undefined | Better HN

0 pointscassianoleal4y ago0 comments

* Scenario 1:

Malware running on your network requests port over UPnP. Router accepts it. Hacker has direct inbound access to code they control.

* Scenario 2:

Malware running on your network requests port over UPnP. Router denies it (UPnP is disabled). Malware doesn't know how to open a reverse tunnel. No inbound access.

* Scenario 3:

Same as 2, but malware sets up reverse tunnel. Hacker is in.

* Scenario 4:

Buggy and/or sloppy firmware that's not otherwise malicious requests port over UPnP even though it doesn't need to receive connections from the Internet. Router allows it. Hackers know about this slop and other CVEs on device. Network compromised.

* Scenario 5:

Same firmware from 4, but this time UPnP is disabled on router. It's safe to say this non-malicious firmware doesn't set up a reverse tunnel. No inbound access.

This is obviously a very simple threat model but from here you can see that 2 out of 5 attack scenarios would have been prevented by disabling UPnP on the router.

0 comments

IshKebab4y ago

> Malware doesn't know how to open a reverse tunnel.

So this is useful if malware authors are just incredibly dumb?

Unconvincing. The only reason to disable UPnP seems to be "it might be really buggy" but that's true of all software and we don't disable all software. Yes, security in depth but that's taking it to a ridiculous extreme.

GekkePrutser4y ago

No, the malware authors just target the least secure userbase. Because there's plenty of them to exploit. Why put in the extra work if you have plenty of weak targets?

Physical security works the same way. The point is to have better locks on your bike than the one beside it.

And opening ports reduces the need for central infrastructure for the malware makers, which leads to less chance of being discovered (no money trails etc).

PS Speaking of run of the mill malware/ransomware here obviously. If you get targeted by state actors you can kiss your ass goodbye either way :)

tjoff4y ago

No, it's insanely useful in the vast majority of cases.

By many many orders of magnitude the most common scenarios are 4 and 5.

This is not a ridiculous extreme. It is the easiest and most effective thing you could do.

j / k navigate · click thread line to collapse