Some Older Linksys Routers allow UPnP Configurable from the net


Recommended Posts

Some Older Linksys Routers allow UPnP Configurable from

update the firmware or disable UPnP immediately!

  Quote

Routers from various manufacturers support UPnP (Universal Plug and Play) on their WAN interfaces, which apparently makes it possible for attackers to reconfigure them remotely via the internet and, for example, misuse them as surfing proxies or to infiltrate internal LANs. The problem was discovered by IT security specialist Daniel Garcia, who has developed the Umap tool to demonstrate the problem; the tool is available to download free of charge.

Umap detects UPnP-enabled end devices such as DSL routers and cable modems on the internet by directly retrieving the devices' XML descriptions. The required URLs and ports for some models are hard-coded into the tool. This enables the software to bypass the usual restriction that only allows UPnP to search for compatible hardware via multicast in local networks. Garcia says that entire device series by Edimax, Linksys, Sitecom or Thomson (SpeedTouch) respond to UPnP requests on their WAN interfaces.

Since UPnP isn't designed to include any authentication, the XML description can always be retrieved. Garcia said that, by performing an internet scan, he managed to detect 150,000 potentially vulnerable devices within a short period of time. Once initial contact has been made, the scanner sends such UPnP commands as AddPortMapping or DeletePortMapping to the devices via SOAP requests. LAN devices usually use these commands to access the internet via NAT. However, the devices from the manufacturers in question allow the port to be opened ? and redirected to any other LAN device ? via the WAN interface. Umap attempts to guess the internal IP address that is required to do so.

http://www.h-online.com/security/news/item/UPnP-enabled-routers-allow-attacks-on-LANs-1329727.html

  On 27/08/2011 at 19:43, littleneutrino said:

been disabled for rather some time. :p

Ya but what about the millions of users of Linksys routers that just plug it in and go.

  On 27/08/2011 at 19:46, HawkMan said:

Keeping upnp on because it's convenient, and keeping the firewalls on only computers because there's no reason to not have them on.

And overly sensationalist.

What if you were behind a linksys router, had UPnP and had folder shares setup on your network. Then a guy on the net configures your UPnP to allow folder shares accessible on the net?

  On 27/08/2011 at 19:32, warwagon said:

***WARNING!*** Linksys Routers UPnP is Configurable from the net

disable UPnP immediately!

For some reason this story isn't getting much press. Personally I think this is huge. I had a hard enough time just finding a site that talked about it.

maybe because it's not that big of a deal?

  On 28/08/2011 at 05:07, Ryoken said:

Anyone that has set all their shares to public, is an idiot.

Someone wants to get on my network feel free, you'll get to see that I have shares, but that's it.

The fact a someone on the net can configure your router from the outside and even see your shares should make you feel uneasy. Regardless if they can actually open the shares,

This isn't really a huge deal, because, as it was said before, there are plenty of computers out there not even behind a router. However having your ports open for anyone on the internet isn't a good idea. You could always be caught with a slightly outdated software or exploited with a zero day.

any newb knows not to enable UPnP....</joke>

Joking aside....what a bummer! I mean, I sit behind a netgear router as my primary gateway...a linksys I'm using as a switch...then a linksys I'm using as an access point, with multiple workstations on wifi...even a ps3...and still, don't have to worry about it. Life goes on....(least, for me anyway)

There's probably a large number of people that use Linksys routers with custom firmware. Newer firmware versions have a feature that says "UPnP clients are allowed to add mappings only to their IP". I'd imagine this would protect you from the kind of vulnerability talked about in the article.

Linksys will more than likely fix this in a firmware update. But now many "Average user" upgrade the firmware of their routers?

How many "Average user" also install custom firmware?

