UPnP is super convenient, making it easier to connect your digital devices to your home network — simply plug in your new device, and away you go. But is it safe? Should you or shouldn’t you turn on UPnP? Read on to learn all you need to know — plus discover how to strengthen your devices’ protection from online threats with Avira Free Security.
What is UPnP and what’s it for?
UPnP is something you’ve probably come across before. Thanks to this technology, you can simply connect peripherals like a mouse, keyboard, or external hard drive to your computer and start using them right away without having to configure any settings or install device drivers.
UPnP takes the plug and play peripheral model a step further, extending it to the entire network environment to make it easier to connect devices digitally in a home network. It was developed by the UPnP Implementers Corporation (UPnP-IC) to enable automatic configuration and communication of network devices in a network infrastructure, and was originally introduced by Microsoft.
Thanks to UPnP, you don’t have to manually assign IP addresses to devices or set up port forwarding on the router for internet access. UPnP devices include printers, IP cameras, audio devices, routers such as the FritzBox, video game consoles like the Xbox, as well as smart household appliances and TVs.
Using UPnP, these devices can automatically identify themselves, share their services and files, and communicate and interact with each other. All a device needs is a private IP address for identification and an implemented UPnP protocol for communication. The UPnP protocol is based on a set of standardized network protocols, procedures, and file formats that enable automatic configuration and seamless interoperability of devices in an IP-based network.
These include:
- The basic Internet Protocol (IP) for addressing and routing of data packets
- The Simple Service Discovery Protocol (SSDP) to identify and discover devices and services and to display their status and availability
- The Simple Object Access Protocol (SOAP) for communication between devices
- The Extensible Markup Language (XML) to describe the devices and their services
- The Hypertext Transfer Protocol (HTTP) to transmit control messages
- The Transmission Control Protocol (TCP) for data transfer
- The User Datagram Protocol (UDP) for data transmission (mostly for multicast communication, where messages are sent to several devices simultaneously, for example to announce the availability of services or to communicate events)
In addition to these protocols, various transport media can be used to establish the connection between the devices, such as Ethernet, radio (Bluetooth and Wi-Fi), and FireWire.
The “universal” in Universal Plug and Play refers not only to the internet-based technologies but also to the media, device, platform, and manufacturer independence of UPnP technology. Back in 2003, 250 manufacturers joined forces in the Digital Living Network Alliance (DLNA) to provide a seamless way for multimedia devices in home networks to communicate with each other and share content. Certain minimum standards were established for this, including UPnP from which DLNA is derived — which is why the terms UPnP and DLNA are sometimes used interchangeably. Since the association dissolved in 2017, the successor company SpireSpark now issues DLNA certificates.
How does UPnP work?
UPnP devices and applications can be roughly divided into two categories: Control points and controlled devices. Whereas a controlled device provides services, a control point accesses them and gives them instructions. In principle, a device can function both as a control point and a controlled device. This means a computer, for instance, can act as a control point for a printer and issue a print job to it and at the same time also serve as a controlled device for a multimedia player by providing it with content.
Looking at it through the lens of the traditional client-server model, in the first case the computer acts as a UPnP client that uses the printer’s services. In the second case, it acts as a UPnP server that provides media content that another UPnP client can access and play.
UPnP AV (Universal Plug and Play Audio/Video) is an extension of the UPnP protocol that was specifically developed for networking and controlling audio and video devices. In this case, the control points are called renderers (playback devices) and the controlled devices are called media servers (data sources). The optional control point connects the two and serves as a central control interface, like a smartphone app or a smart home assistant such as Amazon Echo.
Here are the 6 main steps to the UPnP process:
- Addressing: A new device joins the network and is assigned an IP address.
- Discovery: The UPnP device identifies itself to other devices on the network using this IP address and other basic information (such as device name, device type, and device URL). They can now discover and locate the device.
- Description: The other devices use specific URLs contained in the new device’s description file to retrieve further relevant information, such as capabilities and services offered or searched for. They can now interact with it and access the new device’s features and services or accept requests from it.
- Control: By transmitting control messages, UPnP devices can communicate with each other and send and receive instructions to perform certain actions.
- Eventing: To avoid having to constantly query the status of the other devices, the devices can subscribe to event notifications. This way, they will be informed automatically when their services are required.
- Presentation: As an alternative to the control and event notification steps, devices can also retrieve the required information about another device via a presentation URL and use it to communicate with the device. In addition to access over UPnP, a control point can retrieve a page from this URL, load it into a web browser, and display an alternative user interface.
UPnP-enabled devices and applications
Network-enabled devices and applications that support the UPnP protocol include:
- Routers: UPnP-enabled routers such as the FritzBox support automatic port forwarding and enable devices on the network to independently open ports to access certain internet services.
- Playback devices and streaming devices: These devices can retrieve local multimedia content from a UPnP server or stream content from an online service and play it on a connected screen or audio system. These include multimedia players, Blu-ray players, smart TVs, TV set-top boxes, and sticks.
