The Road To Hell Is Paved With Good Intentions (Disable UPnP on your home network)

stairs pexels-photo-718002.jpeg

Universal Plug and Play (UPnP), a feature of most home networks, is bad, and should be turned off.  If you know what UPnP is, understand why it is very dangerous to allow it to be used, and have already disabled it your home network, your parent’s home network, and your non-techie friend’s home network, then stop reading, grab your favorite beverage and relax.

Everyone else: If you have any interest in keeping your home network secure, especially your home automation devices, stop everything and read this through to the end.  You can skip over the techie or boring parts, but please read enough to understand the risks, the simple things you can do to be safe, and tell your friends.

Network Security Doesn’t Have to Be Obtuse
Unfortunately we read a lot about network security problems and the risk of home computer networks without any specific actionable advice.  The writer or blogger will alarm us with stories of woe - criminals stealing identities, hackers remotely controlling baby cams, or stealing huge amounts of data from our computers.

After spreading this fear, the writer merely offers prosaic formulaic advice - don’t write your password on a sticky stuck to your computer screen; use complicated passwords that aren’t easily guessed; keep a backup of all your data, etc.

If they don’t offer simplistic advice, they often go the other way - telling us how complicated and confusing computers and networks have become and that we must consult an expensive security expert or risk losing everything.  Again, scaring everyone without any practical examples of what can be done to increase the security of our computers and network.

The journey of a thousand miles begins with one step
This famous quote by Lao Tzu is applicable to computer and network security.  Security solutions are complicated, but if you approach it one step at a time, you can make significant progress.  I’m going to describe a specific high-risk home network problem that is generally overlooked.  If you implement the changes I suggest, you will be taking a step or two towards better network security.  It will not be the only thing you need to do and it won’t make you invincible, but it is a specific action you can take that will make a difference.

What is Universal Plug and Play (UPnP)
UPnP is a software protocol (set of rules) widely used on home networks first established in 2008.  UPnP attempted to solve the problem of configuration and setup of devices on local area networks - specifically home networks.  When you mix computers, phones, printers, scanners, and other devices on a computer network, it is complicated to get everything setup properly and to have all the devices communicating with each other.  

At a high level, UPnP is a set of standards to allow devices to configure themselves automatically, advertise what services they provide to everyone else on the network, and establish connections, as needed, to other devices.  Imagine if you walked into a restaurant and there was simply a crowd of people.  You couldn’t tell who was a customer, who where the waiters, the chef, or the busboy.  Just  a crowd of people with no organization or coordination. 

UPnP would be a way for each person to identify their role (“I’m a customer”, “I’m a chef”, “I’m a busboy”) and uniquely identify their location (“I’m sitting at table 27”, “I’m working the grill”).  Then UPnP would allow communications channels to be established so customers could get menus from the waiters and the waiters could place food orders with the chef, etc.

Why Is UPnP A Problem?
UPnP was originally designed only to work within the local network in your home, but it was sloppily enhanced to facilitate communications over the Internet.  Occasionally a local device needs to allow incoming access to itself from a person or device located outside the local network.  For security reasons, this is normally not allowed.  The router/firewall on your home network only allows devices inside to access the Internet but doesn’t allow devices outside your home to come into your network.

So to override this and allow incoming access, the local device has to first make an outbound connection and ask your router to allow the incoming connection. This gets complicated quickly, so I’m going to use a simplified example to try and make it simpler.  Please understand this isn’t exactly how it works, but it should be enough to explain what is going on.

Think of your home network like a secure fortress with only one way in or out - the front door.  That door is guarded by your Wi-Fi router/firewall.  In order to get into your house, the router has to open the front door - no one else can do it.  The device that wants to let someone come in to your house (remote access from the Internet) uses UPnP to ask the router to automatically open the front door.  The router will always obey a UPnP request and open the door.

What’s The Problem?
The problem is there is no identification needed.  The router receives a command from another device inside your home network and trusts that the device is legit and always opens the door without any questions. This is the security hole - malicious software such as a computer virus or malware that infects your computer can take control of a device on your own network.  This malware then asks the router/gateway to open the door to let its criminal friends come in the “front door”, and the router obeys.

Easy Solution - Lock the Front Door
The simplest solution is to simply bolt the front door.  Almost every modern Wi-Fi router has a setting that allows you to disable Universal Plug and Play.  When you turn off UPnP, the router simply ignores all requests from any devices on your local network to unlock and open the front door.  The requests are ignored and the door stays shut to unwanted incoming visitors.

This works, but it also blocks all incoming remote access.  There are many legitimate uses for incoming remote access.  In home automation, one of the common uses is to view the live video stream from your security camera.  Another typical use is to “dial in” to your home computer when you are away and want to retrieve some important files or operate your home automation system from afar.

How To Allow Limited Remote Access
The solution is to go “old school” and use the manual configuration procedure that existed before UPnP made it easy and automatic. Using a configuration option in your router, you have to identify which device needs remote access and manually change the configuration to allow that particular device to have remote access.  In technical terms, this is called “port forwarding” and you will specify the local device (by listing its IP address) and the door that will be used (the TCP/IP or UDP “port”).

Just about every router nowadays supports manually configuring port forwarding.  The specific steps are different for each brand of router, but the concept is the same.  For help with configuring your own router, the following website provides a list of many popular routers and the specific instructions you will need:  www.portforward.com

Is It Safe?
This is a permanent setting so you will be allowing that particular device to have incoming remote access whenever it likes.  By doing this you are limiting remote access to only that device.  Only that device will be allowed incoming access.  A typical home network might have between 5 and 10 devices (when you count all the smartphones, tablets, smart TV’s, computers, laptops, etc.) and the count can easily be 50 to 100 when you add home automation and larger houses.  By manually configuring port forwarding only for the devices that truly need it, you reduce the potential devices that can be attacked to gain a remote door from 50 or 100 down to 1 or 2.  (In computer security lingo, this is called “reducing the attack surface”.)

An Even Better Solution
Disabling UPnP and manually configuring port forwarding when needed is a straightforward security step that you can do now.  If you want to up your game even more, consider completely disabling all port forwarding and use a newer technology called a virtual private network (VPN).  Incoming VPN’s are a lot more secure way to provide remote access to your network. 

Adding an incoming VPN to your home network can be a bit more complicated.  You might need to replace your router with a more advanced and more powerful model. Then you need to configure the VPN software which can be confusing.

For my clients that are interested in implementing an incoming VPN, I recommend using the Synology RT2600AC Router.  This router is affordable for home/consumer use, has very high performance, and setting up a VPN is straightforward and doable if you carefully follow the step by step instructions.

What are you doing about home network security?  Will you disable UPnP on your network?  Let me know what you think.