumers and you would need a SOHO/enterprise or custom firmware router to do it, e.g. Ubiquiti, pfsense, Peplink, Cisco, Mikrotik, DD-WRT.

 

[agilani]

Most of the security issues around uPNP are due to implementation, not the protocol itself...

I will respectfully disagree. When guests come over, do you give them keys to come and go as they please to your house? Are you prepared for the big party they throw at your house while you are at work? Did they have the foresight to lock the door so your pets don't get out? Did they close the door to make sure people don't just wander in? While the guests threw a big party, did they supervise everything/everyone to make sure the party attendees didn't go into other rooms in the house and your drawers?

upnp is fundamentally insecure.

In my house over eight devices regularly open up holes to the outside. Many of these devices have been proven to be insecure and have been hacked publicly. Why for the love of everything good, would i want to allow them to have a party in my house?

and i have removed almost all IOT wifi devices form my network and switched to zwave/zigbee devices.

With upnp, the security of the worst device is in effect the security of your home network.

Just to be clear though, disabling upnp doesn't miraculously fix security. But disabling it doesn't allow every device that comes on your home network to blatantly control the front door either.

The protocol has no autnentication, authorization, and was developed with complete disregard for any basic security protocols.

Best thing is to look at the port forwarding table and see what is using upnp in your network and if you are comfortable with it.

http://192.168.1.1/Main_IPTStatus_Content.asp

 

[RMerlin]

In my house over eight devices regularly open up holes to the outside. Many of these devices have been proven to be insecure and have been hacked publicly. Why for the love of everything good, would i want to allow them to have a party in my house?

A proper UPNP implementation (like supported by miniupnpd) would only allow a device to forward a port to itself. In that regard, that visitor device is no more a security risk if it forward a UPNP port than it already is by being able to establish an outbound connection anywhere outside of your network. Keep in mind that an outbound connection can also receive inbound data, just as if the port had been forwarded.

That's why @sfx2000 says the issue lies in the implementation, not in UPNP itself. Too many UPNP implementations are flawed, allowing for instance a client to forward a port to another IP address within your LAN. Those are the real problems.

 

[RMerlin]

It's important to understand that UPNP does not open a hole in your firewall. It forwards a specific port to a specific LAN IP. In a properly secured UPnP implementation, that IP can only be the same as the device asking for the forward, so it cannot compromise other devices within your LAN any further than they already can be by having a foreign client within your LAN.

 

[RMerlin]

This is what happens with an Asuswrt router when trying to forward a port to someone else within my LAN:

merlin@ubuntu-dev:~$ upnpc -a 192.168.10.199 9999 9999 tcp 3600
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.10.1:47639/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.10.1:47639/ctl/IPConn
Local LAN ip address : 192.168.10.106
ExternalIPAddress = 23.x.y.z
AddPortMapping(9999, 9999, 192.168.10.199) failed with code 718 (ConflictInMappingEntry)
GetSpecificPortMappingEntry() failed with code 714 (NoSuchEntryInArray)

Only a forward to myself is allowed:

merlin@ubuntu-dev:~$ upnpc -a 192.168.10.106 9999 9999 tcp 3600
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.10.1:47639/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.10.1:47639/ctl/IPConn
Local LAN ip address : 192.168.10.106
ExternalIPAddress = 23.x.y.z
InternalIP:Port = 192.168.10.106:9999
external 23.x.y.z:9999 TCP is redirected to internal 192.168.10.106:9999 (duration=3600)

 

[OzarkEdge]

A proper UPNP implementation (like supported by miniupnpd) would only allow a device to forward a port to itself. In that regard, that visitor device is no more a security risk if it forward a UPNP port than it already is by being able to establish an outbound connection anywhere outside of your network. Keep in mind that an outbound connection can also receive inbound data, just as if the port had been forwarded.

That's why @sfx2000 says the issue lies in the implementation, not in UPNP itself. Too many UPNP implementations are flawed, allowing for instance a client to forward a port to another IP address within your LAN. Those are the real problems.

Do you mean the UPnP implementation by the router or by the host device on the LAN?

And, is UPnP enabled by default in Asuswrt-Merlin? I suspect so.

OE

 

[RMerlin]

Do you mean the UPnP implementation by the router or by the host device on the LAN?

By the router.

And, is UPnP enabled by default in Asuswrt-Merlin? I suspect so.

Yes.

 

[sfx2000]

Only a forward to myself is allowed:

exactly - proper implementation, even with miniupnpd generally works -- Even on the FreeBSD based pfSense...

sfx@blaster:~$ upnpc -a 192.168.1.20 9999 9999 tcp 3600
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.1:2189/ctl/IPConn
Local LAN ip address : 192.168.1.20
ExternalIPAddress = 68.a.b.c
InternalIP:Port = 192.168.1.20:9999
external 68.a.b.c:9999 TCP is redirected to internal 192.168.1.20:9999 (duration=3600)

 

[sfx2000]

A proper UPNP implementation (like supported by miniupnpd) would only allow a device to forward a port to itself. In that regard, that visitor device is no more a security risk if it forward a UPNP port than it already is by being able to establish an outbound connection anywhere outside of your network. Keep in mind that an outbound connection can also receive inbound data, just as if the port had been forwarded.

Exactly - and then it's the device that is attempting to port forward, and security thereof - and that's out of the scope of uPNP

I get it, there are folks that do worry about "automated" actions that change firewall rules - whether it's uPNP, or scripts like Fail2Ban or sshguard, just naming a couple...

If you have a device, whether it is a gaming console, web camera, thermostat, doorbell, or even a coffee pot - one must look at the security on that endpoint as well...

SPI firewalls and NAT do a lot of good things, and uPNP can help with the user experience, but still - one has to do some level of digital hygiene... OS's might be hardened to some degree (some more than others), but it's also the applications that run on the OS/Device...

Practice safe hex at the end of the day...