Is UPnP safe? A guide to the risks and how to disable it

UPnP, short for Universal Plug and Play, is a networking protocol that enables devices such as computers, smart TVs, and printers to find and communicate with each other over a network easily. One of UPnP’s main benefits is that it facilitates activities such as online gaming, streaming, and file sharing without requiring any technical setup.

Although UPnP is convenient, it also introduces potential security risks. The protocol automatically opens network ports without requiring authentication, which can potentially expose devices to vulnerabilities. This is particularly the case if it’s misconfigured or if it’s otherwise exploited by malware. We’ll take a closer look at the risks of UPnP and what you can do to safely protect your network.

What is UPnP?

Universal Plug and Play (UPnP) is a networking protocol that allows devices on the same network to discover each other and communicate automatically, removing the need for complicated network configurations. Instead, devices such as computers, smart TVs, gaming consoles, printers, and streaming boxes connect and easily share information.

For example, if you connect a new gaming console to your home network, UPnP can automatically open the ports it needs to support multiplayer gaming. You’re not required to log in to your router or to otherwise change settings manually. Similarly, UPnP allows a Smart TV to find and stream media from a computer on the same network.

UPnP makes setting up and using network-connected devices quicker and easier, especially if you’re not particularly tech-savvy.

UPnP use cases

• Online gaming: Consoles like Xbox and PlayStation use UPnP to automatically open the ports required for multiplayer gaming as well as voice chat. This helps improve NAT type and connection quality without requiring manual configuration.
• Media streaming: Media servers such as Plex and Kodi use UPnP to stream video and audio content to Smart TVs, streaming sticks, or other devices on the same network.
• Smart home devices: Smart devices at home, like security cameras and speakers, use UPnP to register themselves on a network. They sometimes request port forwarding for remote access features.
• Peer-to-peer applications: BitTorrent clients and other file-sharing tools often use UPnP to automatically open ports. Allowing more direct peer connections improves upload and download performance.
• Remote access and management: Some remote desktop and networking tools use UPnP to make internal services accessible over the internet. For example, an IP camera feed when away from home.

How does UPnP work?

UPnP enables devices on the same local network to discover and establish connections with each other automatically. This eliminates the requirement for a potentially complicated and lengthy manual setup, particularly if you’re not tech-savvy.

When a device such as a game console that has UPnP enabled joins a network, it broadcasts a discovery message using SSDP (Simple Service Discovery Protocol), announcing its presence. Other devices or the router detect the message and respond. If a device needs to open a port to the outside world – to receive incoming multiplayer connections, for example – it follows these steps:

1. Discovery: When a device joins the network and receives an IP address via DHCP, it sends a broadcast message to locate UPnP-enabled devices, such as the router.
2. Description: The router responds with a URL pointing to an XML “device description” file. This file, which is accessible over HTTP, contains details about the device’s capabilities and its available services.
3. Control: Using HTTP, the client, such as a game console, sends a SOAP (Simple Object Access Protocol) message to a specified control URL. The message may include a command like “open TCP port 3074 for this internal IP”.
4. Action: If the request is accepted, the router dynamically updates its NAT table and forwards the requested port to the device with no user input required.

Is UPnP safe?

Despite the high level of convenience offered by UPnP in making connecting devices that much easier, there are some security-related problems to keep in mind. One of the main issues with UPnP is that it automatically trusts any device within your network.

If a device inside your network is compromised – for example, a laptop getting a virus or a smart device getting hacked – it could take advantage of UPnP and open ports on your router without your knowledge. These open ports are much like open doors in that they can potentially expose your network to attacks from the outside.

Another concern in relation to UPnP is that some routers are poorly configured. This results in them unintentionally revealing their UPnP services to the internet. As a result, hackers could then remotely interact with the router and open up ports to then access devices inside your home network.

Fortunately, modern routers have sufficient security to protect against the above risks. Provided your network is well secured and your router’s firmware is up-to-date, the risk is lower – particularly if it’s correctly restricted to the local network only.

History of UPnP vulnerabilities

An open trust model and lack of authentication mean UPnP isn’t without security concerns.

In 2013, security firm Rapid7 released a whitepaper titled Security Flaws in Universal Plug and Play. It revealed that over 80 million routers were vulnerable due to flaws in their UPnP implementations. The problem stemmed from routers exposing UPnP functionality on the WAN side, allowing attackers to control port forwarding remotely.

Another major vulnerability called CallStranger emerged in 2020. This exploited a flaw in the way UPnP devices handle notifications. Attackers could then exfiltrate data, scan internal networks, and launch DDoS attacks.

How to disable UPnP

Disabling UPnP on your router is simple enough and can help improve your network security. Of course, consider this only if you don’t need it.

Here’s how to disable UPnP:

1. Start by accessing your router’s admin page. To do this, open your web browser and enter your router’s IP address in the address bar. If you’re unsure of your router’s IP address, you can usually find it on a sticker on your router. Alternatively, you can use our handy IP address check tool.
2. You’ll then need to log in by entering your username and password. Provided you haven’t changed them, the default login details should be on the router itself.
3. Find the UPnP settings. You may need to navigate the menu to find them under a section such as “Advanced Settings”, “NAT forwarding”, or “Network Settings”.
4. Turn off UPnP by toggling the switch or box under the relevant setting.
5. After disabling UPnP, make sure you save the settings. You may need to manually restart your router for changes to take effect.

UPnP FAQs