What is UPnP and is it Safe?

What is UPnP?

A network protocol called Universal Plug and Play, or UPnP, allows apps and devices to connect by automatically opening and closing ports. Every step necessary for devices on the same network to identify and communicate with one another is automated by the protocol. The main objective of UPnP is to provide users with an automated way to install and connect new gear to a local network. Smart TVs, routers, printers, cellphones, and numerous more devices are commonly using UPnP.

Use Cases of UPnP

Rapidly connecting various apps and devices inside the same network is essential given the development of technology and its current interconnectedness. UPnP is necessary to achieve smooth device interactions within the local network.

1. Remote Device Control: UPnP is mostly used to enable remote control of devices that support it from a computer or smartphone. You may use a smartphone to operate any media player or smart TV that supports UPnP. This would enable simple device control and access from any network location.
2. Home Automation: A variety of smart home gadgets may easily communicate and work together with the help of UPnP. For instance, UPnP can be used to link your smart thermostat to your smart lighting system in a smart home environment, enabling automatic lighting adjustments based on temperature changes.
3. Media Streaming: Without the need for complicated settings, UPnP enables the streaming of images, music, movies, and many other types of data across UPnP-enabled services. Video streaming has eroded the market for cable TV because of internet TV devices like Apple TV. These devices easily connect to your TV because of UPnP.
4. Internet of Things(IoT): Whether in an office setting or a smart home, IoT devices function best when they are connected to other surrounding devices. Every device can use UPnP without any problems. However, a lot of concerns accompany the convenience of connected IoT devices.
5. Gaming: To play and stream online games, a gaming console can be connected to a game server using UPnP. To enable instant gameplay, UPnP swiftly connects the console to your network. Security and performance are critical for optimal gaming.

How does UPnP Work?

Through the seamless connection and interaction of devices, UPnP is intended to function in a way that improves the efficiency and convenience of users’ lives. In many instances, UPnP appears to be quite simple to use. All you have to do is bring a device home, connect it to the local network, and it will immediately connect to the rest of your gadgets.

The procedure begins when a device connects to a network. To automatically open and close ports, UPnP makes use of four widely used networking standards: TCP/IP, HTTP, XML, and SOAP. In the UPnP client-server architecture, seek for UPnP servers, or devices, which are control points or clients. The primary UPnP steps are listed below:

• Addressing: The procedure begins with a new device, which needs a distinct IP address to join the network. The UPnP either requests an IP address for the new device from a DHCP (Dynamic Host Configuration Protocol) server or permits the device to self-assess an IP address using a process known as AutoIP in the case that no DHCP server is available. One should understand that not every Internet of Things device needs an IP address.
• Discovery: When the device employs the Simple Service Discovery Protocol (SSDPP) to shield its information from network control points, the discovery process starts. Messages including the new device’s device type, identifier, and network position are sent. The network control point can actively listen to the devices of interest for SSDP messages based on UPnP configuration.
• Announcement: When UPnP-enabled devices receive “Discovery” messages across the port, they respond with their own “Announcement.” It will be a nice answer, like “Hello!” How may I assist you? I’m present.
• Description: Before engaging with the new hardware, the network needs to become aware of its capabilities when a control point finds it. A “description” of each device is provided, which covers its features, capabilities, and services in depth. This includes vendor information, model name, serial number, and a list of any services offered, together with presentation URLs for websites particular to each vendor (optional). The URLs for control, eventing, and service description are listed in a Device Description document that is created by the network once the device transmits these messages in XML format. The instructions that the service can reply to and the parameters for each operation are also included in each service description.
• Connection and Control: Following their discovery of each other’s capabilities, UPnP establishes the links required for data sharing and mutual control. Additionally, these control messages utilize the Simple Object Access Protocol (SOAP) and are in XML format. For instance, you can easily display photographs from your smartphone on your smart TV, and you can use your smartphone to manage the TV’s playing or volume remotely.
• Notification: Once connected, devices notify one another of events or changes using UPnP. Your computer may receive a UPnP message, for instance, informing you that your printer needs a paper refill when it runs out of paper. A control point can register as a service to receive alerts for changes in device status when an event occurs. This protocol is called General Event Notification Architecture (GENA) which is part of UPN.
• Adaptability: The capacity of UPnP to adjust to network changes is another outstanding feature. UPnP makes sure that all devices are informed of changes, including the addition of new devices or the departure of existing ones, and adjust their configurations appropriately.

Why is UPnP Still a Security Risk?

