UPnP epitomises the challenge in balancing convenience and immediate gratification with security and control.



Description of the risk

UPnP ("Universal Plug and Play") is a network protocol (technically it's a number of protocols) that facilitates networked devices to be able to see and communicate with each other automatically and without human intervention. Originally conceived well over a decade ago and specifically for use within a LAN ("Local Area Network"), where the underlying expectation exists that the LAN is secure, many hundreds of IT vendors got together and worked out the nuts and bolts to create the open-standards protocol that is now named UPnP. Everyone was happy and the world was good.

For example:

- Personal computers could see printers - all you had to do was plug them both into the LAN and they would discover and communicate with each other (hence "plug and play")

- Smart devices such as tablets and phones could see all the available WiFi networks - to connect you just needed the password



The convenience, as seems to happen with increasing frequency these days as Gen Y-er’s and Gen Z-er’s influence over decision making increases, was intoxicating. Most anything and everything that could utilise UPnP did. UPnP-enabled devices could automatically join in on a network and connect to other devices. It was beyond convenient - it was easy and automatic. Everyone was happy and the world was good.

For example:

- Your refrigerator could send information to your smartphone - so you didn't need to check the fridge to see if you needed to buy milk on the way home

- You could control your air conditioner from your tablet - which is much cooler that using a remote control

- You could listen to your music play list on multiple speakers through your home or connect your TV to a surround sound system - all wirelessly



Then some genius decided that it would be a smart idea to extend that automated capability outside of the LAN. It's impossible to know whether this next step was pushed by Internet router vendors or by the IoT ("Internet of Things") vendors or others, but it happened and it happened broadly and quickly.

Today, devices on the Internet can scan for UPnP devices on your assumed-to-be secure LAN if your router has UPnP enabled, which many if not most home and small office routers do by default. As a result, the devices on the internet can freely communicate with the devices on the LAN and will do so automatically, without any intervention from you, without every reporting the activity to you and without you have any control over what communications and actions are taking place. Not everyone was happy and many of us who have a tendency towards network security could see that the world just became a little less good.



Just in order to try to be clear about the concern/risk:

UPnP was first developed to allow known and trusted devices to quickly and easily communicate with each other inside a controlled and trusted environment without you needing to undertake any noteworthy configuration of either of them.

Today, UPnP is extensively and usually unwittingly used to allow a known and trusted device to quickly and easily communicate with unknown and foolish-to-trust devices on the completely-untrustworthy Internet and, if you’re set up to use it, those unknown and impossible-to-trust devices on the Internet are able to communicate however they want. You have no control over it, you won’t even know it is happening.



What should you do about it?

First, understand that when it comes to all things IT, almost every time that something is made easier and more convenient, it is also being made less secure.

Second, acknowledge that IT vendors are trying to make their things as easy as possible for people to use, because it means more people will buy them.

Third, concede that IT and particularly IT security, is a skillset that is learned, honed and developed over time. Professionals work in this space (where knowledge and experience in IT security is required) and this space is getting bigger every time some new, more convenient thing comes out.

Finally, turn off UPnP on your Internet router (which could temporarily break communications for various of your things) and, in preference, establish static network address translation (“NAT”) firewall rules instead. These rules that determine what types of communications should be allowed to pass through a firewall, by whom and under what conditions, should be as restrictive as possible. The more inconvenient, the more secure!

Restrictive does not mean unable to be used – restrictive means opening up only the smallest keyhole in your firewall security to allow communications that you know to occur between devices that you know. Restrictive means re-taking control.



Parting thought ... for you to ponder

The continual evolution of technology and emergence of new technology (reality check - for all practical purposes the Internet didn’t even exist until the 1990s) brings many benefit and opportunities. It also brings an equivalent number of challenges.

I don’t generally agree with the idea that new technologies are conceived with bad intentions. I absolutely do agree that bad people identify ways to exploit good things.

The security of everything relating to your use of technology is something that should be carefully considered and tightly controlled.

Anyone and everyone that ignores or neglects security in favour of immediate gratification will, sooner than later, pay a hefty price for that erroneous decision.