Universal Plug-n-Play routers are a security issue that end-users and administrators should be or become familiar with. I was listening to the latest Security Now! security pod cast (http://www.grc.com/securitynow.htm), as discussed in my latest InfoWorld column (http://www.infoworld.com/article/06/02/17/75431_08OPsecadvise_1.html), and heard Steve Gibson's concern about UPnP-enabled routers and firewalls. UPnP- Universal Plug-n-Play routers are a security issue that end-users and administrators should be or become familiar with.I was listening to the latest Security Now! security pod cast (http://www.grc.com/securitynow.htm), as discussed in my latest InfoWorld column (http://www.infoworld.com/article/06/02/17/75431_08OPsecadvise_1.html), and heard Steve Gibson’s concern about UPnP-enabled routers and firewalls.UPnP-enabled network devices (normally home-based firewalls, routers, switches, cable modems, etc.) will automatically open up outbound and/or inbound network ports if requested by an UPnP-enabled application. For instance, a user installs a P2P chat application. It can open up the necessary ports in a user’s host-based firewall or hardware network device in order to allow it’s P2P functionality to work. It does this during the installation of the program and usually without notification to the user. As readers of my past rant against Microsoft’s OneCare service will remember, I’m not a fan of anything that automatically circumvents user-established firewall policy without notification.UPnP devices have been around for a few years now. A non-inclusive list of routers and NAT devices that support UPnP is http://www.dslreports.com/faq/5310. As you can see, even this small list displays some of the most world’s most popular home-based routers and host-based firewalls.As Steve Gibson pointed out in his podcast, it isn’t too far fetched to believe that malware may someday implement UPnP coding to circumvent firewalls.Readers of this column should be familiar with UPnP-based network and firewall devices. Make sure any UPnP-based functionality is disabled in any device you buy, unless you want to manage the inherent risk. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe