Billions of devices affected by UPnP vulnerability

CyberTech

Level 44
Thread author
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
Stop us if you’ve heard this before but a researcher has uncovered a new security vulnerability affecting many devices running the Universal Plug and Play (UPnP) protocol.

Named CallStranger by discoverer Yunus Çadırcı, the potential for trouble with this flaw looks significant for a whole menu of reasons, starting with the gotcha that it’s UPnP.

UPnP was invented back in the mists of time to graft the idea of plug-and-play onto the knotty world of home networking.

UPnP meant users didn’t have to know how to configure router ports – if the device and the home router supported UPnP (often turned on by default), connectivity happened automagically.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
That’s why it’s important to mitigate the problem by at least turning UPnP off if it’s not being used, something Naked Security has recommended after previous UPnP scares.
I have it enabled, but am I using it? <-- How would I know?

Edit:
Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet facing UPnP with CallStranger vulnerability -there are millions of consumer devices exposed to Internet-. Don't port forward to UPnP endpoints. Home users don't need to disable UPnP for this vulnerability. They just need to be sure UPnP endpoint is not exposed to Internet.
Source: CallStranger CVE-2020-12695

What's an UPnP endpoint? <--- How would I know?
 
Last edited:

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Well what about public trackers that i disable it does it work i download it?
Yes, public trackers works fine. You don't need to enable UPnP/port forwarding for that so keep it off.

What's a private tracker?
Private trackers are torrent sites which are private, usually users can join by invite systems only. Something The Pirate Bay is not private tracker, that's a public tracker.
So, since you don't use such sites, you don't need UPnP enabled. Turn it off, it's better for security.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Private trackers are torrent sites which are private, usually users can join by invite systems only. Something The Pirate Bay is not private tracker, that's a public tracker.
So, since you don't use such sites, you don't need UPnP enabled. Turn it off, it's better for security.
People still Torrent (leechers vs seeders)? There are literally hundreds of streaming services out available.

What do you make of this UPnP and Port Forwarding, since I need the Open NAT for online games?
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
People still Torrent (leechers vs seeders)? There are literally hundreds of streaming services out available.

What do you make of this UPnP and Port Forwarding, since I need the Open NAT for online games?
Port forwarding for game consoles is tedious, and really a pain if you have more than one. UPnP works. I don't do either right now, since most people use UPnP you can get by with a moderate NAT and still get decent matchmaking. If most people turn it off, it could cause a degradation in online play, but I don't foresee most people turning it off ever if it is on by default.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
People still Torrent (leechers vs seeders)? There are literally hundreds of streaming services out available.

What do you make of this UPnP and Port Forwarding, since I need the Open NAT for online games?
blackice pretty much said everything. So, if any game that you're playing doesn't work properly without UPnP then keep it on otherwise turn it off.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
Port forwarding for game consoles is tedious, and really a pain if you have more than one. UPnP works. I don't do either right now, since most people use UPnP you can get by with a moderate NAT and still get decent matchmaking. If most people turn it off, it could cause a degradation in online play, but I don't foresee most people turning it off ever if it is on by default.
I'd add one more note to this. If you have a single console, port forwarding is prefereble. In fact, xboxs are very well hardened and don't respond to requests not from LIVE (supposedly). So if you have to Port Forward, it's better than allowing UPnP on the whole network. They actually can survive if you throw them into the DMZ, but I wouldn't personally do that.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top