The Universal Plug and Play (UPnP) standard makes it easier to connect devices. For the majority of devices, UPnP does not require authentication or authorization, presuming that the devices attempting to join are reliable and originate from your local network. This implies that backdoors to your network may be discovered by hackers. However, because of the risks involved and the possibility of being exploited by bad actors, its security implications are still relevant. UPnP use can result in a number of security risks.

Unauthorized Access

Malicious actors can obtain authorized access to devices on your local network through UPnP. An attacker may be able to take control of a device, obtain private information, or carry out harmful activities if they find vulnerable UPnP-enabled devices.

Data Leakage

Although UPnP makes it easier for devices to share data, sharing sensitive information without the appropriate encryption or authentication might pose privacy problems. Data leakage or unlawful disclosure may result from unauthorized devices obtaining access to shared data.

Port Forwarding

Connected devices on a local network to those on other private or public networks through the internet is called port forwarding or port mapping. With the use of port forwarding, a router’s public wide area network, and its local area network devices can form an association map. For devices on the local network, UPnP can automatically configure port forwarding on the router to provide external access. Although this could be helpful for some uses, it can also unintentionally expose gadgets to the internet, which makes them vulnerable to hacking efforts.

Malware Propagation

Through UPnP, viruses, and malware can propagate throughout a local network. Should one device be compromised, the malware may utilize UPnP to find and infect additional susceptible devices on the network.

Inherent Risk Associated

There are risks associated with UPnP because it is an autonomous and permissive networking technology. Firewalls can be used to construct gateways by connecting internal ports to the router’s exterior, which is one potential method of exploitation. The DNS server settings are changed to load fake websites instead of real ones.

A few Examples of UPnP CyberAttacks

CallStranger Vulnerability(2020): CallStranger, a recently discovered vulnerability (CVE-2020-12695), impacts billions of devices and can be used for a variety of malicious purposes, such as data exfiltration and DDoS operations. The reason behind CallStranger is a vulnerability in the UPnP SUBSCRIBE function that an attacker could use to cause an SSRF-like vulnerability.

Pinkslipbot Attack: QBot, QuackBot, and QakBot are other names for this attack, which is primarily utilized in banking attacks. It is a trojan attack that is still operational in many situations. The Pinkslipbot uses UPnP to infect victims and hides its actions so it can go unnoticed. Keyloggers are installed to steal passwords and sensitive data, and ransomware is then deployed by monitoring activity.

Enabling/Disabling UPnP

Although UPnP capabilities are useful, it is unclear if turning it on or off is safer or better. If the majority of the devices on your network depend on UPnP to operate and you are prepared to put in the time required to maintain network security (frequent updates, patches, and strong security measures), turning on UPnP might be advantageous. However, it would be wiser to leave UPnP disabled if you have significant security concerns or would like to control what modifications are made to your network settings. When choosing a UPnP solution, always consider the trade-offs between security and convenience.

If you want to use UPnP enabled, you also need to improve your security. While UPnP is not inherently dangerous, it can result in significant security flaws if used incorrectly.

How UPnP Can Be Exploited

Typically, when combined with a powerful firewall, routers might expose your network to outside attacks. Yet, UPnP has the potential to introduce security flaws that allow hackers to take advantage of network weaknesses. The methods listed below are how hackers can take advantage of UPnP:

1. It starts with a phishing scam, which is an attack that infects a device with malware.
2. The compromised device is then connected to a network using UPnP, which grants hackers access to the network.
3. Hackers can install whatever program they want after gaining access to the network through a backdoor that goes months without being noticed.
4. When a hacker gains access to a network, they can steal confidential data, encrypt data, demand a ransom, take over the victim’s machine to conduct a denial-of-service attack or compromise a victim’s website.

The key to using UPnP securely and successfully is understanding the possible hazards and taking proactive steps to reduce them. Monitoring vulnerabilities, updating network devices and infrastructure regularly, and closely following UPnP security guidelines are all part of this. Regularly updating your network devices such as routers, switches, firewalls, and Internet of Things devices is one way to effectively control the risks associated with UPnP. Vulnerability monitoring also provides the knowledge and abilities required to identify, understand, and address any security risks.

How Lepide Helps

To find hidden weaknesses that could be exploited to facilitate breaches, Lepide’s attack surface management solutions monitor both internal and external attack surfaces. Sometimes, an attacker can enter your network and wreak havoc if you don’t use UPnP. You can monitor what the attackers are initially aiming for—the data. Track data interactions, spot irregularities, and report on changes made to important files and folders using Lepide’s Data Security Platform.

Lepide helps businesses reduce their threat surface, detect threats to sensitive data, and manage compliance more effectively.

Ready to experience it for yourself? Schedule a personalized demo with one of our experts today!