
What's the latest consensus on the Security issues with UPnP...?


punlman


QUESTION: What's the latest consensus on the Security issues with Enabling UPnP on your Router with no software firewall...?

A friend of mine recently told me, "I think that there was a Security Now! episode that explained how UPnP is a really bad idea. http://www.grc.com/unpnp/unpnp.htm "

I have been reading conflicting things about whether ENABLING UPnP on your router is a security vulnerability.... or not.

Also, I do NOT use a software firewall. I don't like them because they slow the system down, and they SOMETIMES block innocent programs from running giving you NO warning or notification message.... which is a REAL pain!

Link to comment

If you have no software firewall at all, why should UPnP be a "really bad idea"? I doubt you have a state-of-the-art hardware firewall, but simply a SOHO router thingy.

So outgoing(!) connections aren't filtered in any way in the first place. The malware can communicate without problems from inside, so there is no issue here that malware might open an incoming port for itself via UPnP, since it can use its outgoing ability to communicate/reload additional stuff it wants to.

Edit: by the way, your UPnP link has nothing to do with what we here are talking about in connection with UPnP.

Link to comment

Oops. Sorry. Wrong link. I meant to include the link to the Security Now show. ( http://www.grc.com/SecurityNow.htm They are experts on internet security, and have one of the most popular video podcasts on the internet.)

Apparently, giving the ability for malware to open up INCOMING ports.... is a bad thing.

Anyone know the latest consensus on the Security issues with UPnP...?

Link to comment

Actually the "experts" at grc.com have many critics that disagree strongly with some of their findings.

UPnP is potentially a security risk in the same way as leaving an incoming port forwarded is potentially a security risk. I'd personally say UPnP is the worse of the 2, because if UPnP is enabled then nearly any program could take advantage of that and forward ports for itself...such as malware. You'd need other security programs to prevent what wouldn't be happening in the first place without UPnP.

On the other hand, a manually forwarded port is only exploitable if the port is one that other programs use (especially by default) OR that the program using it has a security flaw of its own (like buffer overruns which allow execution of arbitrary code).

Link to comment

It's working great for me.

All I had to do was go to the Router's browser-based control panel, click on UPnP, and select ENABLE.

Instantly, all the copies of uTorrent, on all the computers on my network, began working beautifully.

I'm just concerned, now, about the security implications.

Link to comment

I don't think a computer can get compromised due to UPnP unless some stupid program uses UPnP to forward low-numbered ports like 21, 80, and 445. But then it's sabotage within rather than compromised from without...and the problem's as much or more the faulty/stupid program than UPnP!

Link to comment
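An added example, not written by any poster in this thread: a Python check that audits a router's UPnP port-mapping table for the two concerns raised above, programs forwarding ports for themselves without the owner knowing, and low-numbered ports such as 21, 80 and 445. The listing is constructed, its line format is assumed to follow what miniupnpc's `upnpc -l` prints, and the `expected` allow-list is hypothetical.

```python
import re

# Low-numbered ports the thread singles out, with the service usually found there.
NAMED_PORTS = {21: "FTP", 80: "HTTP", 445: "SMB"}

# Constructed sample, modelled on the mapping list printed by miniupnpc's
# `upnpc -l` (format assumed): index, protocol, extPort->inAddr:inPort, 'description'
SAMPLE_LISTING = """\
 0 TCP 51413->192.168.1.10:51413 'uTorrent (TCP)' '' 0
 1 UDP 51413->192.168.1.10:51413 'uTorrent (UDP)' '' 0
 2 TCP   445->192.168.1.23:445   'helper' '' 0
 3 TCP  8080->192.168.1.23:80    'webcam' '' 3600
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'")

def parse_mappings(listing):
    """Return one dict per line that matches the assumed mapping format."""
    out = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ext, host, internal, desc = m.groups()
            out.append({"proto": proto, "ext_port": int(ext), "host": host,
                        "int_port": int(internal), "desc": desc})
    return out

def audit(mappings, expected):
    """Flag mappings that touch a low-numbered port or that nobody approved.

    expected: set of (proto, ext_port, host) tuples the owner knowingly allows.
    """
    findings = []
    for m in mappings:
        reasons = []
        for port in {m["ext_port"], m["int_port"]}:
            if port < 1024:
                reasons.append(f"low port {port} ({NAMED_PORTS.get(port, 'well-known')})")
        if (m["proto"], m["ext_port"], m["host"]) not in expected:
            reasons.append("not in expected list")
        if reasons:
            findings.append((m, sorted(reasons)))
    return findings

if __name__ == "__main__":
    allowed = {("TCP", 51413, "192.168.1.10"), ("UDP", 51413, "192.168.1.10")}
    for m, reasons in audit(parse_mappings(SAMPLE_LISTING), allowed):
        print(f"{m['proto']} {m['ext_port']} -> {m['host']}:{m['int_port']} "
              f"[{m['desc']}]: {'; '.join(reasons)}")
```

Running the check periodically against the live mapping table, with the allow-list kept current, surfaces forwards that appeared without anyone on the network asking for them.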

Archived

This topic is now archived and is closed to further replies.
