If you’ve already disabled UPnP in your home router and its cousin NAT-PMP, consider yourself ahead of the curve. For the rest of you who are blissfully unaware that UPnP exists and is likely enabled on your home network, it’s time to get educated. Universal Plug and Play, aka UPnP, is a collection of technologies that work together to enable zero-configuration for your networked devices and services, which sounds great until you realize that this happens without asking for permission from the user or even notifying them that it’s going to happen.
This lets you do things like play multiplayer games without a centralized server, because the game can punch a hole through your firewall to receive connections when necessary. It also simplifies network discovery, so your laptop can see your networked printer, for example. But it was never designed to be used on the open internet. At inception, it was meant to simplify the complicated process of setting up your home network, which would have been fine if it had stayed that way. But eventually, manufacturers decided it was a good idea to let devices open ports on your firewall without authentication, and that’s the mess we’re in now, and the main reason you should turn it off.
It’s a massive security risk
No, really it is, and in so many ways
Modern network security has moved to a zero-trust model where every individual app, device, and user needs to authenticate to access other services. This is optimal for keeping safe online, and it’s a very good thing indeed, even if it does have a minor inconvenience here and there.
UPnP, on the other hand, is a product of a different era of networking, where the engineers in charge knew that to enable widespread internet adoption, some shortcuts had to be taken to reduce the setup friction. One of those shortcuts was letting UPnP open ports through your firewall without any authentication, which is a little like opening your front door to anyone who knocks without looking first. There are ways to secure UPnP, but they are rarely used in practice, because they mean additional development costs.
In 2020, the CallStranger vulnerability was disclosed. Unlike many security vulnerabilities that only affect specific manufacturers or devices, CallStranger is a protocol vulnerability that affects every UPnP device. It allows an attacker outside your home network to use any Internet-facing UPnP device to scan your home network for internal ports, carry out amplified DDoS attacks, and bypass network security devices to siphon off your private data. In short, it’s bad, and UPnP is the lever that enables it.
This is only the latest in a long line of UPnP vulnerabilities, and some would argue that the protocol itself is a vulnerability because of the lack of authentication methods. It’s best not to use it at all on your home network. The list of issues far outweighs the slim benefits.
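Here is what "opening ports without authentication" looks like at the protocol level, as an added example that is not from the original article: a small Python audit helper that recognises a router advertising the IGD port-mapping service in its SSDP reply, builds the unauthenticated GetGenericPortMappingEntry request, and flags mappings that are open to any remote host or never expire. The SSDP and SOAP replies, the addresses and the mapping values are constructed samples (assumptions), so the block runs offline.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Constructed samples (not captured from a real router): an SSDP reply to an
# M-SEARCH for the IGD service, and one GetGenericPortMappingEntry SOAP reply.
SSDP_REPLY = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
              "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
              f"ST: {IGD_SVC}\r\nUSN: uuid:CONSTRUCTED-SAMPLE::{IGD_SVC}\r\n\r\n")
SOAP_REPLY = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
              f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SVC}">'
              "<NewRemoteHost></NewRemoteHost><NewExternalPort>3074</NewExternalPort>"
              "<NewProtocol>UDP</NewProtocol><NewInternalPort>3074</NewInternalPort>"
              "<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>"
              "<NewPortMappingDescription>game console</NewPortMappingDescription>"
              "<NewLeaseDuration>0</NewLeaseDuration>"
              "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

def igd_location(reply):
    """Return the LOCATION URL when an SSDP 200 OK reply announces a WAN*Connection
    service (the unauthenticated IGD port-mapping API); None when it does not."""
    headers = {}
    for line in reply.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    st = headers.get("st", "") + headers.get("usn", "")
    if "WANIPConnection" in st or "WANPPPConnection" in st:
        return headers.get("location")
    return None

def port_mapping_request(index):
    """SOAP body asking for mapping number `index` (a live audit counts up until
    the router answers with UPnP error 713, SpecifiedArrayIndexInvalid)."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_SVC}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>")

def parse_port_mapping(soap_reply):
    """Return one mapping as {tag: text}; an empty NewRemoteHost means any source."""
    body = ET.fromstring(soap_reply).find("{%s}Body" % SOAP_NS)
    response = next(iter(body))  # the single *Response element
    return {child.tag: child.text or "" for child in response}

def mapping_findings(mapping):
    """Defender's view of one mapping: reachable from any host, and never expiring."""
    checks = (("NewRemoteHost", "", "open to any remote host"),
              ("NewLeaseDuration", "0", "permanent mapping (lease 0)"))
    return [msg for key, bad, msg in checks if mapping.get(key) == bad]
```

On a live network the SSDP reply comes back from an M-SEARCH sent to 239.255.255.250:1900 over UDP, and the SOAP body is POSTed with a SOAPAction header to the service's controlURL taken from the device description at LOCATION; note that nothing in that exchange asks who you are.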
Your consoles don’t need it for multiplayer (mostly)
With a few exceptions, this generation of consoles has moved on to newer technologies
Console gaming has long relied on UPnP to connect players in online multiplayer matches to one another, as the industry moved from a server-client model to peer-to-peer networking. It doesn’t always work properly, though, because of double NAT situations and CGNAT, leading to subpar online experiences and the threat of weaker security. With a few notable exceptions (Nintendo, I’m looking at you), online gaming has moved on to newer, safer technologies to provide the same serverless networking that game studios are used to coding, and you can likely turn off UPnP without worrying about not getting into lobbies.
Multiplayer gaming favors NAT punching or traversal these days, the same technology that Tailscale and other next-gen VPN solutions use to connect through your firewall without opening ports to the broader internet. The end result is that you can still play multiplayer without UPnP (in most situations), and you can finally turn it off in your router.
If you’re a retro gaming fan and use older consoles, and the multiplayer servers for those console games are still running, you might need UPnP. You can get around that by putting that one console in a DMZ, where your router’s firewall does not protect it, while the rest of your home network stays protected.
Your IoT devices might betray you
Do you really want your light bulbs to be your downfall?
UPnP is a favorite of IoT devices for setup and ongoing use, which is nice when you want your light bulbs to respond to voice commands, but not so nice when you realize what might happen due to the weakening of security practices on your home network. Short of putting your IoT devices on their own network and not allowing them direct internet access at all (which I understand is not possible for everyone), turning off UPnP removes one of the biggest security issues with smart devices.
UPnP has been used to turn routers into botnets for DDoS attacks, and has repeatedly been shown to be insecure and ripe for exploitation. Add that to the already low security practices of your average IoT manufacturer, and that’s a combination that I don’t want on my home network, and neither should anyone. In 2019, a large-scale attack on Chromecast devices and printers showed exactly why, and while the attackers only used them to show off YouTube videos promoting popular gamer PewDiePie, it wouldn’t have happened without UPnP being enabled on those devices.
Your home network should only be for trusted devices and services
There’s a big reason we love OPNsense and suggest it as a replacement for your ISP router whenever possible. It has a security-by-default design, with features like UPnP disabled out of the box, because why would you set up an enterprise firewall and then let devices automatically bypass your rules? That doesn’t mean you can’t carefully set up rules that allow the ports your console or other devices need, but it does take a little more thought and effort.
That extra effort can only be a good thing for the security of your home network. Consumer routers take a few liberties with security so that they’re easier for the user to set up and operate, and it’s on you to turn off potentially unsafe features. Your home network should be as secure as your physical location, and leaving things like UPnP enabled reduces your overall security.