GRC's | ShieldsUP! — UPnP Exposure Test

This equipment is not fully “stealthful” inasmuch as it did respond to our probing. Thus hackers will know that some equipment exists at this IPv4 address—though they will have no idea what it is, and they will be unable to attack it though UPnP SSDP subversion because it is proactively replying that there is no active service available at its UDP port 1900.

There is no question whether hackers are, in fact, currently sweeping the Internet for the presence of exposed and vulnerable consumer Internet routers in order to gain access to the private networks residing behind them. Just such hacking packets are now being detected across the Internet. Scanning is underway and the threat is real.

Whenever changes are made to your network configuration, whenever you update your router's firmware, and also from time to time just to be sure, you should consider re-running this quick test to confirm that your Internet-facing equipment is continuing to ignore all attempts at its subversion though the Universal Plug n'Play (UPnP) protocols.

Positive results seen

This page has reported a growing number of positive “exposed” results.

The count is incremented only once per router IP address, regardless of the number of times the test is performed on an exposed router. Although we do not log the IP addresses of the results, we maintain an “MRU” (most recently used) list in RAM to prevent multiple counts per router.

What results are possible?

It's natural to wonder what other results might have been shown if your Internet equipment were different. So to satisfy that curiosity, here are three sample screens showing each of this test's three possible outcomes:

A sample “Exposed” result
A sample “Rejected” result
A sample “No Response” result

About UPnP and what this means

Here's what you need to know about Universal Plug n' Play (UPnP):

UPnP has been provided and enabled by default in consumer Internet routers since 2002 or 2003.
Today, any home appliance — TV's, DVD players, game consoles, IP cameras, printers, fax machines, and you-name-it, includes support for UPnP.
UPnP is a “zero-authentication” (no passwords required) system for allowing networked devices to discover and easily connect with each other on a private local network.
Additionally, software such as Skype and BitTorrent, and gaming consoles, which wish to be “seen” on the Internet, are able to use UPnP to open “holes” through the protection normally provided by routers in order to allow “unsolicited” traffic to enter.
THE HUGE MISTAKE IS: No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only ever meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network. It was a huge mistake for it ever to be exposed. Router manufacturers are at fault, but all they can do now is offer updated router firmware. Now that the mistake has been made, responsibility rests upon router owners to somehow eliminate that exposure.

Additional resources

The Security Now! podcast episode (#389) which immediately preceded the addition of this UPnP exposure testing facility, is available as a video on YouTube, or as downloadable high or low bandwidth audio. During that presentation, I explain to Leo and the podcast audience exactly what HD Moore and Rapid7 discovered during their comprehensive scanning the Internet during the second half of 2012, and I explain what it means for those whose Internet routers are exposing this privileged management interface:

Security Now! Episode #389:

YouTube Video

64kbps MP3 Audio

16kbps MP3 Audio

Video starts at 0:09:44

HD Moore's 28-page UPnP exposure research paper (1.1MB PDF)
Daniel Garcia's 7-page DEFCON 19 presentation about UPnP exposures (253KB PDF)
The www.upnp-hacks.org web site has good, readable background information about UPnP “dumbness”.
A good non-panicky UPnP Info Q&A by Daniel Garcia about the UPnP situation
The “H” Security site provides a nice 3rd-party summary of HD Moore's findings.