As the world’s various media outlets start talking breathlessly about how dangerous UPNP is anyone who has talked to me(every one of my clients knows about this) I’ve always maintained UPNP was a huge security hole. I’ve seen Microsoft among others talk about how it’s not a security threat to allow something inside your network to automatically open holes into your firewall without the network admin’s knowledge. me and others(like Stever Gibson0 have been vindicated once again. UPNP has ALWAYS been a a hackers dream…it just took someone a while to prove to the rest of the world what the security guys have been saying base on common sense for years now. Everyone NEEDS to test their routers now. You can do it here. if you fail the test please contact ECC immediately. Sophos explains the danger in this blog post.
Tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more can be attacked over the Internet because of dangerous flaws in their implementation of the UPnP Universal Plug and Play protocol standard, security researchers from Rapid7 said Tuesday in a research paper.UPnP allows networked devices to discover each other and automatically establish working configurations that enable data sharing, media streaming, media playback control and other services. In one common scenario a file-sharing application running on a computer can tell a router via UPnP to open a specific port and map it to the computer’s local network address in order to open its file-sharing service to Internet users.UPnP is intended to be used primarily inside local networks. However, security researchers from Rapid7 found over 80 million unique public IP Internet Protocol addresses that responded to UPnP discovery requests over the Internet, during scans performed last year from June to November.
via Researcher: UPnP flaws expose millions of networked devices to remote attacks | PCWorld.