Click to TEST YOUR OWN network connectionClick for Steve's explanation video


Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.

Universal Plug n'Play (UPnP)
Internet Exposure Test

This Internet probe sends up to ten (10) UPnP Simple Service Discovery Protocol (SSDP) M-SEARCH UDP packets, one every half-second, to our visitor's current IPv4 address (10.1.1.1) in an attempt to solicit a response from any publicly exposed and listening UPnP SSDP service. The UPnP protocols were never designed to be exposed to the public Internet, and any Internet-facing equipment which does so should be considered defective, insecure, and unusable. Any such equipment should be disconnected immediately.

Your equipment at IP:

 10.1.1.1 

Is now being queried:







THE EQUIPMENT AT THE TARGET IP ADDRESS
DID RESPOND TO OUR UPnP PROBES!
(That's probably not good!)
The equipment responded with the following helpful (to malicious hackers) information about itself:
HTTP/1.1 200 OK
Cache-Control: max-age=120
EXT:
Location: http://192.168.0.1:65535/rootDesc.xml
Server: Linux/2.4.22-1.2115.nptl UPnP/1.0 miniupnpd/1.0
ST: upnp:rootdevice
USN: uuid:add0d0d8-1dd1-11b2-a3c3-c36ac1b1c169::upnp:rootdevice
There is no question whether hackers are, in fact, currently sweeping the Internet for the presence of exactly this sort of exposed device—your device—in order to gain access to the private network residing behind it. Just such hacking packets are now being detected across the Internet. Scanning is underway and the threat is real.

The poorly designed Universal Plug n' Play (UPnP) technology, built into all consumer routers—and your router—was intended only to allow devices inside your network to request access by systems outside your network. It was never intended to allow anonymous hackers outside your network to gain access to systems inside your network . . .  But when the router's UPnP services are unintentionally exposed to the public Internet—as we have just verified with your router—that's exactly what has happened. And because the Internet is being swept and scanned for exactly these sorts of mistakes, it's not a matter of “if” someone is going to start accessing and changing your router's settings, and using them to access your internal private network . . . but “when”.

If you can disable your equipment's WAN-side (the connection to the Internet) support for Universal Plug n'Play, you should do so immediately. (And then, of course, you can re-test here to verify that it was successful.) If your equipment doesn't allow you to selectively disable only WAN-side exposure, you should seriously consider disabling all support for UPnP until you have updated the equipment's firmware (if that's feasible), replaced its firmware with a more secure alternative (DD-WRT, Tomato, etc.), or replaced the equipment with a known-secure alternative.

PLEASE NOTE: “Exposure” is not synonymous with “vulnerability”, but neither is it good to be exposed. The response which you can see above often tells malicious hackers exactly what version of UPnP firmware you are running so that they'll know exactly how to attack.
Positive results seen
This page has reported a growing number of positive “exposed” results.
The count is incremented only once per router IP address, regardless of the number of times the test is performed on an exposed router. Although we do not log the IP addresses of the results, we maintain an “MRU” (most recently used) list in RAM to prevent multiple counts per router.
What results are possible?
It's natural to wonder what other results might have been shown if your Internet equipment were different. So to satisfy that curiosity, here are three sample screens showing each of this test's three possible outcomes:
About UPnP and what this means

Here's what you need to know about Universal Plug n' Play (UPnP):

  • UPnP has been provided and enabled by default in consumer Internet routers since 2002 or 2003.
  • Today, any home appliance — TV's, DVD players, game consoles, IP cameras, printers, fax machines, and you-name-it, includes support for UPnP.
  • UPnP is a “zero-authentication” (no passwords required) system for allowing networked devices to discover and easily connect with each other on a private local network.
  • Additionally, software such as Skype and BitTorrent, and gaming consoles, which wish to be “seen” on the Internet, are able to use UPnP to open “holes” through the protection normally provided by routers in order to allow “unsolicited” traffic to enter.
  • THE HUGE MISTAKE IS: No part of UPnP was EVER MEANT to be exposed to the EXTERNAL public Internet. It was only ever meant for private local control of devices and routers. Its exposure gives malicious hackers direct access to the inside of any exposed private network. It was a huge mistake for it ever to be exposed. Router manufacturers are at fault, but all they can do now is offer updated router firmware. Now that the mistake has been made, responsibility rests upon router owners to somehow eliminate that exposure.

Additional resources
The Security Now! podcast episode (#389) which immediately preceded the addition of this UPnP exposure testing facility, is available as a video on YouTube, or as downloadable high or low bandwidth audio. During that presentation, I explain to Leo and the podcast audience exactly what HD Moore and Rapid7 discovered during their comprehensive scanning the Internet during the second half of 2012, and I explain what it means for those whose Internet routers are exposing this privileged management interface:
Security Now! Episode #389:YouTube Video64kbps MP3 Audio16kbps MP3 Audio
    Click to watch the video
Video starts at 0:09:44


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Apr 09, 2013 at 10:37 (2,260.71 days ago)Viewed 59 times per day