So my guess would be we have millions of average users with linksys routers out there that are non the wiser to this issue.

basically what I am getting at is that there are fewer with this issue than you think. Many routers do not enable upnp out of the box....I believe that there are more out there that do not than there are that do. I have run into less than a handful that have had this enabled out of the box. It is the gaming users (xbox, ps3, and possibly the wii users) that have this feature enabled...perhaps being that you have more experiance on the home side than I do in recent years you see different, but I am pretty sure that you have to enable this feature on most or all routers.

  On 29/08/2011 at 20:35, sc302 said:

basically what I am getting at is that there are fewer with this issue than you think. Many routers do not enable upnp out of the box....I believe that there are more out there that do not than there are that do. I have run into less than a handful that have had this enabled out of the box. It is the gaming users (xbox, ps3, and possibly the wii users) that have this feature enabled...perhaps being that you have more experiance on the home side than I do in recent years you see different, but I am pretty sure that you have to enable this feature on most or all routers.

Having to enable it, doesn't that defeat the purpose it was created for? I can see why home user routers would be on by default, and I could also see why business class routers would have it off by default.

  On 29/08/2011 at 20:43, warwagon said:

Having to enable it, doesn't that defeat the purpose it was created for?

how so? disabled for the majority, if you need it you enable it....it is a tick just like wpa is a tick to enable.

  On 29/08/2011 at 20:46, sc302 said:

how so? disabled for the majority, if you need it you enable it.

Ya, but they are Made for the 'Home users" Home users barely know where the address bar is, let alone how to log into their router and enable UPnP :cool:

I don't disagree with. If you need it turned on its a VERY easy thing to do. For the the home user, a not such an east thing to do.

  On 29/08/2011 at 20:48, warwagon said:

Ya, but they are Made for the 'Home users" Home users barely know where the address bar is, let alone how to log into their router and enable UPnP :cool:

very true and that is why you see many routers that have no wireless security and upnp disabled because they kept the defaults.

