Universal plug and play (ITSAP.00.008)

Universal plug and play (UPnP) is a protocol that allows devices on the same network to automatically discover, connect to and interact with one another. Common examples of devices that use UPnP include:

  • mobile devices
  • smart devices (for example, speakers, televisions and cameras)
  • computers
  • gaming systems
  • printers
  • Wi-Fi devices
  • routers

While UPnP services can be convenient for automating device connectivity, it can expose you to several security risks. We therefore recommend disabling UPnP, especially on perimeter devices such as home routers that manage firewalls, switches and Wi-Fi access points for other connected devices. Before you disable UPnP, check what level of security your devices need, since some require the service to work properly.

On this page

How universal plug and play is used

UPnP is used to connect devices seamlessly within a local network. It allows you to automatically connect smart devices, gaming consoles and computers, media streaming devices and remote device control. UPnP allows compatible devices to interact and work together within a related network for versatility and convenience. Here are some examples of how UPnP is commonly used.

Smart devices

Smart devices use UPnP to communicate with each other, allowing them to automatically adjust settings or change their environment based on the actions of other devices. For example, smart lighting that changes colour or brightness in response to temperature changes detected by a connected smart thermostat.

Gaming consoles and computers

Gaming consoles can discover and connect with each other to join multiplayer sessions and share game content in real time.

Media streaming

Devices that support media streaming can share and stream videos, music and photos among other UPnP-enabled devices.

Remote access

You can use remote device control from a smartphone or computer to control actions or settings on UPnP-supported devices. For example, UPnP can be used to remotely lock or unlock a smart lock to your house.

Related risks

While UPnP-enabled devices are convenient, they also introduce potential security risks because they often operate with minimal authentication or access controls. As a result, devices and networks using UPnP may be exposed to several common threats that can compromise security and privacy.

Malware

Threat actors can compromise UPnP-enabled devices with malware. For example, they may use distributed denial-of-service (DDoS) attacks to configure UPnP devices to be accessible and ready to receive and send data.

Unauthorized access

Any UPnP devices connected to a common network can be compromised by someone who gains access to that network. This could be a threat actor exploiting a device connected to the network or a local user accessing a connected device (for example, an insider threat).

The two main ways devices using UPnP on a network can be compromised include:

  • external threats: attackers who gain unauthorized access to your network (for example, by exploiting a vulnerable device) can target UPnP-enabled devices to manipulate device settings, intercept communications, or install malware
  • insider threats: individuals with legitimate access to the local network that tamper with or misuse UPnP-connected devices, including reconfiguring devices, accessing sensitive data or intentionally weakening network security

Network configuration

UPnP offers control of network configuration settings, such as port forwarding, which threat actors can leverage to bypass firewalls, change access lists, or modify security measures. This makes it difficult to detect and block malicious traffic. Threat actors can also use a UPnP-connected device to manipulate network configuration to expose router web administration details, redirect traffic to malicious external servers, modify credentials and control internal connections and device activities.

Data sharing

Connected UPnP devices share data that allows them to interact with each other and to action certain activities. This can pose a privacy risk if devices that handle sensitive information connect and share data with other devices on the network.

How to secure your devices

The most effective way to protect against UPnP-related attacks is to disable the service entirely. If disabling UPnP is not an option, you can reduce vulnerabilities to your network by:

  • restricting UPnP access by creating a virtual local area network (VLAN) or a separate network zone to isolate UPnP-enabled devices from other devices on your network
  • updating devices regularly and enabling automatic updates where available to further mitigate the risk of threat actors taking control of your devices and leveraging UPnP protocols maliciously
  • logging and regularly monitoring device activity for any irregularities and potential threats
  • regularly reviewing security settings and port-forwarding rules on your router and any other networking devices you own
  • keeping up to date with new and emerging technologies and threats by reading Cyber Centre resources and publications
  • training employees on and spreading awareness of cyber security best practices to identify, understand and manage potential threats to your systems
  • using Canadian Internet Registry Authority (CIRA) tools and services to strengthen security if your router needs to be UPnP-enabled

How to disable universal plug and play on a home router

The steps to disable UPnP on your home router will vary depending on the make and model of the router, but generally, you should follow these 3 steps:

  1. Log into your router's administrative or configuration webpage
  2. Select the UPnP settings that are often found under the "advanced" or the "NAT forwarding" configuration options
  3. Choose the option to "disable UPnP"

If you choose not to disable UPnP on your home router, you can block ports associated with UPnP at the Internet gateway. This helps prevent unauthorized external devices from accessing internal devices using UPnP.

Learn more

Date modified: