UPnP - What Is It, And Why All The Fuss?

UPnP is getting a lot of (bad) press over the last few days, culminating in a warning issued by CERT (a Big Deal in the security world). Simply put, UPnP (Universal Plug n Play) is a convenience feature that makes it much easier to get networked devices to play nice with each other - when you plug a UPnP enabled printer into your home network, you can add it to your computer with minimal fuss and getting an X-Box or Wii to work online is much simpler, indeed almost automatic, thanks to this technology.


However, researchers have found, rather alarmingly, that devices with UPnP enabled may also be exposed to the the Internet in such a way that hackers could disabled them, screw them up - or worse, take them over for nefarious means. There are a LOT of these types of devices, and the researcher found a lot more exposure than they expected, so it has become a Big Deal.

What to do? Well, many of the older devices probably likely won't even be patched, and most consumers aren't comfortable mucking around with firmware updates for home routers and the like anyway. The best thing in most cases is to just turn off UPnP for now - assuming you can figure out how to. Doing so should not "break" whatever connections or configurations are currently working - it may just make a little harder setting up device XYZ in the future (until the manufacturers fix this flaw and we can all enable the feature again).

Rapid7, the folks who originally discovered this issue, have some more information on their site, and a scanning tool you can use to detect UPnP issues:

Router Security Check  This checks your home network from outside, to see if any devices are exposed; if not, you should be okay. Otherwise dig out the manual or call your Internet Service Provider to help you disable UPnP for now.

No comments :