
UPNP Extended Security

fydrenak
Hooked
Posts: 7
Registered: 2 weeks ago

UPNP Extended Security

Hi all, I am developing an application which uses UPNP to create peer to peer connections through NAT. I have had no issues with several routers using SSDP multicast to discover UPNP devices on the local network. However my Plusnet Hub One seems to not respond to the multicast requests. It does however respond to a unicast message sent straight to the router, but this is inadequate for my use as I want to find all devices on the network. Does anybody know on a low level what UPNP Extended Security actually does, and if it could be the source of this problem?

Thank you.
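An added diagnostic sketch (not part of the original post) for the symptom described above: it sends the same SSDP search once to the multicast group and once directly to the gateway, then lists devices that answered only the unicast probe. The message layout follows the UPnP Device Architecture 1.1 M-SEARCH forms; the function names, the sample reply and the gateway address passed to `compare` are assumptions made for illustration.

```python
import socket
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900  # SSDP multicast address and port

# Constructed sample reply (not captured from any real router).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"Location: http://192.168.1.254:5000/desc.xml\r\n"
                b"ST: upnp:rootdevice\r\n\r\n")

def build_msearch(st="upnp:rootdevice", unicast_host=None, mx=2):
    """Build an M-SEARCH datagram; multicast when unicast_host is None."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {unicast_host or SSDP_GROUP}:{SSDP_PORT}",
             'MAN: "ssdp:discover"']
    if unicast_host is None:
        lines.append(f"MX: {mx}")  # response-delay window, multicast form only
    lines.append(f"ST: {st}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_response(data):
    """Return (status, headers) with upper-cased header names, or None if not HTTP."""
    lines = data.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return int(parts[1]), headers

def probe(dest, payload, timeout=3.0):
    """Send one M-SEARCH; collect {responder_ip: LOCATION} until replies stop."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (dest, SSDP_PORT))
        try:
            while True:
                data, (ip, _port) = s.recvfrom(65507)
                parsed = parse_response(data)
                if parsed and parsed[0] == 200:
                    found[ip] = parsed[1].get("LOCATION", "")
        except socket.timeout:
            pass
    return found

def compare(gateway_ip):
    multi = probe(SSDP_GROUP, build_msearch())
    uni = probe(gateway_ip, build_msearch(unicast_host=gateway_ip))
    return {"multicast": multi, "unicast": uni, "unicast_only": sorted(set(uni) - set(multi))}
```

Calling `compare` with the router's LAN address on an affected network would show the router under `unicast_only`, while other UPnP devices still appear under `multicast`.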

13 REPLIES 13
7up
Community Veteran
Posts: 15,331
Thanks: 1,150
Fixes: 14
Registered: ‎01-08-2007

Re: UPNP Extended Security

You're new here and your first post is asking for information that would help you circumvent the plusnet router security!

You don't really expect help on this do you?

I need a new signature... I'm bored of the old one!
fydrenak
Hooked
Posts: 7
Registered: 2 weeks ago

Re: UPNP Extended Security

That's quite a hostile response but I will ignore it as my intentions are not as you imply.

 

Quite the opposite, I would like to understand this feature so I can ensure my program functions correctly for users that have this security feature enabled. If the feature makes what I'm trying to do impossible, then I will make no efforts to circumvent it. I simply want to understand it to make sure I'm not making an error.

dvorak
Moderator
Moderator
Posts: 24,780
Thanks: 4,479
Fixes: 1,136
Registered: ‎11-01-2008

Re: UPNP Extended Security

I doubt you will find the answers here, perhaps try reddit.
Or your own ISP forums, if you're not a PN customer.
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
7up
Community Veteran
Posts: 15,331
Thanks: 1,150
Fixes: 14
Registered: ‎01-08-2007

Re: UPNP Extended Security


@fydrenak wrote:

That's quite a hostile response but I will ignore it as my intentions are not as you imply.

 

Quite the opposite, I would like to understand this feature so I can ensure my program functions correctly for users that have this security feature enabled. If the feature makes what I'm trying to do impossible, then I will make no efforts to circumvent it. I simply want to understand it to make sure I'm not making an error.


Well consider this, you've turned up on the plusnet forum talking about a plusnet hub one and wanting to know how to get around its upnp limitations from a security perspective.

That's like turning up on a van forum saying you've locked yourself out of your van and need help getting back into it - nobody will assist you.

Even if you are legit, plusnet don't make any technical details about their router available to us.

I need a new signature... I'm bored of the old one!
Mook
Aspiring Champion
Posts: 716
Thanks: 498
Fixes: 1
Registered: ‎27-12-2019

Re: UPNP Extended Security

@fydrenak - You refer to UPNP as a security feature when it has more holes than a sieve! 

fydrenak
Hooked
Posts: 7
Registered: 2 weeks ago

Re: UPNP Extended Security

@7up The inaccurate simile is wholly unnecessary. I have never once asked how to 'get around' any 'upnp limitations'. As I said before, I have no intention of circumventing anything, I merely want to understand what the limitations are so I know what is possible to do legitimately. I am not interested in any hacks or workarounds, I just want to know what this option on my router actually does.

I would greatly appreciate it if the contents of my question were focused on instead of making baseless judgements about me personally. That makes for a pretty toxic way to welcome new members of the forum.

The final line in your reply is the only constructive one, but I at least thank you for it. I assumed that all the settings users can control on the router are documented somewhere, else how are consumers expected to decide whether or not to enable/disable the feature without knowledge of what it does? That is the only level of information I am looking for.

fydrenak
Hooked
Posts: 7
Registered: 2 weeks ago

Re: UPNP Extended Security

@dvorak Thank you, I might try Reddit as well but I generally try to avoid it. For what it's worth, I am a Plusnet customer. The only reason I have access to multiple brands' routers is that I switch between multiple places of living fairly frequently, and I have asked some of those around me to test my program and send me the response.

Mook
Aspiring Champion
Posts: 716
Thanks: 498
Fixes: 1
Registered: ‎27-12-2019

Re: UPNP Extended Security

@fydrenak  I assume you've read the RFC for this:

https://tools.ietf.org/html/rfc6970

This will explain everything you need to know.

fydrenak
Hooked
Posts: 7
Registered: 2 weeks ago

Re: UPNP Extended Security

@Mook I never referred to UPNP itself as a security feature, but to 'UPNP Extended Security' as it is written in the router settings, which I think can safely be called a security feature. UPNP could be considered a security risk but the fact is sometimes people want to build peer to peer networks with a 'plug and play' client. Expecting your average consumer to find their local IP, keep it static, and manually port forward is a bit much. Also, assuming UPNP is configurable only from the LAN, if you have malicious code that would use UPNP you have far bigger problems than UPNP being enabled. And disabling it likely stops absolutely nothing. Evidently the industry agrees with me as people have been trying to call it insecure for years but it is still very widely used.

If you think there is something I have not considered in my security assessment of UPNP I welcome the information.

Mook
Aspiring Champion
Posts: 716
Thanks: 498
Fixes: 1
Registered: ‎27-12-2019

Re: UPNP Extended Security

I'd hardly call quoting 'UPNP Extended Security' a security assessment but each to their own I guess. To be honest I don't use the Plusnet Router so I don't know what context the aforementioned quote actually refers to, so I will say no more, but I do recommend you read the RFC, it will be time well spent.

 

fydrenak
Hooked
Posts: 7
Registered: 2 weeks ago

Re: UPNP Extended Security

@Mook Thank you for that link, I have been working from the UPNP device architecture specification (http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf) when building my implementation. I admit to not being familiar with the PCP IWF. Is this what is expected to be used by modern applications?

fydrenak
Hooked
Posts: 7
Registered: 2 weeks ago

Re: UPNP Extended Security

@Mook My assessment is what I outlined in why I think UPNP is not too insecure for use in modern applications. I reviewed what it enables and I don't think it allows an attacker to do much more than they would be able to do anyway given that they're inside the network. The quote of the name was my response to the comment that I called UPNP itself a security feature.

Mook
Aspiring Champion
Posts: 716
Thanks: 498
Fixes: 1
Registered: ‎27-12-2019

Re: UPNP Extended Security

It's always been my understanding that an RFC is the de facto standard for this kind of thing and when I've had to deal with protocols this is my first port of call.

But UPnP is bad news, do a search of the CVE site using UPNP and you'll get an idea.