UPnP comes enabled by default on many new routers.
At one point, the FBI and other security experts recommended disabling UPnP for security reasons.
But how secure is UPnP today?
Are we trading security for convenience when using UPnP?
UPnP stands for Universal Plug and Play.
If it's important to you that malware cannot forward ports, you'll want to disable UPnP.
This bug was fixed by a security patch.
The Flash UPnP Attack was discovered in 2008.
Port forwarding would be the least of your worries: a malicious DNS server could redirect traffic to other websites.
Is This a Problem?
Yes. I can't find any sort of indication that this was ever fixed.
These aren't necessarily problems with UPnP itself; they're often problems with UPnP implementations.
For example, many routers' UPnP implementations don't check input properly.
On some Linux-based routers, it's possible to exploit UPnP to run commands on the router.
(Source) The website lists many other such problems.
Is This a Problem?
Yes! Millions of routers in the wild are vulnerable.
Many router manufacturers haven't done a good job of securing their UPnP implementations.
Image Credit: Ben Mason on Flickr
Should You Disable UPnP?
Unfortunately, it does appear that UPnP has a lot of problems.
You can still forward ports without UPnP; it's just a bit more work.
Check out our guide to port forwarding.
Consult your router's manual for more information.