Broadband Tech > Security > Security > Security Flaws in Universal Plug-n-Play: Unplug, Don't Play

Security Flaws in Universal Plug-n-Play: Unplug, Don't Play

»www.grc.com/unpnp/unpnp.htm. Been using this for years.

reply to Cabal
UPnP has been disabled for years in services.msc. I've never had a problem with a device failing to work.

Also turned off in any router too - some ship with it on by default.

Yep. I think it's on by default in pretty much every router. The funny thing is, I can't think of a reason why it should even be there.
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein

reply to Cabal
This borrows heavily on what you already posted.

Researchers Find Serious Security Flaws in Universal Plug and Play

• »www.wired.com/threatlevel/2013/0···y-flaws/

»twitter.com/KimZetter/status/296···95177728

reply to Juggernaut

I see. I'm not a gamer, so it's something I've not encountered. Thanks.

reply to Juggernaut

Of course, as I build my own boxes. I set up my mobo's by hand to tweak the performance, and eliminate this kind of stuff.

reply to Juggernaut

Bud, as I've stated, I've never needed it with any prog or device yet. And, I do practice safe hex.

Good. I do the same.

Example of just two usages:
* dynamic port assignment - torrent app. New (random) port is forwarded on the router every time it starts. Port is immediately closed when it's done.
* almost static port assignment (I may change it time to time) - SIP server, FreeSWITCH. Achieved convenience is - I change it in one place (SIP server's configuration) only.

Again, IT life is not simple like black and white. It may bring you benefits and desired automation, but one has to learn how to use it safely (because there are always people, who want to exploit everything at their disposal against gullible and naive). Another controversial for some example - I use actively ActiveX without security problems. Or, JavaScript is always on, whatever site I visit (Flash, on the other hand, can be started on my demand only and BTW, on all my computers its elevated privileges are removed, search this forum for my posts how to do it). And at the same time, I don't run any AV products all the time. I simply don't need them, because I do what you're doing -- practice safe hex

The main problem INHO sits on a chair and clicks on any links or buttons it sees...
--
Keep it simple, it'll become complex by itself...

The 'Zombie Surfer'! *Gasp*

reply to Juggernaut
I ran the scan myself, I just inputted junk data into the program and it accepted it.

reply to Cabal
Haven't used what could be classed as a "home router" in a long time... what's UPNP? [/sarcasm]

Good read otherwise.

Regards

reply to Cabal
Their application to determine if you have these "flaws" requires full name, physical address, phone number, email address etc. in order to "register" your free program. You cannot use the "free" program until you cough up the personal information.

So, I deleted the program. Why didn't you warn us? I would not have downloaded this crap if you had warned us!

I had to enable UPnP in my router many years ago. It is still enabled and will remain so.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

reply to Cabal
Is there a remote test to determine if your Upnp implementation is vulnerable?

Everything posted so far here requires installing test software on a windows PC. None of them run on Mac. I have an airport extreme (Time Capsule) router and run Upnp for Vonage and for back to my Mac.

I'm not seeing any Apple products, the ABES, TC, etc on any of the hardware lists unless I am missing something. I'm assuming because Apple uses NAT-PMP.

reply to Mele20
For the registration, as mentioned previously you can enter anything in there. I just put x x x x x on down.