point being that although it is a flaw, the majority isn't succumed to this flaw being that they don't even know how to get in to it to check it's ip or if it is connected to the internet. the ones who this flaw is subject to are the people who know enough to enable it for whatever reason and should be keeping up on their security and updates.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • who ever thought this looked good needs to rethink their design credentials.....
    • There's a few here upset Kamala Harris never got the Presidency! lol....
    • Yeah, he identified a whole lot of wasteful spending of US taxpayer money. What's wrong with that? Nothing, unless you had your fingers in the pie of course.
    • How to reduce the annoying Liquid Glass effects on iOS 26 by Aditya Tiwari Apple announced Liquid Glass at WWDC 2025 in all of its glory. It's a new glass-inspired design language from the iPhone-maker making its way to most of its software platforms, including iOS 26, iPadOS 26, macOS 26, tvOS 26, and watchOS 26. Apple markets Liquid Glass as a new translucent material that "behaves like glass in the real world. Its color is informed by surrounding content and intelligently adapts between light and dark environments." The Cupertino giant isn't wrong. The new glass-inspired design does bring a fresh coat of paint and some beautiful visuals to the iPhone and other Apple-made devices. However, as the dust from the mega arrival settles, people are starting to realize the current drawbacks of having too much glass on their device. There have been reports of users, including those at Neowin, experiencing readability issues, background separation issues, and trouble focusing on the content displayed on the screen due to its transparent nature. While these are small nuances on Apple's part that can be fixed without much hassle, it's degrading the initial experience of what the company calls its biggest visual upgrade since iOS 7. That said, there are some workarounds built into iOS 26 that will help you tone down the shortcomings. If you're running the iOS 25 Developer Beta 1 on your supported iPhone model, you can follow these steps to make things a little better: Go to the Settings app on your iPhone. Scroll down and tap on Accessibility > Display & Text Size. Next, you'll find two toggle options: Reduce Transparency and Increase Contrast. When you enable the Reduce Transparency toggle button, iOS 26 can "improve contrast by reducing transparency and blurs on some backgrounds to increase legibility." The other toggle, Increase Contrast, does what its name suggests. It can "increase color contrast between app foreground and background colors." Enabling each of these toggle buttons individually or simultaneously will have different effects on your iPhone's user interface. Control Center is being criticized for the extra transparency, making the UI look cluttered and difficult to focus. Here, the Reduce Transparency button adds a darker background to make the Control Center UI elements stand out. Liquid Glass transparency issues are also prevalent in the Notification Center and the navigation controls of various apps. In the image above, see how the text of the navigation buttons has become unreadable or hard to focus on with certain backgrounds. It's challenging to determine what can trigger such behavior, as one can have countless color combinations on their device. In the image below, this is how these buttons look when both Reduce Transparency and Increase Contrast are enabled. It's still a hit or miss depending on what colors you are dealing with. Part of the blame also goes to the fact that iOS 26 is still an early beta, and the change doesn't render as intended every time. You can also notice the difference in the look and feel of the Control Center when reduced transparency is turned on. On a side note, you can add the Reduce Transparency and Increase Contrast buttons in the Control Center for quicker access. That said, let's wait to see what changes Apple will implement as it continues to gather feedback through the beta program. Hopefully, the software will become more stable when the first public beta of iOS 26 arrives sometime in July. Interested users can try out the latest iPhone update through the developer beta program, noting that early builds might come with unexpected bugs and issues.
    • Austin residents rally against Tesla's robotaxi launch by Hamid Ganji Tesla's plan to launch its robotaxi service in Austin, Texas, has sparked protests in the city. While the EV maker targets June 22 as the launch date, local residents are raising their voices against the plan due to political disagreements and safety concerns. As reported by CNBC, public safety advocates and political protesters are organizing protests against Tesla's robotaxi launch in Austin. Members of the Dawn Project, Tesla Takedown, and Resist Austin have cited safety issues with Tesla's automated driving systems. Meanwhile, Elon Musk's involvement in Donald Trump's administration and his work in the Department of Government Efficiency (DOGE) has prompted another group of people to join the Austin protests against Tesla. To show Austin citizens the safety problems of Tesla's self-driving system, The Dawn Project brought a Tesla Model Y to the protest, equipped with the company's Full Self-Driving (FSD) software (version 13.2.9). In the demonstration, the Model Y with FSD software reportedly zoomed past a school bus with a stop sign held out and ran over a child-sized mannequin placed in front of the car. The FSD package includes automatic lane-keeping, steering, and parking. It is unclear to what extent this test was conducted under standard conditions or what Tesla's defense is. However, multiple cases of Tesla FSD software malfunction in the past have resulted in collisions or severe accidents, according to data collected by National Highway Traffic Safety Administration. Interestingly, The Dawn Project CEO Dan O'Dowd is the CEO of another company that sells embedded safety and security solutions to carmakers like Ford and Toyota. It remains to be seen whether Tesla could launch a robotaxi service in Austin despite the residents' protests. Earlier this week, Elon Musk demonstrated the new version of Tesla's FSD software in a post on X. Musk's decisions on DOGE fuel public backlash against Tesla. While Musk left the Trump administration after a beef with the president, he's still a target of public criticism, which directly imapcts Tesla. As a result, the slow sales have even caused Tesla to sell its Cybertruck with 0 percent APR to boost sales.
  • Recent Achievements

    • One Month Later
      greege earned a badge
      One Month Later
    • Week One Done
      greege earned a badge
      Week One Done
    • Week One Done
      LagFighterZ earned a badge
      Week One Done
    • First Post
      ThatGuyOnline earned a badge
      First Post
    • One Month Later
      5i3zi1 earned a badge
      One Month Later
  • Popular Contributors

    1. 1
      +primortal
      547
    2. 2
      ATLien_0
      230
    3. 3
      +FloatingFatMan
      166
    4. 4
      Michael Scrip
      119
    5. 5
      +Edouard
      91
  • Tell a friend

    Love Neowin? Tell a friend!