Routers have once again become a potential source of cyber threats following the disclosure of new security flaws in UPnP earlier this month. UPnP, or Universal Plug and Play, is a widely used networking protocol in home routers, designed to automatically detect devices on a network and enable communication between them.
According to researchers, these vulnerabilities could allow an attack to succeed in less than 20 seconds, putting any router running UPnP at risk.
Filet-o-Firewall
The newly discovered flaws have been dubbed “Filet-o-Firewall.” While the name may sound amusing, the consequences are serious. Threatpost reports that the issue combines multiple weaknesses in routing protocols and browsers, which together can expose devices behind a firewall directly to the Internet.
The attack works via a specially crafted website that can trigger users’ Chrome or Firefox browsers with JavaScript enabled to send arbitrary UPnP requests to their firewall. This may reveal one or more devices behind the firewall. While extracting valuable data requires additional effort, experienced attackers can achieve this relatively easily.
Getting users to visit a malicious website with JavaScript enabled is also relatively simple for attackers.
This vulnerability is described as “logic-based,” meaning it doesn’t stem from a single code flaw. Instead, it results from a combination of different weaknesses aimed at the UPnP service on home routers.
Important advisory from CERT
CERT’s advisory notes that many home routers implementing UPnP fail to sufficiently randomize UUIDs in control URLs or enforce other UPnP security measures.
Originally, the UPnP protocol was created under the assumption that devices would operate on a private network, accessible only to authorized users, and therefore did not include authentication by default.
This proved problematic. Although a UPnP Security standard was later introduced, adoption has been limited due to “cumbersome user experience” and lack of industry support for advanced features like Public Key Infrastructure.
As CERT explains, “Poor adoption of the security standard opens opportunities for attackers with private network access to guess UPnP Control URLs. If successful, they could use UPnP to modify router configurations, open ports, or enable services that grant further network access.”
Many manufacturers use standardized UPnP Control URL names, making a correct guess more likely. Successful attacks could open firewall ports and execute administrative commands on routers.
History of UPnP issues
This is not the first time UPnP has caused security concerns. In 2013, a study of 80 million UPnP-enabled devices revealed that up to 50 million were vulnerable to various attacks, highlighting inherent security shortcomings.
Mitigation strategies
Currently, no complete fix exists. Workarounds include disabling UPnP entirely unless it is absolutely needed and randomizing UPnP UUIDs and URLs where possible.
Because home routers are sometimes used in small business or home office setups, it’s important to address these vulnerabilities and apply the recommended mitigations.
A list of affected devices can be found here. It is also advisable to use additional protection tools, such as ImgConverter Small Office Security, to secure your network against potential attacks.