by thanatos519 1614 days ago
What, they can't use UPnP like a good citizen?

Because UPnP is disabled by default on a lot of routers.
Maybe if the network administrator has disabled UPnP that is a hint that they don't want to allow random devices to expose themselves to the entire internet?!
Because it wound up with the sufficient complexity and implementational discohesion as to be broken, existentially insecure, or both: https://computer.rip/2021-11-26-no-u-pnp.html (https://news.ycombinator.com/item?id=29356874)
I don't think upnp is used a lot anymore as it's also really handy for malware makers
Programmers need to stop trying to kill UPnP.

The buggy firmware that allowed control from outside had nothing to do with UPnP, it was... just buggy firmware implementing it wrong. And it can be easily detected with online testers.

I always leave UPnP on, and I've never seen it disabled by default, nor would I ever want them to do that.

When the router does it right, it's just a small extra convenience for malware that can only be used when they already compromised your system. If they are in your network already, they can already do whatever they want.

* Scenario 1:

Malware running on your network requests port over UPnP. Router accepts it. Hacker has direct inbound access to code they control.

* Scenario 2:

Malware running on your network requests port over UPnP. Router denies it (UPnP is disabled). Malware doesn't know how to open a reverse tunnel. No inbound access.

* Scenario 3:

Same as 2, but malware sets up reverse tunnel. Hacker is in.

* Scenario 4:

Buggy and/or sloppy firmware that's not otherwise malicious requests port over UPnP even though it doesn't need to receive connections from the Internet. Router allows it. Hackers know about this slop and other CVEs on device. Network compromised.

* Scenario 5:

Same firmware from 4, but this time UPnP is disabled on router. It's safe to say this non-malicious firmware doesn't set up a reverse tunnel. No inbound access.

This is obviously a very simple threat model but from here you can see that 2 out of 5 attack scenarios would have been prevented by disabling UPnP on the router.
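The scenarios above all turn on one request: a LAN host asking the router's IGD service to map an external port to itself. As an added example (not code from the thread or from any router vendor), the block below builds that AddPortMapping SOAP call, and then does what the "online testers" mentioned earlier do: walks the router's mapping table with GetGenericPortMappingEntry and flags entries pointing at hosts you never meant to expose, or with the IGD v1 lease of 0 (permanent). The control URL is a placeholder; in practice it comes from SSDP discovery and the device description. The router replies it parses are constructed inline, so nothing here touches a network.

```python
"""UPnP IGD (WANIPConnection:1) port-mapping request builder and mapping-table audit."""
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"  # placeholder; obtained via SSDP in practice

SOAP_ENVELOPE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    "<s:Body>{body}</s:Body></s:Envelope>"
)


def soap_request(action, args):
    """Return (headers, body) for an IGD SOAP action; args keeps the spec's argument order."""
    fields = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = f'<u:{action} xmlns:u="{SERVICE}">{fields}</u:{action}>'
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#{action}"',
    }
    return headers, SOAP_ENVELOPE.format(body=body)


def add_port_mapping(ext_port, proto, client, int_port, desc, lease=0):
    """The request any LAN process (legitimate app or malware) sends to open a hole.
    NewLeaseDuration=0 means 'until explicitly deleted' in IGD v1, which is why a
    sloppy device's mapping (scenario 4) outlives any need for it."""
    return soap_request("AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": client,
        "NewEnabled": 1,
        "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease,
    })


def get_mapping_request(index):
    """Read one row of the router's mapping table by index."""
    return soap_request("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace


def parse_mapping_response(xml_text):
    """Return the mapping as a dict, or None if the router answered with a SOAP fault
    (UPnP error 713 SpecifiedArrayIndexInvalid marks the end of the table)."""
    root = ET.fromstring(xml_text)
    if any(_local(e.tag) == "Fault" for e in root.iter()):
        return None
    return {_local(e.tag): (e.text or "") for e in root.iter() if _local(e.tag).startswith("New")}


def list_mappings(fetch):
    """Walk indexes 0, 1, 2, ... until a fault. `fetch` posts (headers, body) to CONTROL_URL
    and returns the response XML; it is injected so the walk can be run offline."""
    out, i = [], 0
    while (m := parse_mapping_response(fetch(get_mapping_request(i)))) is not None:
        out.append(m)
        i += 1
    return out


def audit(mappings, expected_clients):
    """Flag mappings that point at hosts outside the allow-list or never expire."""
    findings = []
    for m in mappings:
        reasons = []
        if m["NewInternalClient"] not in expected_clients:
            reasons.append("unexpected internal host")
        if m["NewLeaseDuration"] == "0":
            reasons.append("permanent mapping")
        if reasons:
            target = f'{m["NewProtocol"]}/{m["NewExternalPort"]} -> {m["NewInternalClient"]}:{m["NewInternalPort"]}'
            findings.append((target, reasons))
    return findings


# Constructed router replies for offline use (not captured from a real device).
SAMPLE_ENTRY = SOAP_ENVELOPE.format(body=(
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>"
    "<NewInternalClient>192.168.1.37</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>camera</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse>"))
SAMPLE_FAULT = SOAP_ENVELOPE.format(body=(
    "<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
    '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
    "</UPnPError></detail></s:Fault>"))

if __name__ == "__main__":
    replies = iter([SAMPLE_ENTRY, SAMPLE_FAULT])
    for target, why in audit(list_mappings(lambda req: next(replies)), {"192.168.1.10"}):
        print(target, "-", ", ".join(why))
```

To run this against a real router, replace the lambda with a function that POSTs the body with the given headers to the discovered control URL and returns the response text; the walk stops on the first fault, which is how the table length is found since IGD v1 has no count action.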

> Malware doesn't know how to open a reverse tunnel.

So this is useful if malware authors are just incredibly dumb?

Unconvincing. The only reason to disable UPnP seems to be "it might be really buggy" but that's true of all software and we don't disable all software. Yes, security in depth but that's taking it to a ridiculous extreme.

No, the malware authors just target the least secure userbase. Because there's plenty of them to exploit. Why put in the extra work if you have plenty of weak targets?

Physical security works the same way. The point is to have better locks on your bike than the one beside it.

And opening ports reduces the need for central infrastructure for the malware makers, which leads to less chance of being discovered (no money trails etc).

PS Speaking of run of the mill malware/ransomware here obviously. If you get targeted by state actors you can kiss your ass goodbye either way :)

No, it's insanely useful in the vast majority of cases.

By many many orders of magnitude the most common scenarios are 4 and 5.

This is not a ridiculous extreme. It is the easiest and most effective thing you could do.

It's disabled on all AT&T Residential Gateways and can't be enabled, you have to use port forwarding or put another router behind it using IP Passthrough. It's also disabled by default on EdgeRouters and can only be enabled in the ConfigTree or CLI. On UniFi it's disabled, but can be enabled in the GUI.

It's a convenience over control item. Most things do NAT traversal pretty well anyway, UPnP IGD has run its course at this point. PCP is better in every way, push for that instead.

How is PCP any better? It would allow malware to open ports just the same.
I don't think that's really a problem you can solve regardless. A STUN server would make most NAT irrelevant anyway. Most firewalls are set up to allow established connections, so you just need to create an outbound connection to allow the inbound. You can basically use the same techniques as SIP/RTP when they do NAT traversal.

PCP is better than UPnP IGD, most importantly because it time limits the opening so port reuse is easier. I wouldn't use either in practice. I wouldn't suggest NAT-PMP either. I wouldn't use port forwarding if I could avoid it as well. I'd use destination NAT with a source IP range I knew in advance so it wouldn't show as easily in port scans. Someone is likely to tell me why that's a terrible idea, but it's my (current) preferred method.
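The time-limited lease that the comment above credits PCP with is a mandatory 32-bit lifetime in every MAP request and response (RFC 6887). The block below is an added example, not code from the thread or from any PCP implementation: it encodes a PCP MAP request, decodes the server's MAP response, enforces the client-side checks the RFC requires (matching nonce, honouring the possibly shortened lifetime the server assigned), and computes when to renew. The server address is assumed to be the default gateway on UDP 5351; the response bytes it decodes are constructed here, so it runs offline.

```python
"""PCP (RFC 6887) MAP request/response codec with lifetime handling."""
import ipaddress
import os
import struct

PCP_VERSION = 2
OPCODE_MAP = 1
PCP_PORT = 5351                # PCP server port; the server is normally the default gateway
RESULT_SUCCESS = 0

# Request header: version, opcode (R bit 0), reserved, lifetime, client IP as IPv6 (v4-mapped).
_REQ_HDR = "!BBHI16s"
# Response header: version, opcode with R bit set, reserved, result code, lifetime, epoch, 12 reserved.
_RESP_HDR = "!BBBBII12x"
# MAP opcode data: 96-bit nonce, protocol, 3 reserved, internal port, external port, external IP.
_MAP_DATA = "!12sB3xHH16s"


def _v6(ip_text):
    """Pack an IPv4 or IPv6 address into the 16-byte IPv4-mapped form PCP uses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip.packed


def _from_v6(packed):
    ip = ipaddress.IPv6Address(packed)
    return str(ip.ipv4_mapped or ip)


def pcp_map_request(client_ip, proto, int_port, ext_port=0, lifetime=7200, nonce=None):
    """Build a MAP request. lifetime=0 deletes the mapping, the opposite of IGD's lease 0.
    ext_port=0 asks the server to pick; the all-zero external IP means 'any'."""
    nonce = nonce or os.urandom(12)
    hdr = struct.pack(_REQ_HDR, PCP_VERSION, OPCODE_MAP, 0, lifetime, _v6(client_ip))
    data = struct.pack(_MAP_DATA, nonce, proto, int_port, ext_port, bytes(16))
    return hdr + data, nonce


def pcp_map_response(data, nonce):
    """Decode a MAP response and validate it against the nonce we sent.
    Returns (result_code, lifetime, external_ip, external_port)."""
    if len(data) < 60:
        raise ValueError("short PCP response")
    version, opcode, _res, result, lifetime, _epoch = struct.unpack(_RESP_HDR, data[:24])
    if version != PCP_VERSION or opcode != (0x80 | OPCODE_MAP):
        raise ValueError("not a PCP MAP response")
    r_nonce, _proto, _int_port, ext_port, ext_ip = struct.unpack(_MAP_DATA, data[24:60])
    if r_nonce != nonce:
        raise ValueError("nonce mismatch: response is for a different (or spoofed) request")
    return result, lifetime, _from_v6(ext_ip), ext_port


def renew_after(lifetime):
    """RFC 6887 has the client renew at roughly half the granted lifetime; a granted
    lifetime of 0 means the mapping is gone and there is nothing to renew."""
    return lifetime // 2 if lifetime else None


def make_sample_response(nonce, lifetime=3600, ext_ip="203.0.113.7", ext_port=40000):
    """Constructed server reply (not a captured packet): SUCCESS, with the requested
    7200 s lifetime shortened to 3600 s, which the client must accept as-is."""
    hdr = struct.pack(_RESP_HDR, PCP_VERSION, 0x80 | OPCODE_MAP, 0, RESULT_SUCCESS, lifetime, 123456)
    data = struct.pack(_MAP_DATA, nonce, 6, 8080, ext_port, _v6(ext_ip))
    return hdr + data


if __name__ == "__main__":
    req, nonce = pcp_map_request("192.0.2.10", 6, 8080)
    print(len(req), "byte request; send to gateway UDP", PCP_PORT)
    result, life, ip, port = pcp_map_response(make_sample_response(nonce), nonce)
    print("mapped to", f"{ip}:{port}", "for", life, "s; renew in", renew_after(life), "s")
```

The practical difference from IGD shows up in the two lifetime rules: the request cannot omit a lifetime, and the client keeps only what the server grants, so a process that stops renewing (it crashed, was removed, or was never designed to renew) leaves no permanent hole behind.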

No need. UPnP is already dead.

Edit: and to add to that, programmers are absolutely the only people on earth who wish it wasn't dead.

Malware that's already on your system can do whatever it wants. NAT punching is not some complicated dark art for people who already have working exploits...
No but it stops them using your system as a C&C node accepting connections from external systems.

It doesn't stop it per se but it makes it a lot harder. Part of security is not being the easiest target on the block.

What? It's used by tons of legitimate applications as well. Not only malware benefits from being able to accept connections from the Internet. Games, torrents and other p2p services, etc.
I play a lot of games and I've never had any issues not having UPnP. They got used to working around it. Probably with centralised servers. I never liked the P2P model anyway, dedicated servers are more fun because you can influence the gamemode, add mods etc.

For torrents I don't know... If I were to torrent I would not do it without VPN anyhow.