UPNP and recent Belkin routers OK
My Belkin FSD7230-4 wireless router has a firmware setting to disable UPNP connections. UPNP is OFF by default.
So that headline should probably read "*some* home routers are vulnerable..."
Cheers from Canada
Security mavens have uncovered a design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website. The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce …
on my SMC Barricade router, and now I can no longer control it. Typing 192.168.1.254 in my browser reports a 404. Niether can I telnet or ssh it.
In order to change anythong in the configuration I will have to use a paperclip to clear take it back to it's defaults. If I can remember my ISP user name and password.
UPnP is great. Rather than creating a port forwarding rule (which always leaves a certain port open), it only opens and forwards the port *while running the app which needs it*. Once the app closes, the port is also closed.
I'll rely on NoScript blocking Flash content that's not hosted on websites I explicitly trust, for now.
Gibson was slaughtered in the press for being a scare-mongering f*ckwit.
Whilst he - quite rightly - declared UPnP unsafe, he also declared just about every other interface & protocol available to a PC unsafe too.
Besides, turning UPnP off has been considered good practice since it was first introduced.
Think that until a couple of days ago it wasn't an issue as my aged BEFSR41 predated UPnP! However just got a WRT54GL and, as others have commented, during initial setup saw the enable/disable UPnP and without thinking disabled it! (Slight minus point was that it was enabled by default)
Also, interested to see that WRT54 also has the useful option of denying access to the settings web pages from the wireless interface which closes another potential (if unlikely in practice) harzard
I find it very tenious that the reason that this isn't a security flaw in flash is because flash is behaving the way it was designed too. This is complete rubbish.
It IS a security flaw in flash. I can see no justifiable circumstances why a flash script from the internet should be able to open a page to a private non-public ip address. It shouldn't be allowed.
This post has been deleted by its author
UPnP is supposed to be standardised, shame that in reality it isnt, every router has its own little foibles and bugs, many just plain dont work at all, or work once then crash. its been hell trying to write code to work smoothly with as many routers as possible. oh and someone said that the port forwarding vanishes when the application does, wrong, the program would have to explicitly send delete rule commands to the router.
Because the request is sent by the web browser, the upnp request _is_ from the internal network.
Can't javascript also send these type of requests?
Do other viruses and trojans change your primary DNS? It seems like it'd be a rather useful thing to do, if you're so inclined.
...if you have an Xbox360 and use Live.
I'll guess we'll have to wait for that penguin powered games console and in the meantime keep ourselves amused with board games or something.
Alternatively I might have a look and see if I can create a firewall rule on my router to only allow non-PC's on my network to use UPNP...
The links on the article seem to imply that it uses the IP address of the router to give it access to UPnP.
So does this mean that if the router has a non default IP address (or is not the default gateway) then its actually going to be hard to get into? How long is it going to take to scan all the IP addresses in my 192.168.x.x address range?
"It IS a security flaw in flash. I can see no justifiable circumstances why a flash script from the internet should be able to open a page to a private non-public ip address. It shouldn't be allowed."
What a load of BS. I guess you haven't heard of an Intranet then? How would it be told it's on the internet or an intranet - some corp's have internal servers that -do- have external (firewalled) IP addresses that are accessed from inside the LAN so simply checking it's (local machines) IP wouldn't work.
I suspect you already know the answer to that and you're just angling for a "most predictable smart-alec post" award.
Of course the router is fit for purpose, it routes traffic from one place to another. I don't see any manufacturers advertising their products as totally secure, they just say "our router will route traffic".
Just because it doesn't say whether uPnP can be disabled on the box doesn't mean you have a legal right to buy it to find out, and then return it for a refund if it doesn't do what you want. Don't get rights mixed up with voluntary returns policies. If you specifically want functionality that isn't mentioned on the box, then you need to ask the reseller and if PC World tell you that uPnP can be disbaled but you then find it can't be, then you have a right to a refund. Of course, trying to get PC World to admit to telling you duff gen is another issue entirely....
I never switch on Upnp. Not only is it a bad practice, but in case you have 'smart' windos machines around, they will autodetect the 'feature' and use it to switch the ISP link on/off. So, say you have 4 machines connected and you close down one, all others loose their connection as well. This is what happened on an older speedtouch icm. windos XP.
It should be switched off by default - always - and I really see no reason for anyone using it at all. The same applies to stupid flash stuff as far as I'm concerned....
I see these regular stories on Reg about holes in routers etc. I've got a software firewall, noscript etc. etc. but I read the stuff above about NAT, port forwards, now UPnP, IPtables for routing and all that, and it's clear that my fragmentary knowledge of IP ("four numbers. Dots inbetween") doesn't cut it. I've two books on networking & they taught me nothing - they really were trivial. So, experts, please recommend a solid book or somewhere to start.
BTW I work in IT so I'm only a newbie in networks.
thanks
With google you can find many of these inforrmation resources. What you should start to learn are the fundamentals. Search for 'TCP/IP networking howto' and a lot will show up.
This is a reasonable page to get started:
hxxp://www.pcsupportadvisor.com/TCP_IP_tutorial_page1.htm
I have learned my original TCP/IP knowlegde from a book connected to the Novell 3.12 NOS. It was a very comprehensive book and perfectly clear. It just does not cover all those 'new thingies' like NAT etc.
...came with UPnP enabled... but when (way back then) the service was enabled on my PC it used to use up half my CPU and bandwidth so I turned it off by disabling the service on my PC. Having done that, I figured I didn't need it on my router either and disabled it.
Can't see why people are arguing to be honest. It's cack - turn it off. Make sure when you buy a router that it CAN be turned off.
I wouldn't claim to be an expert, but I recall these two being good.
Data Communications, Computer Networks and Open Systems
F. Halsall
# ISBN-10: 020142293X
# ISBN-13: 978-0201422931
Computer Networks
Andrew S. Tanenbaum
# ISBN-10: 0130384887
# ISBN-13: 978-0130384881
There's a lot of overlap there, and I'm not sure they cover upnp which is relatively recent.
Since I know that only a very few ports are required for the stuff I use and they are all on one PC on my network I've never used UPnP. Mind you, as I have a linksys router I binned the standard firmware and moved to Tomato - much better than the standard stuff and has UPnP off by default.
@ ryan
Looking back 7 years ago today, just about every other interface & protocol was insecure. (pre XP... at a time when people were buying Windows ME on new computers! Most users had fat32 file systems!) I wish people had listened, since nobody really did, we have russian computer gangs, massive bot nets, turks defacing websites, chinese pen testing DOD computers, spam, prolific viruses and nigerian royalty.
...if you don't go to dodgy websites in the first place where these people are likely to have put the crafted flash, then you haven't got a problem.
Again - common sense and having half a brain prevails.
I'm leaving my UPnP on, thankyou very much, even if I don't have many applications that use it.