Home Network Vulnerability — UPnP
by Mike Saxton, PhD
The COVID pandemic of 2020 has prompted numerous organizations to migrate employees to remote status, and we increasingly find that many of these migrations have gone from temporary to fully or partially permanent. Unfortunately, because the changes had to be implemented so quickly, certain consequences have been overlooked.
One of these is the security of home-based networks. Being aware of what our flashing devices are actually doing is more important than ever. Let’s begin by taking a look at the concept of Universal Plug and Play (UPnP).
UPnP makes it easy to connect devices to your home network and access them remotely (Margret, 2020). For example, IP cameras have become increasingly popular for home security. Many come with mobile apps that allow you to monitor the camera when you’re not home and not connected to your home network. UPnP allows the camera automatically to create an opening, or port, in your network so that the app and the device can communicate. On the back end, it’s setting up port forwarding and routing tables.
As an analogy, let’s take someone who is extremely busy and cannot handle the day-to-day cleaning and maintenance of their house. That person hires a series of contractors to do the work and gives the local locksmith permission to provide a key to any of these contractors. Here’s the catch: the contractors are not required to produce any work orders or documentation stating that they’ve actually been hired to perform the work. They just show up, say they need access, and the locksmith gives them a key. Despite the convenience to the homeowner of not constantly having to provide the locksmith with official authorization, this setup is a bad idea. Anyone who finds out about the arrangement can obtain a key to the house without being questioned.
Unfortunately, this example is effectively what UPnP does to a network. Those ports can be created by any device that requests them. The router will automatically set them up, no password or approval required. This means that an attacker can spoof a device to get access to your network, regardless of whether you are using wired or Wi-Fi. Additionally, many home routers have UPnP activated by default, which means it’s on when you first plug the router in, and you must manually shut it off.
Prior to 2020, attacks to your home network might have been somewhat less of a concern, however an increasing number of employees are now working remotely. This means that the attack surface — ways that a hacker can try to get into an organization’s network — has increased exponentially. A company that has gone from 300 on-site employees to 300 remote employees now has 300 additional locations that require some level of security. As a result, we’ve seen a massive uptick in vulnerability exploits with home networks (Muncaster, 2020).
While employers have various tools at their disposal to limit their exposure to home network infiltrations, those tools might not necessarily help the individual user. The good news is that anything UPnP can set up automatically can also be set up manually. If UPnP is deactivated, you can still set your router to allow the connection to see your IP camera, or allow those video game consoles to stream. Most items such as these have documentation that will tell you exactly what ports you need to open. There might be a bit of a learning curve, but we live in a time where the Internet of Things has produced numerous devices that connect to the Internet, each providing a third party with an opportunity for malicious access to your network.
It’s safe to say that we don’t want our home networks to turn into a hacker’s playground, but how do we address this? The first step is to dig out the log-in information to your router. Older routers have a default username and password (if you have never logged in, it will remain unchanged). If this is the case, the instruction manual will provide your log-in information, which you should immediately change. If you don’t have the manual, a search for your router brand and the model number, usually on a label on the bottom of the unit, will bring it up. Again, once you’ve logged in, you should change the default admin log-in because it’s available to anyone on the Internet!
Newer routers have a randomized log-in password that is printed on a label attached to the unit. Manufacturers started doing this because most people never change the access code from the default, and the older way of doing it led to many compromised routers. The new way provides a different code for each individual unit that is not published online.
After you’ve determined the access password, the next step is to use your web browser to access the router’s control panel. For that, you will need something called your default gateway. It’s an IP address that may look something like this: 192.168.0.1. Basically, it’s the network address of your router. If you don’t know how to find it, there’s an awesome tutorial at https://www.lifewire.com/how-to-find-your-default-gateway-ip-address-2626072.
Once you have the network address, type the default gateway into the web browser’s address bar and hit enter. You’ll be at the login screen for your router. From here, the interfaces can be very different depending on manufacturer and model, but the UPnP option is typically under something similar to “network settings” or “advanced network settings.” For specifics, you can go to the company’s website. The model number and brand name of the router should get you to where you need to go.
A word of caution: be careful what you change. Many of the settings allow for advanced configurations that you might not need. If you’re not sure what something is, don’t change it, as the names of these settings are not always intuitively clear. If you’re interested in exploring some of the basic configurations of a router, port forwarding is a good one, especially if you’re replacing the settings that were automatically put in place by UPnP. In this case, before shutting UPnP off, take note of any settings. You’ll usually see a table or chart with columns such as external port, internal port, IP address, etc. Once you’ve shut it off, you can use the port forwarding option to enter those settings manually, without leaving the door to your home network wide open.
As a final note, never be afraid to ask for help from someone who has knowledge of computer networks and settings. Another option, especially if you want to be a hands-on learner, is to look up tutorials specific to your router on YouTube. They can be helpful, and I’ll let you in on a little secret: even IT pros look things up at times.
Margret, C. (2020, May 14). What is UPnP and Why You Need to Turn it Off. FastestVPN Blog. https://fastestvpn.com/blog/what-is-upnp/
Muncaster, P. (2020, August 11). DDoS Attacks Triple in Q2 to Target COVID-19 Home Workers. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/ddos-triple-q2/
Dr. Mike Saxton has been an adjunct faculty member at Goodwin for three years. He is passionate about working with adult learners and strives to develop a learning environment that fosters holistic growth for the student, not just academically. He uses his diverse professional, personal, and academic experience to offer guidance above and beyond just passing the test. Dr. Saxton encourages students to pass the test of life through both successes and learning from failures. As an instructor and mentor, he utilizes his diverse background that includes higher education, wireless technology services, information technology, and self-defense instruction. He has served in Student Affairs as an administrator, instructional faculty member, property management, business owner, database developer, network manager, and self-defense instructor. Dr. Saxton graduated Eastern Connecticut State University in 2001 and 2004 with a bachelor’s degree in Computer Science and a master’s degree in Organizational Management, respectively. He holds CompTIA A+, CompTIA Network+, CompTIA Project+, CompTIA Cloud Essentials+, CompTIA CIOS, Six Sigma Data Analytics, and Blockchain Council Blockchain Expert certifications.