Although there have been fundamental problems & security issues with UPnP for over a decade, those are small potatoes compared to this new UPnP security flaw reported at the end of January 2013. UPnP has always been assumed to be applicable only to the LAN-side of your router (i.e., your home network). This new flaw effects the WAN-side of your router, meaning someone on the internet can easily use UPnP to exploit your router & network. Approximately 6,900 products (including popular routers) from over 1500 vendors are susceptible to this UPnP vulnerably. Rapid7 is credited with the discovery of the UPnP security flaw and they strongly recommend disabling UPnP on all internet-facing systems & replacing routers that do not provide the ability to disable this protocol. They’ve produced a whitepaper on this security flaw here. An extensive list of the vulnerable routers is posted here.
If you haven’t done so already, I strongly recommend you test your router for the presence of this vulnerability. Over 81 million individual routers were discovered to be vulnerable as of January 30th, 2013. Steve Gibson of Gibson Research Corporation (grc.com) has added a vulnerability test on his “ShieldsUP!” web page located here. Just click on the “Proceed” button, followed by clicking on “GRC’s Instant UPnP Exposure Test.”
In addition, Steve Gibson & Leo Laporte have a detailed discussion of the UPnP Security Flaw in their Security Now podcast, Episode #389. You can find the audio, pdf and html files for this podcast on the “Security Now” homepage.
Here’s hopin’ that your router passes the vulnerability test!