App to Test UPnP for External Discoverability

As much as I would like to recommend simply disabling UPnP and being done with it, there is no complete replacement for it, from what I can gather, in a day-to-day home network environment. It warrants a separate write-up, but long story short, on IPv4 with NAT there is no theoretical replacement for UPnP yet.

With UPnP, modern devices and services use ports more dynamically. Services are no longer restricted to one or two ports; they automatically pick one from a wide range, and there is bound to be sizable overlap between different services. On top of that, port forwarding to a single address becomes untenable as identical devices become more common (e.g. multiple IoT devices of the same kind on the same network), which makes a static setup unmanageable. Imagine having to explain all that to average users who prefer a ‘buy-and-forget’ type of router. It is more practical to convince users to buy a more secure router than to do all that.

This is where GRC’s ShieldsUP! comes into play. It checks for the infamous UPnP vulnerability where a router responds to UPnP queries coming from the outside (it shouldn’t). The site itself is full of resources, and even on the result page it explains the details of what it has found about your network setup. It’s a useful resource for anyone who wants to check whether their router is up to date, which, by the way, means you should have kept your router firmware up to date as well.
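As an added example (not from the original post and not GRC's code), here is a small Python check for the same condition ShieldsUP! tests, but taken from the defender's side: it reads router firewall log lines and flags SSDP (UDP port 1900) traffic on the WAN interface. An inbound query from a public address is only a probe; a reply leaving the WAN interface with source port 1900 means the router answered, which is exactly the exposure ShieldsUP! reports. The log format, the interface name `wan0`, and the addresses are constructed assumptions, not the author's data.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

SSDP_PORT = 1900
# Assumption: the router's WAN-facing interface is called wan0.
WAN_INTERFACES = {"wan0"}

# Addresses that belong "inside" the home network or are never routable on the WAN.
# Listed explicitly rather than via ipaddress.is_private so that documentation
# addresses used in the constructed sample (198.51.100.x, 203.0.113.x) count as outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",    # link-local, loopback, multicast
)]

# Constructed sample log in a simplified iptables-LOG-like key=value format.
SAMPLE_LOG = """\
IN=wan0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=40123 DPT=1900
IN= OUT=wan0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=UDP SPT=1900 DPT=40123
IN=lan0 OUT= SRC=192.168.1.23 DST=239.255.255.250 PROTO=UDP SPT=50000 DPT=1900
IN=wan0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=5555 DPT=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    line_no: int
    kind: str   # "probe": an outside host asked; "exposed": the router answered
    peer: str   # the outside address involved


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'KEY=value KEY=value' into a dict; empty values are simply absent."""
    return dict(FIELD_RE.findall(line))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = parse_line(line)
        if f.get("PROTO") != "UDP":
            continue  # SSDP discovery is UDP only
        dpt = int(f.get("DPT", 0))
        spt = int(f.get("SPT", 0))
        # Inbound SSDP query on the WAN side from a non-internal address: a probe.
        if f.get("IN") in WAN_INTERFACES and dpt == SSDP_PORT and not is_internal(f["SRC"]):
            findings.append(Finding(n, "probe", f["SRC"]))
        # Packet leaving via the WAN with source port 1900 toward a non-internal
        # address: the router replied to that probe, i.e. UPnP is reachable from outside.
        elif f.get("OUT") in WAN_INTERFACES and spt == SSDP_PORT and not is_internal(f["DST"]):
            findings.append(Finding(n, "exposed", f["DST"]))
        # LAN multicast to 239.255.255.250 (line 3 in the sample) is normal and ignored.
    return findings


def router_is_exposed(log_text: str) -> bool:
    """True only if the router actually answered an SSDP query on its WAN side."""
    return any(x.kind == "exposed" for x in analyse(log_text))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.kind} involving {finding.peer}")
    print("router exposed:", router_is_exposed(SAMPLE_LOG))
```

Probes alone are background noise on any public address and are not a finding against the router; the signal worth alerting on is the reply. If the firmware is correct, the query on the first line should be dropped and the second line never appears.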

Side note: these whole shenanigans behind UPnP, if I understood what I read correctly, stem mostly from the slow adoption of IPv6. The problem began with NAT and can only be resolved by rooting it out. There is still the issue of the firewall, but that was an unintended consequence of being unreachable behind IPv4 NAT. With IPv6, we won’t need routers handing out ports to devices, as each device would have a public address. It is a messy fix to a messy problem. I believe it would be worthwhile to find out the hidden cost of operating IPv4: the network overhead and the hardware costs of keeping the limited protocol functional.
