Recommended Posts

As of recently it has been discovered that most routers expose UPnP to the outside world, which is not good at all. This allows attackers "from the internet" to open ports in your routers.

It is recommended you DISABLE UPnP in your router. Below is a test to see if your router is vulnerable. Steve Gibson, the creator of the very popular "Shields-up" which scans your IP for open ports in your router has recently added a test for the upnp vulnerability. Simply click the link then click the "proceed" button. You will then see a button for the UPnP test. Good luck!

The Test

https://www.grc.com/x/ne.dll?bh0bkyd2

  On 03/02/2013 at 18:08, warwagon said:

It is recommended you DISABLE UPnP in your router.

No; It is recommened that you get a good router. I have UPnP on my router enabled and

  Quote

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

So either I have a good router or the test sucks.

  On 03/02/2013 at 18:20, Detection said:

I have uPnP enabled but still fine (Expected as much with DD-WRT though)

Capture.PNG

Correct this is a route test, not a computer test.

It's only recommended to disable UPnP on your routers if they don't pass that test, which means they are exposing you to the outer world.

Just passed the test on three touters with UPnP enabled. Two of them are running DD-WRT.

post-203976-0-34939600-1359915937.png

I disable it anyway. The fact that UPnP, by design, lets any application communicate with the router and open ports should make any security conscious user uneasy.

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

Why would you disable uPnP anyways? It allows internal hosts to dynamically open ports like XBL or PSN for gaming and voice. Without it you'd have to manually open every single port those services and similar ones use. Just keep your internal hosts clean.

  On 04/02/2013 at 08:12, trek said:

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

Why would you disable uPnP anyways? It allows internal hosts to dynamically open ports like XBL or PSN for gaming and voice. Without it you'd have to manually open every single port those services and similar ones use. Just keep your internal hosts clean.

Yeah I agree with keeping uPnP enabled also.

I ran many different servers over the years, long time ago now, so I had many ports opened for access, and that site's port tests always showed me as being safe and secure.

All depends on what type of security you're running on your computers.

There should be no issue with running UPnP/NAT-PMP on your router if it's properly configured, I knew mine would pass this test from the start since it exposes it's configuration in a good manner (It only allows hosts on the 192.168/16 subnet to create a forwarding rule, and said rule has to point at the host that requested it, otherwise it's rejected), and shows what ports are forwarded on what protocol.

Never mind the fact that the firewall should reject outside communication before it even gets to the UPnP/NAT-PMP daemon anyway, if it isn't being blocked you have bigger issues.

"Without it you'd have to manually open every single port those services and similar ones use."

So -- your talking a handful of ports at most.. UPnP is to allow unsolicted inbound traffic to get through your nat router. Traffic initiated by you, or in answer to your traffic is allowed.

Most people have no use of UPnP, it has been a nightmare since it was created -- who in their right mind thought, hey lets allow ports to be opened on your gateway/firewall without any sort of auth at all!!

And no UPnP should not be reachable via your public IP that is for damn sure.

  On 03/02/2013 at 18:32, warwagon said:

I disable it anyway. The fact that UPnP, by design, lets any application communicate with the router and open ports should make any security conscious user uneasy.

If you trust what's in your network and have the routers firewall up I don't see how it could.

^ the point is UPnP can remove your firewall settings. Without even a nod to you that its doing so, nor any sort of auth method to allow it.

There really needs to be some form of notification and auth to the mechanism - and then sure it would be a valid tool in opening firewall ports for the masses.

  On 04/02/2013 at 08:12, trek said:

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

Why would you disable uPnP anyways? It allows internal hosts to dynamically open ports like XBL or PSN for gaming and voice. Without it you'd have to manually open every single port those services and similar ones use. Just keep your internal hosts clean.

It would allow any malicious program to actively contact your router, open whatever ports it wants, and then transmit data through those ports all without your knowledge.... pretty big security hole if you ask me.

  On 04/02/2013 at 14:14, BeLGaRaTh said:

Steve Gibson, the person who creates the most FUD on the internet with his crazy rants and observations!!!

I'm not going to argue that the fact that he is crazy, which he probably is, but he is also very smart. And Facts do not = FUD.

