punlman Posted February 14, 2007 Report Share Posted February 14, 2007 QUESTION: What's the latest consensus on the Security issues with Enabling UPnP on your Router with no software firewall...?A friend of mine recently told me, "I think that there was a Security Now! episode that explained how UPnP is a really bad idea. http://www.grc.com/unpnp/unpnp.htm "I have been reading conflicting things about whether ENABLING UPnP on your router is a security vulnerability.... or not.Also, I do NOT use a software firewall. I don't like them because they slow the system down, and they SOMETIMES block innocent programs from running giving you NO warning or notification message.... which is a REAL pain! Link to comment Share on other sites More sharing options...
µtorrent-Guest Posted February 14, 2007 Report Share Posted February 14, 2007 if you have no softwarefirewall at all, why should UPnP be a "really bad idea"? i doubt you have a state of the art hardwarefirewall, but simply a soho router thingy. So outgoing(!) connections aren't filtered in any way in the first place. the malware can comunicate without problems from inside so there is no issue here that malware might open an incomming port for themself via UPnP since it can use its outgoing ability to comunicate/ reload aditional stuff it wants to.Edit: by the way, your UPnP link has nothing to do with what we here are talking about in connection with UPnP. Link to comment Share on other sites More sharing options...
punlman Posted February 14, 2007 Author Report Share Posted February 14, 2007 Oops. Sorry. Wrong link. I meant to include the link to the Security Now show. ( http://www.grc.com/SecurityNow.htm They are experts on internet security, and have one of the most popular video podcasts on the internet.)Apparently, giving the ability for malware to open up INCOMING ports.... is a bad thing.Anyone know that latest consensus on the Security issues with UPnP...? Link to comment Share on other sites More sharing options...
Firon Posted February 14, 2007 Report Share Posted February 14, 2007 Eh, Gibson is an idiot. Link to comment Share on other sites More sharing options...
Switeck Posted February 14, 2007 Report Share Posted February 14, 2007 Actually the "experts" at grc.com have many critics that disagree strongly with some of their findings.UPnP is potentially security risk in the same way as leaving an incoming port forwarded is potentially security risk. I'd personally say UPnP is the worse of the 2, because if UPnP is enabled then nearly any program could take advantage of that and forward ports for itself...such as malware. You'd need other security programs to prevent what wouldn't be happening in the first place without UPnP.On the other hand, a manually forwarded port is only exploitable if the port is one that other programs use (especially by default) OR that the program using it has a security flaw of its own (like buffer overruns which allow execution of arbitrary code). Link to comment Share on other sites More sharing options...
punlman Posted February 14, 2007 Author Report Share Posted February 14, 2007 Yes?So TechTV's Leo Laporte and Steve Gibson are both idiots...?And there is no consensus on whether using UPnP is an acceptable security risk, or not...? Link to comment Share on other sites More sharing options...
Firon Posted February 14, 2007 Report Share Posted February 14, 2007 I don't think it's much of a security risk--if you can get it to work at all, that is. UPnP is so poorly implemented across routers that half the time it won't even work anyway. Link to comment Share on other sites More sharing options...
punlman Posted February 14, 2007 Author Report Share Posted February 14, 2007 It's working great for me.All I had to do was go to the Router's browser-based control panel, click on UPnP, and select ENABLE.Instantly, all the copies of uTorrent, on all the computers on my network, began working beautifully.I'm just concerned, now, about the security implications. Link to comment Share on other sites More sharing options...
Ultima Posted February 15, 2007 Report Share Posted February 15, 2007 From what I've seen, the security risks associated with UPnP are overblown (as I've almost never seen any actual reports of a computer getting compromised due to UPnP), but I guess I'm not in a position to give you a definitive answer. Link to comment Share on other sites More sharing options...
Switeck Posted February 15, 2007 Report Share Posted February 15, 2007 I don't think a computer can get compromised due to UPnP unless some stupid program uses UPnP to forward low-numbered ports like 21, 80, and 445. But then it's sabotage within rather than compromised from without...and the problem's as much or more the faulty/stupid program than UPnP! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.