undefined | Better HN

0 pointseternityforest4y ago0 comments

Programmers need to stop trying to kill UPnP.

The buggy firmware that allowed control from outside had nothing to do with UPnP, it was... just buggy firmware implementing it wrong. And it can be easily detected with online testers.

I always leave UPnP on, and I've never seen it disabled by default, nor would I ever want them to do that.

When the router does it right, it's just a small extra convenience for malware that can only be used when they already compromised your system. If they are in your network already, they can already do whatever they want.

0 comments

cassianoleal4y ago

* Scenario 1:

Malware running on your network requests port over UPnP. Router accepts it. Hacker has direct inbound access to code they control.

* Scenario 2:

Malware running on your network requests port over UPnP. Router denies it (UPnP is disabled). Malware doesn't know how to open a reverse tunnel. No inbound access.

* Scenario 3:

Same as 2, but malware sets up reverse tunnel. Hacker is in.

* Scenario 4:

Buggy and/or sloppy firmware that's not otherwise malicious requests port over UPnP even though it doesn't need to receive connections from the Internet. Router allows it. Hackers know about this slop and other CVEs on device. Network compromised.

* Scenario 5:

Same firmware from 4, but this time UPnP is disabled on router. It's safe to say this non-malicious firmware doesn't set up a reverse tunnel. No inbound access.

This is obviously a very simple threat model but from here you can see that 2 out of 5 attack scenarios would have been prevented by disabling UPnP on the router.

IshKebab4y ago

> Malware doesn't know how to open a reverse tunnel.

So this is useful if malware authors are just incredibly dumb?

Unconvincing. The only reason to disable UPnP seems to be "it might be really buggy" but that's true of all software and we don't disable all software. Yes, security in depth but that's taking it to a ridiculous extreme.

GekkePrutser4y ago

No, the malware authors just target the least secure userbase. Because there's plenty of them to exploit. Why put in the extra work if you have plenty of weak targets?

Physical security works the same way. The point is to have better locks on your bike than the one beside it.

And opening ports reduces the need for central infrastructure for the malware makers, which leads to less chance of being discovered (no money trails etc).

PS Speaking of run of the mill malware/ransomware here obviously. If you get targeted by state actors you can kiss your ass goodbye either way :)

tjoff4y ago

No, it's insanely useful in the vast majority of cases.

By many many orders of magnitude the most common scenarios are 4 and 5.

This is not a ridiculous extreme. It is the easiest and most effective thing you could do.

OldTimeCoffee4y ago

It's disabled on all AT&T Residential Gateways and can't be enabled, you have to use port forwarding or put another router behind it using IP Passthrough. It's also disabled by default on EdgeRouters and can only be enabled in the ConfigTree or CLI. On UniFi it's disabled, but can be enabled in the GUI.

It's a convenience over control item. Most things do NAT traversal pretty well anyway, UPnP IGD has run it's course at this point. PCP is better in every way, push for that instead.

DanAtC4y ago

How is PCP any better? It would allow malware to open ports just the same.

OldTimeCoffee4y ago

I don't think that's really a problem you can solve regardless. A STUN server would make most NAT irrelevant anyway. Most firewalls are setup to allow established connections, so you just need to create an outbound connection to allow the inbound. You can basically use the same techniques as SIP/RTP when they do NAT traversal.

PCP is better than UPnP IGD, most importantly because it time limits the opening so port reuse is easier. I wouldn't use either in practice. I wouldn't suggest NAT-PMP either. I wouldn't use port forwarding if I could avoid it as well. I'd use destination NAT with a source IP range I knew in advance so it wouldn't show as easily in port scans. Someone is likely to tell me why that's a terrible idea, but it's my (current) preferred method.

willis9364y ago

Doesn't seem worth it.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=UPnP

tjoff4y ago

No need. UPnP is already dead.

Edit: and to add on that, programmers are the absolutely only people on earth that wish it wasn't dead.

j / k navigate · click thread line to collapse

0 comments

cassianoleal4y ago

* Scenario 1:

Malware running on your network requests port over UPnP. Router accepts it. Hacker has direct inbound access to code they control.

* Scenario 2:

Malware running on your network requests port over UPnP. Router denies it (UPnP is disabled). Malware doesn't know how to open a reverse tunnel. No inbound access.

* Scenario 3:

Same as 2, but malware sets up reverse tunnel. Hacker is in.

* Scenario 4:

* Scenario 5:

Same firmware from 4, but this time UPnP is disabled on router. It's safe to say this non-malicious firmware doesn't set up a reverse tunnel. No inbound access.

This is obviously a very simple threat model but from here you can see that 2 out of 5 attack scenarios would have been prevented by disabling UPnP on the router.

IshKebab4y ago

> Malware doesn't know how to open a reverse tunnel.

So this is useful if malware authors are just incredibly dumb?

GekkePrutser4y ago

No, the malware authors just target the least secure userbase. Because there's plenty of them to exploit. Why put in the extra work if you have plenty of weak targets?

Physical security works the same way. The point is to have better locks on your bike than the one beside it.

And opening ports reduces the need for central infrastructure for the malware makers, which leads to less chance of being discovered (no money trails etc).

PS Speaking of run of the mill malware/ransomware here obviously. If you get targeted by state actors you can kiss your ass goodbye either way :)

tjoff4y ago

No, it's insanely useful in the vast majority of cases.

By many many orders of magnitude the most common scenarios are 4 and 5.

This is not a ridiculous extreme. It is the easiest and most effective thing you could do.

OldTimeCoffee4y ago

It's a convenience over control item. Most things do NAT traversal pretty well anyway, UPnP IGD has run it's course at this point. PCP is better in every way, push for that instead.

DanAtC4y ago

How is PCP any better? It would allow malware to open ports just the same.

OldTimeCoffee4y ago

willis9364y ago

Doesn't seem worth it.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=UPnP

tjoff4y ago

No need. UPnP is already dead.

Edit: and to add on that, programmers are the absolutely only people on earth that wish it wasn't dead.

j / k navigate · click thread line to collapse