Are you up to date on this UPnP issue? The typical way UPnP works is, an active program on one of the systems on your network will contact the router and open ports for whatever program/service to pass data through. Sounds ok right, well there is an exploit on a TON of routers that allows that request to be made from the OUTSIDE over the WAN, so if you have one of these affected routers, anyone outside your network, can open up ports into your network using a little bit of packet "magic". It's a pretty big deal.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • UK considers forcing Google to add competitor search options by David Uzondu Regulators are not playing around with Google this year. Just this April, we saw Japan take formal action against the company over Android phones, accusing the tech giant of forcing manufacturers to preinstall its search and browser apps. Now, the United Kingdom's antitrust watchdog is adding to the pressure with its own set of demands that could significantly alter how people use Google's products. The UK's Competition and Markets Authority, or CMA, wants to let users in the UK decide for themselves which search engine to use. This would come in the form of so-called "choice screens" that would appear when someone uses the Chrome browser or an Android device for the first time. In practice, this means offering a menu of different search providers, potentially even including AI assistants like ChatGPT, giving people a real opportunity to switch away from Google's default setting. To make this happen, the watchdog plans to slap Google with a special "strategic market status" designation, which means the agency gets new powers to impose very specific changes on how Google operates. The CMA is proposing this under new digital market rules designed specifically to rein in the power of large tech companies. A final decision on whether to officially give Google this label is expected by October 13. This fight over search and browser defaults is arguably more intense back home in the US, where the company is facing the possibility of having to sell off Chrome entirely after a landmark court ruling on monopoly grounds. You can bet OpenAI is very interested in that outcome, as its executives have said they would consider buying the browser if Google were ever forced to part with it. The CMA also has a few other changes in mind if its new status for Google goes through. The agency wants to ensure the company's search rankings are fair and do not unfairly penalize rivals. It also wants to give news publishers more transparency and control over how Google uses their articles and other content to train its AI models and generate those AI summaries you now see at the top of search results. Finally, the CMA is pushing for rules that would let people easily transfer their personal data, like their entire search history, to another company if they choose. According to AP News, Google sees the CMA's announcement as presenting "clear challenges" to its business in the UK. Oliver Bethell, a competition director at the company, also hinted that such strict regulations could even lead Google to delay the release of new products and features in the UK.
    • The Tick Tock of development, Hire, Fire, Rehire, Fire. Keeps the wages low and allows contract changes. I expect with AI here that will replace a tone of R&D with things like art concepts. Coding also will take a hit when the human will be the AI code checker and prompt basher. Instead of 100 programmers you can just have 2 overlooking generated code and tweaking if needed.
    • That will be an interesting comparison. My guess is that the B580 will be the more powerful card, but due to less mature game support, may be slower in some titles. Right now, the B580 is a great budget option, but when it is the same price as the RTX 5050, I suspect many users will opt for the NVidia option if it is their choice. However, a lot of OEM systems are using the B580, so users who barely understand what a dGPU is, are probably going to be using the B580.
    • Google Earth is now 20 years old, brings historical Street View imagery by Aditya Tiwari Google is no longer a young company, and many of its products have been in existence for over two decades. Its "not an April Fools joke" email service turned 21 earlier this year, and now, Google Earth is celebrating its 20th birthday. The search giant announced that Google Earth is getting historical Street View imagery to celebrate the milestone. "Now, you can access historical Street View imagery right from Google Earth — and if you use Google Earth in a professional capacity, you can easily access new datasets, like tree canopy coverage for cities, land temperatures and more," Google said in a blog post. Google Earth is well-known for offering many internet users an interactive bird's-eye view of the world at a time when mapping apps weren't as advanced. It was launched in June 2005 and features 3D buildings across major US cities, integrated local search, and 3D terrains showing mountains, valleys, and canyons around the world. Users could activate, tilt, and rotate 3D terrain for a different perspective of a location. It was an instant hit after launch, with over 100 million downloads in its first week. Just months later, Google worked with the National Oceanic and Atmospheric Administration (NOAA) to make updated imagery available to first responders battling Hurricane Katrina. However, the tech that powers Google Earth is a bit older than that. It was initially developed as Earth Viewer by Keyhole Inc., which Google acquired in 2004 and later rebranded. Now accessible via web browsers and mobile apps, Google Earth was initially available as free-to-download desktop software for Windows, Mac, and Linux. The company also offered Google Earth Pro for $399 per year, but it was later made available for free. Google Earth in 2005 Google Earth differs from Google Maps, which also debuted in 2005. While Google Earth is more focused on exploration and research, its sibling is inclined towards finding real-time information and navigation. Google Earth is known for the flying animation that appears when you go from one place to another. Not just the Earth's surface, you can also explore the ocean floor, the Moon, and Mars (via desktop app). The virtual globe app has been used to discover a rare type of coral reef off the west coast of Australia, often referred to as "the rainforest of the sea." The 2016 movie Lion told the story of a man who used Google Earth to reunite with his mother 25 years after he got separated from his family. Google Earth has seen several new features over the past two decades, including VR support, distance measuring support, the ability to create virtual tours, and Timelapse. In 2017, the 'new Google Earth' added the "I'm Feeling Lucky" button and a discovery-focused feature called Voyager. Another redesign introduced in 2023 allows professionals to evaluate building and solar design options. A feature introduced last year allows users to view historical aerial imagery of places dating back up to 80 years.
  • Recent Achievements

    • Week One Done
      Sharon dixon earned a badge
      Week One Done
    • Dedicated
      Parallax Abstraction earned a badge
      Dedicated
    • First Post
      956400 earned a badge
      First Post
    • Week One Done
      davidfegan earned a badge
      Week One Done
    • First Post
      Ainajohn earned a badge
      First Post
  • Popular Contributors

    1. 1
      +primortal
      595
    2. 2
      ATLien_0
      223
    3. 3
      Michael Scrip
      169
    4. 4
      +FloatingFatMan
      151
    5. 5
      Som
      136
  • Tell a friend

    Love Neowin? Tell a friend!