by eternityforest 1617 days ago
Programmers need to stop trying to kill UPnP.

The buggy firmware that allowed control from outside had nothing to do with UPnP, it was... just buggy firmware implementing it wrong. And it can be easily detected with online testers.

I always leave UPnP on, and I've never seen it disabled by default, nor would I ever want them to do that.

When the router does it right, it's just a small extra convenience for malware that can only be used when they already compromised your system. If they are in your network already, they can already do whatever they want.

4 comments

* Scenario 1:

Malware running on your network requests port over UPnP. Router accepts it. Hacker has direct inbound access to code they control.

* Scenario 2:

Malware running on your network requests port over UPnP. Router denies it (UPnP is disabled). Malware doesn't know how to open a reverse tunnel. No inbound access.

* Scenario 3:

Same as 2, but malware sets up reverse tunnel. Hacker is in.

* Scenario 4:

Buggy and/or sloppy firmware that's not otherwise malicious requests port over UPnP even though it doesn't need to receive connections from the Internet. Router allows it. Hackers know about this slop and other CVEs on device. Network compromised.

* Scenario 5:

Same firmware from 4, but this time UPnP is disabled on router. It's safe to say this non-malicious firmware doesn't set up a reverse tunnel. No inbound access.

This is obviously a very simple threat model but from here you can see that 2 out of 5 attack scenarios would have been prevented by disabling UPnP on the router.
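An added example, not from any commenter in this thread: the IGD `AddPortMapping` SOAP body that scenarios 1 and 4 rely on, and an audit over the router's mapping table (read back with `GetGenericPortMappingEntry`) that flags entries no one intended to expose. The SOAP responses, addresses and the "known services" allowlist below are constructed samples, not captures from a real router.

```python
"""Build an IGD AddPortMapping request and audit a router's mapping table.

Runs offline: the GetGenericPortMappingEntry responses are constructed
samples shaped like the WANIPConnection:1 service, not real captures.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


@dataclass(frozen=True)
class Mapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    lease_seconds: int  # 0 = permanent until the router reboots


def add_port_mapping_request(internal_client, internal_port, external_port,
                             protocol="TCP", description="", lease=0):
    """Return the SOAP body any LAN host can POST to the IGD control URL.

    No authentication is involved: the router trusts the requester because
    it is on the LAN, which is exactly the situation in scenarios 1 and 4.
    """
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="{IGD_SERVICE}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{external_port}</NewExternalPort>
   <NewProtocol>{protocol}</NewProtocol>
   <NewInternalPort>{internal_port}</NewInternalPort>
   <NewInternalClient>{internal_client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{description}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_generic_entry(soap_xml):
    """Parse one GetGenericPortMappingEntryResponse into a Mapping.

    The argument elements are unqualified in IGD responses, so a plain
    descendant search by tag name is enough.
    """
    root = ET.fromstring(soap_xml)

    def field(name):
        el = root.find(f".//{name}")
        return "" if el is None or el.text is None else el.text.strip()

    return Mapping(int(field("NewExternalPort")), field("NewProtocol"),
                   field("NewInternalClient"), int(field("NewInternalPort")),
                   field("NewPortMappingDescription"),
                   int(field("NewLeaseDuration")))


def audit(mappings, known_services):
    """Flag mappings that do not match a deliberately exposed service.

    known_services: {internal_client: {internal_port, ...}} the owner expects.
    Returns (mapping, reason) pairs; a permanent lease on an expected
    service is reported too, since it will outlive the application.
    """
    findings = []
    for m in mappings:
        if m.internal_client not in known_services:
            findings.append((m, "unexpected host"))
        elif m.internal_port not in known_services[m.internal_client]:
            findings.append((m, "unexpected port"))
        elif m.lease_seconds == 0:
            findings.append((m, "permanent lease"))
    return findings


def _sample_entry(ext, proto, host, port, desc, lease):
    """Constructed GetGenericPortMappingEntry response (sample, not a capture)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{port}</NewInternalPort>
   <NewInternalClient>{host}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


# Constructed mapping table: a game console the owner set up, an IP camera
# that exposed its web UI on its own (scenario 4), and a desktop mapping
# with no description (what scenario 1 looks like from the router).
SAMPLE_TABLE = [
    _sample_entry(3074, "UDP", "192.168.1.20", 3074, "game console", 0),
    _sample_entry(8080, "TCP", "192.168.1.50", 80, "IP camera", 0),
    _sample_entry(51413, "TCP", "192.168.1.10", 51413, "", 0),
]
KNOWN_SERVICES = {"192.168.1.20": {3074}}  # assumed allowlist for the sample


def run_audit():
    """Parse the sample table and return the audit findings."""
    return audit([parse_generic_entry(x) for x in SAMPLE_TABLE], KNOWN_SERVICES)


if __name__ == "__main__":
    for m, reason in run_audit():
        print(f"{m.protocol} {m.external_port} -> "
              f"{m.internal_client}:{m.internal_port} ({reason})")
```

Against a real router you would fetch the entries by POSTing `GetGenericPortMappingEntry` with an increasing `NewPortMappingIndex` until the device returns error 713 (SpecifiedArrayIndexInvalid); the parser and audit above work unchanged on those responses.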

> Malware doesn't know how to open a reverse tunnel.

So this is useful if malware authors are just incredibly dumb?

Unconvincing. The only reason to disable UPnP seems to be "it might be really buggy" but that's true of all software and we don't disable all software. Yes, security in depth but that's taking it to a ridiculous extreme.

No, the malware authors just target the least secure userbase. Because there's plenty of them to exploit. Why put in the extra work if you have plenty of weak targets?

Physical security works the same way. The point is to have better locks on your bike than the one beside it.

And opening ports reduces the need for central infrastructure for the malware makers, which leads to less chance of being discovered (no money trails etc).

PS Speaking of run-of-the-mill malware/ransomware here obviously. If you get targeted by state actors you can kiss your ass goodbye either way :)

No, it's insanely useful in the vast majority of cases.

By many many orders of magnitude the most common scenarios are 4 and 5.

This is not a ridiculous extreme. It is the easiest and most effective thing you could do.

It's disabled on all AT&T Residential Gateways and can't be enabled, you have to use port forwarding or put another router behind it using IP Passthrough. It's also disabled by default on EdgeRouters and can only be enabled in the ConfigTree or CLI. On UniFi it's disabled, but can be enabled in the GUI.

It's a convenience over control item. Most things do NAT traversal pretty well anyway, UPnP IGD has run its course at this point. PCP is better in every way, push for that instead.

How is PCP any better? It would allow malware to open ports just the same.
I don't think that's really a problem you can solve regardless. A STUN server would make most NAT irrelevant anyway. Most firewalls are set up to allow established connections, so you just need to create an outbound connection to allow the inbound. You can basically use the same techniques as SIP/RTP when they do NAT traversal.

PCP is better than UPnP IGD, most importantly because it time limits the opening so port reuse is easier. I wouldn't use either in practice. I wouldn't suggest NAT-PMP either. I wouldn't use port forwarding if I could avoid it as well. I'd use destination NAT with a source IP range I knew in advance so it wouldn't show as easily in port scans. Someone is likely to tell me why that's a terrible idea, but it's my (current) preferred method.

No need. UPnP is already dead.

Edit: and to add on that, programmers are the absolutely only people on earth that wish it wasn't dead.