«
»

If You Care About Security On Your Home Network, Turn Off UPnP

UPnP stands for Universal Plug And Play. The idea behind this technology is that networked devices such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing. It sounds great because it takes some of the complexity setting up devices on your home network.

It’s also a great vehicle for hackers to enlist your devices to pwn others. And has been for years. And when I say years, I mean that security issues have been found in UPnP going back into the previous decade.

Researchers at cyber security firm Imperva have posted a paper that describes how UPnP can be used to enlist UPnP enabled routers that may be badly secured to execute a pretty crafty distributed denial of service attack. I say crafty because the attack that the researchers describe can evade some defense mechanisms to mitigate at distributed denial of service attack. What’s concerning about this is that the researchers found 1.3 million devices that on the surface could be exploited for such an attack. That’s kind of scary.

My advice? If you have a router which supports UPnP, disable the protocol immediately. I haven’t yet stumbled upon a router which does not permit disabling UPnP, so as far as I am concerned, that should be a no brainer to help you to avoid having your router enlisted for mass pwnage.

This entry was posted on May 16, 2018 at 8:34 am and is filed under Commentary with tags . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

5 Responses to “If You Care About Security On Your Home Network, Turn Off UPnP”

  1. Hackers Are Pwning Chromecasts To Broadcast Security Risks About Chromecast And UPnP | The IT Nerd Says:
    January 3, 2019 at 9:00 am

    […] Plug and Play which is designed to make devices work easily with each other. But I have been on record as saying that UPnP should just be disabled on routers by default as it is a security nightmare […]

    Reply
  2. Review: Linksys MR8300 AC2200 Mesh WiFi Router: | The IT Nerd Says:
    January 15, 2019 at 8:17 am

    […] tried to find the option to turn off UPnP or Universal Plug and Play in the app. I do that because it is a huge security risk for your home network. But I could not find that option in the Linksys app and I had to log into the router using a […]

    Reply
  3. Replacing My Netgear Router With The ASUS ZenWiFi (CT8) | The IT Nerd Says:
    June 24, 2020 at 11:44 am

    […] I disable UPnP for the reasons I outlined here. […]

    Reply
  4. How To Secure Your QNAP NAS (Or Any Other NAS For That Matter) | The IT Nerd Says:
    September 10, 2022 at 8:25 am

    […] issues with uPnP make that a very obvious attack vector for hackers. I wrote about those risks here if you want to go down the rabbit hole. And even if you don’t have a QNAP NAS, you should […]

    Reply
  5. Upgrading My Home Network To Fully Leverage My Fibre Internet Connection | The IT Nerd Says:
    January 30, 2025 at 9:40 am

    […] I disabled UPnP for the reasons I outlined here. […]

    Reply

Leave a Reply

Discover more from The IT Nerd

Subscribe now to keep reading and get access to the full archive.

Continue reading