dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
6898
share rss forum feed


Cabal
Premium
join:2007-01-21
Reviews:
·Suddenlink

3 recommendations

Security Flaws in Universal Plug-n-Play: Unplug, Don't Play



Full story: »community.rapid7.com/community/i···ont-play
--
If you can't open it, you don't own it.



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24

3 recommendations

»www.grc.com/unpnp/unpnp.htm. Been using this for years.



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

3 recommendations

reply to Cabal

UPnP has been disabled for years in services.msc. I've never had a problem with a device failing to work.



norwegian
Premium
join:2005-02-15
Outback

2 recommendations

Also turned off in any router too - some ship with it on by default.



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

1 recommendation

Yep. I think it's on by default in pretty much every router. The funny thing is, I can't think of a reason why it should even be there.
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to Cabal

This borrows heavily on what you already posted.

Researchers Find Serious Security Flaws in Universal Plug and Play

• »www.wired.com/threatlevel/2013/0···y-flaws/

»twitter.com/KimZetter/status/296···95177728



DigitalXeron
There is a lack of sanity

join:2003-12-17
Hamilton, ON

1 recommendation

reply to Juggernaut

said by Juggernaut:

Yep. I think it's on by default in pretty much every router. The funny thing is, I can't think of a reason why it should even be there.

In large, end users can be lazy at times and UPnP facilitates that laziness as people don't have to configure their NAT routers to have a new program.

Allegedly it's supposed to be so applications like games and whatnot can automatically set up port forwarding. Unfortunately some program vendors set their programs up to dynamically allocate ports, rather than statically set them so you can set up the port forwarding once manually and leave it.
--
--Kradorex Xeron
[an error occurred while processing this signature]


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

I see. I'm not a gamer, so it's something I've not encountered. Thanks.



services

@anonymouse.org
reply to Juggernaut

said by Juggernaut:

Yep. I think it's on by default in pretty much every router. The funny thing is, I can't think of a reason why it should even be there.

I think its so people using certain services can get out to the net, like torrent or a game or program instead of having to set port forwarding. Portforward = port always open, upnp only opens the port when you launch an app. Correct me if im wrong, if I am I will also disable it on my router and see how it plays on the net with my apps!

Side note , if i remember correctly some mobos even have upnp in the bios, do you disable that too?


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

Of course, as I build my own boxes. I set up my mobo's by hand to tweak the performance, and eliminate this kind of stuff.


OZO
Premium
join:2003-01-17
kudos:2
reply to Juggernaut

said by Juggernaut:

The funny thing is, I can't think of a reason why it should even be there.

What is even funnier - I'm using it for the last decade and never had any security problem with it

As with everything in this life there is a danger and there is a usefulness. Knife is an example. I'm sure that many. many people cut their fingers with knives every day. Nevertheless, they still use it... I think the same is true about UPnP. Take your time and get a knowledge how to use it safely and then ... use it safely
--
Keep it simple, it'll become complex by itself...


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

Bud, as I've stated, I've never needed it with any prog or device yet. And, I do practice safe hex.


OZO
Premium
join:2003-01-17
kudos:2

Good. I do the same.

Example of just two usages:
* dynamic port assignment - torrent app. New (random) port is forwarded on the router every time it starts. Port is immediately closed when it's done.
* almost static port assignment (I may change it time to time) - SIP server, FreeSWITCH. Achieved convenience is - I change it in one place (SIP server's configuration) only.

Again, IT life is not simple like black and white. It may bring you benefits and desired automation, but one has to learn how to use it safely (because there are always people, who want to exploit everything at their disposal against gullible and naive). Another controversial for some example - I use actively ActiveX without security problems. Or, JavaScript is always on, whatever site I visit (Flash, on the other hand, can be started on my demand only and BTW, on all my computers its elevated privileges are removed, search this forum for my posts how to do it). And at the same time, I don't run any AV products all the time. I simply don't need them, because I do what you're doing -- practice safe hex

The main problem INHO sits on a chair and clicks on any links or buttons it sees...
--
Keep it simple, it'll become complex by itself...



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

The 'Zombie Surfer'! *Gasp*



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
reply to Juggernaut

I ran the scan myself, I just inputted junk data into the program and it accepted it.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Cabal

Haven't used what could be classed as a "home router" in a long time... what's UPNP? [/sarcasm]

Good read otherwise.

Regards


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Cabal

Their application to determine if you have these "flaws" requires full name, physical address, phone number, email address etc. in order to "register" your free program. You cannot use the "free" program until you cough up the personal information.

So, I deleted the program. Why didn't you warn us? I would not have downloaded this crap if you had warned us!

I had to enable UPnP in my router many years ago. It is still enabled and will remain so.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to Cabal

Is there a remote test to determine if your Upnp implementation is vulnerable?

Everything posted so far here requires installing test software on a windows PC. None of them run on Mac. I have an airport extreme (Time Capsule) router and run Upnp for Vonage and for back to my Mac.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

4 edits

I'm not seeing any Apple products, the ABES, TC, etc on any of the hardware lists unless I am missing something. I'm assuming because Apple uses NAT-PMP.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
reply to Mele20

For the registration, as mentioned previously you can enter anything in there. I just put x x x x x on down.



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to skeechan

said by skeechan:

I'm not seeing any Apple products, the ABES, TC, etc on any of the hardware lists unless I am missing something.

Thanks. What hardware vulnerability "lists" are you referring to?


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

The ones linked to in the whitepaper.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to skeechan

Click for full size
said by skeechan:

For the registration, as mentioned previously you can enter anything in there. I just put x x x x x on down.

I didn't think it would allow xxxxx. Thanks.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

2 recommendations

reply to jaykaykay

said by jaykaykay:

»www.grc.com/unpnp/unpnp.htm. Been using this for years.

decades almost
--
* seek help if having trouble coping
--Standard disclaimers apply.--


norwegian
Premium
join:2005-02-15
Outback
reply to TamaraB

said by TamaraB:

Is there a remote test to determine if your Upnp implementation is vulnerable?

To be quite honest I didn't run the tool - why would you download, install or run a program, it basically voids any test - if it was a web based probe I would understand, but install internal to the network defeats the test, unless I miss something here?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

1 recommendation

said by norwegian:

To be quite honest I didn't run the tool - why would you download, install or run a program, it basically voids any test - if it was a web based probe I would understand, but install internal to the network defeats the test, unless I miss something here?

No, you didn't miss anything. The only way to know for sure if your router's UpNp implementation is accessible from the Internet is to probe it from the Internet.

--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

US Government Warns of Hack Threat to Network Gear

CERT in turn has tried to contact the more than 200 companies whose products Rapid7 have identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Belkin, D-Link and Netgear did not respond to requests for comment.

»www.voanews.com/content/network-···376.html



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to jaykaykay

said by jaykaykay:

»www.grc.com/unpnp/unpnp.htm. Been using this for years.

Kicking the tires now


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

said by siljaline:

Kicking the tires now

You are kicking the tires from inside the car though. How do you know for sure you are protected from the outside? Only kicking the tires from the outside can tell you for sure. I have yet to see a test to do that.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to TamaraB


Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.