Is port forwarding secure or unsecure

Is UPnP a Security Risk?

UPnP is enabled by default on many new routers. At one point, the FBI and other security experts recommended disabling UPnP for security reasons. But how safe is UPnP today? Are we safely acting to make UPnP easier to use?

UPnP stands for “Universal Plug and Play.” With UPnP, an application can automatically forward a port on your router, saving you the hassle of manually forwarding ports. We're going to look at the reasons users recommend disabling UPnP so we can get a clear picture of the security risks.

Photo credit: comedy_nose on Flickr

Malware on your network can use UPnP

A virus, trojan, worm, or other malicious virus program that can infect a computer on your local network can use UPnP, just like legitimate programs. While a router typically blocks incoming connections, preventing malicious access, UPnP can allow a malicious program to bypass the firewall entirely. For example, a Trojan could install a remote control program on your computer and open a hole in your router's firewall so that you can access your computer from the Internet around the clock. If UPnP were disabled, the program would not be able to open the port, although it could bypass the firewall in some other way and call home.

Is this a problem? Yes. There is no getting around it - UPnP assumes that local programs are trustworthy and can forward ports. If malware is unable to forward ports, you should disable UPnP.

The FBI told people to turn off UPnP

Towards the end of 2001, the FBI national Infrastructure Protection Center was advised all users to disable UPnP because of a buffer overflow in Windows XP. This bug has been fixed by a security patch. The NIPC actually corrected this advice later after determining that the problem was not within UPnP itself. (Source)

Is this a problem? No. Some people may remember the NIPC, and this advice was incorrect at the time and was fixed in a patch for Windows XP over a decade ago.

Photo credit: Carsten Lorentzen on Flickr

The Flash UPnP attack

UPnP does not require authentication from the user. Any application running on your computer can ask the router to forward a port over UPnP. Because of this, the above malware can abuse UPnP. You can rest assured that as long as malware is not running on local devices, you are safe. You are probably wrong, however.

The Flash UPnP attack was discovered in 2008. A specially crafted Flash applet that runs on a web page in your web browser can send a UPnP request to your router and ask it to forward ports. For example, the applet could ask the router to forward ports 1-65535 to your computer, effectively exposing it to the entire Internet. However, the attacker had to exploit a vulnerability in a network service running on your computer. Using a firewall on your computer will help protect your computer.

Unfortunately, it gets worse - on some routers aThe Flash applet can change the primary DNS server with a UPnP request. Port forwarding is the least of your concerns - a malicious DNS server can redirect traffic to other websites. For example, Facebook.com could point entirely to a different IP address - you will see Facebook.com in the address bar of your web browser, but you are using a website that was set up by a malicious organization.

Is this a problem? Yes. I can't find any indication that this was ever fixed. Even if this were fixed (it would be difficult to do as it is a problem with the UPnP protocol itself), many older routers that are still in use would be vulnerable.

Incorrect UPnP implementations on routers

The UPnP Hacks website has a detailed list of security issues in the way various routers implement UPnP. These are not necessarily problems with UPnP itself. Problems often arise with UPnP implementations. For example, many routers' UPnP implementations do not properly validate input. A malicious application might ask a router to redirect the network to remote IP addresses on the Internet (rather than local IP addresses) and the router complies with the request. On some Linux-based routers, UPnP can be used to execute commands on the router. (Source) The website lists many other such problems.

Is this a problem? Yes! Millions of routers in the wild are vulnerable. Many router manufacturers haven't secured their UPnP implementations well.

Photo credit: Ben Mason on Flickr

Should you disable UPnP?

When I first started writing this post, I was expecting to conclude that UPnP's shortcomings were rather minor, which is simply to swap a bit of security to make this easier. Unfortunately, UPnP seems to have a lot of problems. If you are not using any application that requires port forwarding, such as For example, peer-to-peer applications, game servers, and many VoIP programs, you may want to disable UPnP entirely. Frequent users of these applications should consider whether they are willing to forego security for the sake of convenience. You can still forward ports without UPnP. It's just a little more work. Read our guide to port forwarding.

On the other hand, these routers are not flaws, the chances of encountering malicious software that exploit flaws in your router's UPnP implementation are relatively small. Some malware programs use UPnP to forward ports (e.g. the Conficker worm), but I haven't found any example of malware that exploits these router bugs.

How do I disable it? If your router supports UPnP, you will find an option to disable it in the web interface. Refer to your router's manual for more information.


Disagree with UPnP's security? Leave a comment!