Sunday, October 23, 2016

Not UPnP

If you don't read Krebs on Security you should. Recently his website was attacked by the largest Distributed Denial of Service (DDoS) attack ever seen. Investigation showed that it was powered by infected Internet of Things (IoT) devices, mostly media devices.

Subsequently he wrote a post on "Who Makes the IoT Things Under Attack?"

To me the key point in this post was:
...many IoT devices will use a technology called Universal Plug and Play (UPnP) that will automatically open specific virtual portholes or “ports,” essentially poking a hole in the router’s shield for that device that allows it to be communicated with from the wider Internet.
If you don't know what Universal Plug and Play (UPnP) is go read the wikipedia article here.

But that article is long and dry. The problem with UPnP is finally described here:
NAT traversal One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.
Now read that again.
Many routers and firewalls ... allowing any local UPnP control point to ... add or remove port mappings.
Do you realize how BAD that is?

But the solution is easy. In your router just disable UPnP.

Do it NOW.

Update: Listen to Security Now 583

Update 2: I told you - Connections are allowed into the device from the outside world via UPnP.

No comments: