It’s been known for a long time that the plug and play features in most internet routers are a security risk. The general advice has been to turn it off in the settings, but most games machines use the feature to punch a hole through the firewall built into the router. For those people who really need it, the advice has been to use a second router (via DMZ) to connect games machines to the internet. But plug and play was only supposed to allow control of the firewall from inside the local network.
But now all that has changed!
I group of researchers at Rapid7 have written a white paper describing how they scanned the internet for routers and found that 2.2% of all addresses scanned had the plug and play functionality of the router expose to the outside world. This means that ANYONE can circumvent the routers firewall, get into the home or business network and start attacking the systems inside. This is a VERY bad thing! Worst still, even if you turn off plug and play in the router settings it still remains on to the outside world.
The problem has been caused by errors in some standard software libraries (libupnp) and bad implementation of the software by router manufacturers. It seems to be a problem in older router models from ALL manufacturers.
So what can you do?
The first thing you need to do is find out if your router has the vulnerability. Rapid7 have come up with a web tool to find the problem for you: Click here to run it.
My router failed the test. What should I do now?
You have two possible options:
- Check your router manufacturers website to see if there is a firmware update. The problem in the software was fixed some time ago and the manufacturer may have produced an update. Follow your routers instructions to install the update and then test it again with the link above.
- If that fails, get a new router. If it’s still under warranty, take it back to the vendor and demand a replacement. Your router is not fit for the purpose it was sold and your statutory rights may still cover it if the warranty has expired. Don’t forget to test your new router after installing it.
If you have any questions or need more information, please leave a comment.