Filet-o-Firewall: new vulnerabilities in UPnP expose the whole network

Routers are again becoming a source of cyberthreats as a new batch of security vulnerabilities in UPnP were publicized earlier this month.

Routers are again becoming a source of cyberthreats as a new batch of security vulnerabilities in UPnP were publicized earlier this month. UPnP is a set of networking protocols widely used in home routers. Its purpose is to automatically discover devices on a network and interact with them.

New vulnerabilities are reported to allow for an attack that takes less than 20 seconds; any router running UPnP is at risk, researchers said.


The new set of flaws received a somewhat funny name “Filet-o-Firewall”. What it allows is not funny: according to Threatpost, “it combines a number of vulnerabilities and weaknesses in routing protocols and browsers, conspiring to expose networked devices behind a firewall to the open Internet.”

Essentially, the attack requires a specially crafted website that may cause a user who is running Chrome or Firefox browsers with JavaScript enabled to make arbitrary UPnP requests to their firewall, exposing any or even all devices behind a user’s firewall directly to the Internet. It would, however, require additional effort to “excavate” any data of interest to the hacker, but in case he or she is experienced enough, it’s not rocket science to do that.

Making users with a JavaScript-enabled browser visit an attacker’s website is a relatively easy endeavor, too.

It is important to mention that the vulnerability is reported to be “logic-based”: “It does not reside in a specific piece of code. It is a result of many different attacks combined into one and designed to target the UPnP service on home routers”.

An important note from CERT

CERT’s advisory says the main problem is that home routers implementing the UPnP protocol don’t sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures.

UPnP protocol, CERT note reads, “was originally designed with the threat model of being on a private network (not available to the WAN) restricted to only authorized users, and therefore does not by default implement authentication.”

A big mistake. Later, there was a UPnP Security standard developed, but its support and deployment were “extremely limited”. The reason: “cumbersome user experience” and “lack of industry buy-in of advanced features such as Public Key Infrastructure”.

Let us read more: “Poor adoption of the security standard may broadly open up opportunities for an attacker with private network access to guess the UPnP Control URLs for many devices currently on the market. If the guess is correct, the attacker may utilize UPnP to make changes to the home router’s configuration such as opening ports and enabling services that allow an attacker further access to the network.”

And since many manufacturers use the standardized UPnP Control URL names a correct guess is very likely.

In a case of success, an attack can open firewall ports and issue administrative commands on a router.

Not the first time

It’s not the first time UPnP was the cause of severe headaches. Back in 2013, researchers took a look at the overall security status of the UPnP-enabled devices and discovered that of the 80 million devices responding to UPnP requests on the Web, up to 50 million were vulnerable to various attacks.

Basically, UPnP is a security deficiency on its own.

Fix by amputation

There is no cure for the problem as of now; no full solution, only workarounds including the hard ones: Consider disabling UPnP services completely, unless they are absolutely necessary. Randomizing UPnP UUID and URLs would help, too.

Home routers are occasionally used by small businesses and home offices, so it is recommended to pay attention to both the problem and its workarounds.

The list of affected devices is assembled here; it is further recommended to employ additional protection tools such as Kaspersky Small Office Security to protect the network from attacks.