Back to Networking
UPnP Security
Risks and recommendations
Security Recommendation
UPnP should be disabled on enterprise and most home networks. It allows any device to open firewall ports without authentication.
What is UPnP?
Universal Plug and Play (UPnP) is a protocol that allows devices to automatically discover each other and open ports on routers/firewalls.
Common Uses
- * Gaming consoles (Xbox, PlayStation) for multiplayer
- * VoIP phones and video conferencing
- * Media streaming devices
- * BitTorrent clients
- * Smart home devices
Security Risks
Why UPnP is Dangerous
- No authentication:
Any device on the network can request port forwards
- Malware abuse:
Trojans use UPnP to open backdoors through firewalls
- Amplification attacks:
Can be used for DDoS reflection
- Information disclosure:
Reveals internal network topology
Real-World Exploits
- * Mirai botnet exploited UPnP vulnerabilities
- * Flash UPnP attacks from browser JavaScript
- * Router vulnerabilities exposed via UPnP
Recommendations
Enterprise Networks
- ✕Disable UPnP completely on all firewalls
- ✓Use manual port forwards for required services
- ✓Document all open ports and their purpose
- ✓Use VPN for remote access instead of port forwards
Home Networks
- !Disable if possible; manually forward needed ports
- !If required for gaming, isolate IoT devices on separate VLAN
- ✓Keep router firmware updated
- ✓Regularly audit open ports
Disabling UPnP
Common Locations
| Device | Setting Location |
|---|---|
| WatchGuard | Policy Manager > Setup > Feature Keys (not supported) |
| pfSense | Services > UPnP & NAT-PMP > Disable |
| Consumer routers | Usually under WAN, NAT, or Advanced settings |
| UniFi | Settings > Internet > WAN > Disable UPnP |
Alternatives to UPnP
- Manual port forwarding:
Configure specific ports for specific devices
- VPN access:
Connect to home network securely from outside
- Cloud relay services:
Many IoT devices work without port forwards
- DMZ for gaming:
Last resort - exposes device fully to internet