Most home routers 'vulnerable to remote take-over'

Airport Extreme Base Station?

Any idea what Apples Airport Extreme Base Station, which contains a small router, might be set to?

UPNP Just like Windows ME ... a bad idea

Which is why It is the first thing I turn off on all new installs I do.

Belkin firmware

The latest version of firmware for the Belkin FSD7230-4 'wireless' (when it works) router lacks uPnP. I find my current P2P progs like uPnP so I may have to

a) get around to rebuilding spare system

b) remove flash

c) not 'upgrade' firmware

d) all three

Wasn't...

Steve Gibson (http://www.grc.com) slaughtered in the press when he said how inherently unsafe UPNP was ?

How many years ago was that now - seven ?

Refund after today?

There is, of course, no way to know from the boxed item, what it can/can't do to the extent purchasers may need.

So, does a router that cannot have UPnP disabled, mean that it's not 'fit for purpose' and therefore, returnable for refund?

Linksys WRT54GL + DDWRTv23

Anyway, the problem here isn't really the routers, it's the morons who go to infected websites. We still need to stamp out the problem at the root.

RE: Refund After Today

I'd say they can't argue it, unless they want you to pull up a manager and start yelling how they sell insecure hardware in the middle of a PC world :P

You know.. I might go do that on my lunch. I've already got a few Bug-Bears to pick with PC world..

UPnP

I've had it turned off for years, I never like the concept from day one. Never had a need for it, but guess I'm a bit more technical than you average Joe.

Oh and remember people, not every router has the same address.

AEBS and that...

I think it does - Leopard's Back-to-my-Mac relies on uPnP.

Cisco 857's don't do it. As I found out when trying to play with Back-to-my-Mac. Still silver linings and that, eh?

It's me being a bit thick

But in order to set up the forwarding described I have to manually log in to my router with an ID and password. Does the UPnP not require the same authentication when done through this Flash exploit?

ah

Turned mine off...about 2 minutes ago :P

@Colin Wilson

Gibson was slaughtered in the press for being a scare-mongering f*ckwit.

Whilst he - quite rightly - declared UPnP unsafe, he also declared just about every other interface & protocol available to a PC unsafe too.

Besides, turning UPnP off has been considered good practice since it was first introduced.

Thumbs-up for Belkin

My (year-old?) Belkin not only defaults UPnP to Disable but includes a good explanation of the risks of enabling it.

oh good

i wasn't sure, but just checked on my D-Link G604T and it was turned off. I think I probably looked at it and said "what's that? sounds dodgy. Do I need it? no ...."

next ...

UPnP disabled here too

Think that until a couple of days ago it wasn't an issue as my aged BEFSR41 predated UPnP! However just got a WRT54GL and, as others have commented, during initial setup saw the enable/disable UPnP and without thinking disabled it! (Slight minus point was that it was enabled by default)

Also, interested to see that WRT54 also has the useful option of denying access to the settings web pages from the wireless interface which closes another potential (if unlikely in practice) harzard

Mavens!

That's a lovely word which I've seen a lot on El Reg recently. You're all quite the literacy mavens!

if only it was that easy

UPnP is supposed to be standardised, shame that in reality it isnt, every router has its own little foibles and bugs, many just plain dont work at all, or work once then crash. its been hell trying to write code to work smoothly with as many routers as possible. oh and someone said that the port forwarding vanishes when the application does, wrong, the program would have to explicitly send delete rule commands to the router.

The Orange Livebox...

Has UPNP on by default (well mine did)

IP Address

The links on the article seem to imply that it uses the IP address of the router to give it access to UPnP.

So does this mean that if the router has a non default IP address (or is not the default gateway) then its actually going to be hard to get into? How long is it going to take to scan all the IP addresses in my 192.168.x.x address range?

Re:oh good

Daniel, it's OK, I can't get UPnP to work on my D-Link G604T, along with reliable name resolution under Linux and a way of using FTP that doesn't cause it to crash, so I think we're safe.

@Chris Green

I suspect you already know the answer to that and you're just angling for a "most predictable smart-alec post" award.

Of course the router is fit for purpose, it routes traffic from one place to another. I don't see any manufacturers advertising their products as totally secure, they just say "our router will route traffic".

Just because it doesn't say whether uPnP can be disabled on the box doesn't mean you have a legal right to buy it to find out, and then return it for a refund if it doesn't do what you want. Don't get rights mixed up with voluntary returns policies. If you specifically want functionality that isn't mentioned on the box, then you need to ask the reseller and if PC World tell you that uPnP can be disbaled but you then find it can't be, then you have a right to a refund. Of course, trying to get PC World to admit to telling you duff gen is another issue entirely....

Upnp - no go area

I never switch on Upnp. Not only is it a bad practice, but in case you have 'smart' windos machines around, they will autodetect the 'feature' and use it to switch the ISP link on/off. So, say you have 4 machines connected and you close down one, all others loose their connection as well. This is what happened on an older speedtouch icm. windos XP.

It should be switched off by default - always - and I really see no reason for anyone using it at all. The same applies to stupid flash stuff as far as I'm concerned....

Buffalo WHR-G54ES

...came with UPnP enabled... but when (way back then) the service was enabled on my PC it used to use up half my CPU and bandwidth so I turned it off by disabling the service on my PC. Having done that, I figured I didn't need it on my router either and disabled it.

Can't see why people are arguing to be honest. It's cack - turn it off. Make sure when you buy a router that it CAN be turned off.

Gibson

@ ryan

Looking back 7 years ago today, just about every other interface & protocol was insecure. (pre XP... at a time when people were buying Windows ME on new computers! Most users had fat32 file systems!) I wish people had listened, since nobody really did, we have russian computer gangs, massive bot nets, turks defacing websites, chinese pen testing DOD computers, spam, prolific viruses and nigerian royalty.

Useless

UPNP is about as much use as an ashtray on a motorbike. If you're too lazy to learn playschool networking, don't network.

Sometimes this "use stuff even if you don't know how to use stuff" philosophy makes me want to puke.

The fault is prolly a bit of both

Flash for not having the ability to switch off UPNP and UPNP for blind obeissance. You might want to also blame the router manufacturers for allowing an untrustworthy protocol to redirect something as necessary as DNS.