- Smart speakers: Smart speakers such as Amazon Echo and Google Home can use UPnP to play music from a UPnP server on the network, access IoT (Internet of Things) devices, and control various smart home functions.
- Smart home devices: These devices are also referred to as IoT devices and are equipped with smart features. In addition to smart TVs and speakers, these also include devices for remote monitoring and control of the home.
- Video game consoles: UPnP-enabled video game consoles like the PlayStation, Xbox, or Nintendo Switch not only offer online gaming services but can also be used as media centers and retrieve and play multimedia content from other devices on the network.
- AV receivers and audio systems: UPnP-enabled AV receivers and multi-room audio systems can play music from various sources on the network.
- Multimedia servers: UPnP servers can deliver multimedia content over the network and allow other devices to access it.
- Media player apps: UPnP-enabled applications such as VLC Media Player can retrieve and play multimedia content from a UPnP server on the network.
Streaming via a media or UPnP server
To access the streaming content of another device using devices such as a smartphone, tablet, video game console, or smart TV, the device must act as a UPnP server. As a UPnP server, the device allows other devices on the network to access its stored media content, such as image, music, or video files. To play the content, the accessing devices require a corresponding function or a media player app such as VLC Media Player, which is also available for smartphones and tablets.
Windows computers can be turned into a UPnP server or media server using the Turn on media streaming option. Starting with version 11, Windows Media Player has an integrated UPnP server feature that allows you to share multimedia content over the network. By contrast, Universal Media Server is a platform-independent UPnP server and allows content from Mac or Linux computers to be played on smart TVs, smartphones, or any other UPnP-enabled device.
How safe is UPnP?
The advantages of UPnP are obvious — but what about the disadvantages? Unfortunately, there are also potential security risks and using UPnP can be dangerous. The biggest vulnerability lies in automatic port forwarding, which allows devices to open and forward ports on their own to communicate with the internet. Cybercriminals can use this feature to gain unauthorized access and, for example, inject malware like ransomware or Trojans.
If a device gets infected with malware, such as through a phishing attack or an attack on the router, the malware can also use UPnP to search for other vulnerable devices on the network and infect them as well. They often achieve this by exploiting security vulnerabilities on UPnP-enabled devices or vulnerabilities in the UPnP implementation. Smart devices can then also end up getting added to a botnet and used for DDoS attacks.
Once cybercriminals gain access to the network, they can:
- Set up malicious port forwarding
- Take control of connected devices
- Remotely access devices connected to the network
- Inject more malware
- Steal sensitive information such as personal data or passwords
- Misuse routers for their own purposes, e.g. as proxy servers
- Use the network for attacks, e.g. to build a botnet
How to turn UPnP on or off
On most routers, there are two setting options that are relevant to UPnP: Automatic port forwarding and the transmission of status information. However, turning on automatic port forwarding can pose a security risk and in most cases is something you don’t really need to do.
1. Automatic port forwarding over UPnP
For security reasons, automatic port forwarding over UPnP is often turned off by default so you need to turn it on manually. We recommend only turning it on when needed for specific applications or devices.
You can turn automatic port forwarding on or off on routers such as the FritzBox in the Internet menu under Port Forwarding by setting or removing a check mark next to Allow changes to security settings over UPnP.
If you get the error message UPnP not successful on your Xbox or other video game console, you can also check via the above settings whether automatic port forwarding is enabled on your router — and turn it on if necessary.
If you choose to turn off automatic port forwarding over UPnP on your router for security reasons, you can also set up port forwards manually, if needed. These are required for services that need to access certain ports from outside the network, such as applications for online games or surveillance cameras.
You can also set up what’s called static port forwarding for individual services and devices on the FritzBox under Port Forwarding. There, select the device for which you want to forward the ports and enter the relevant information (such as the port number and IP protocol).
If you only want to authorize certain devices for automatic port forwarding, you can do this on the Network Connections tab, which is located on the FritzBox in the Home Network menu under Network. Select the desired device and turn on the option Allow independent port forwarding for this device.
The descriptions in the user interface menu may vary depending on your router model. Certain routers, such as some Vodafone models, don’t even offer automatic port forwarding over UPnP or only to a limited degree.
2. Transmitting status information over UPnP
You can also usually turn on or off the transmission of status information required for communication and interaction over UPnP. The option Transmit status information over UPnP can be found on a FritzBox in the network settings in the Home Network menu under Network.
How to protect yourself from attacks over UPnP
Like computers, routers have a firewall that monitors inbound and outbound network traffic and blocks potentially malicious activity. As such, keep your router’s firewall or firmware up to date to close security holes. Also turn off automatic port forwarding over UPnP and generally increase your router security by selecting WPA2 encryption and changing your router’s default password.
It’s also a good idea to keep all other devices on your home network up to date and protected from malware and other online threats — regardless of whether you turn UPnP on or off. For computers, multi-layered cyberprotection solutions like Avira Free Security are perfect for this task as they include a software updater and many other features alongside virus protection. You can also improve the protection of your mobile devices with Avira Antivirus Security for Android and Avira Mobile Security for iOS.