Universal plug and play

from Wikipedia, the free encyclopedia

Universal Plug and Play (UPnP) is used for manufacturer-independent control of devices (audio devices, routers, printers, house controls) via an IP-based network, with or without central control by a residential gateway. It is based on a number of standardized network protocols and data formats.


UPnP was originally introduced by Microsoft. In 1999 the UPnP forum took over the further development of the UPnP standard and the UPnP certification program. In January 2016, the UPnP forum handed over its tasks to the Open Connectivity Foundation (OCF).


UPnP is characterized in particular by the following features:

  • A control point (e.g. handheld) can find the devices (e.g. stereo) without user interaction.
  • All transport media that support IP communication can be used, e.g. Ethernet, radio (Bluetooth, Wireless LAN), FireWire (IEEE 1394).
  • Standardized protocols and procedures such as IP, UDP, Multicast, TCP, HTTP, XML, SOAP etc. are used.
  • A UPnP device or control point can be implemented on any IP-capable operating system and with a wide variety of programming languages.
  • UPnP offers options for manufacturer-specific extensions.

Procedure (UPnP Networking)

Protocols used in UPnP and services running over them

Addressing

Since UPnP is based on an IP network, a device or control point must first have a valid IP address. The way in which this IP address was obtained (e.g. DHCP, Zeroconf, manual IP configuration) does not matter.

Localization (Discovery)

As soon as a UPnP device has an IP address, it must report its existence in the network to the control points. This is done via UDP using the multicast address (in the case of IPv4) or FF0x::C (for IPv6) on the basis of the Simple Service Discovery Protocol (SSDP). Control points can also search for UPnP devices on the network. In both cases, the “discovery message” only contains the most important information about the device and its services, such as the device name, device type and a URL for a precise description of the device.

Description

After a control point has found a device, it fetches the description of the device via HTTP over TCP/IP from the URL that was communicated to it during localization. The device makes this available in the form of an XML document. The description contains information about the manufacturer, the serial number, URL addresses for the control, events and the presentation. For each service that a device offers, commands and actions as well as data types and data areas are specified. In addition to the services it offers, the description also includes all embedded devices and their services.

Control

Using the information that the control point has received from the description document of the device, it can now send SOAP messages to the control URL of the device in order to control it.

Event messages (Event Notification)

UPnP uses the XML-based General Event Notification Architecture (GENA) so that a device does not have to constantly query the status of a service or a status variable (contained in the description document of the device). With GENA, control points can subscribe to information on device status; this means that they are automatically informed of every change to a status variable. To this end, “event messages” are sent that contain the status of the subscribed variables that have changed.

Presentation

Presentation is an alternative to control and event messages. The device can be accessed using the web browser via the presentation URL, which is given in the description. This gives the manufacturer the option of providing an alternative user interface in addition to standardized access via UPnP.

Practical use

With the IGD protocol (Internet Gateway Device), UPnP offers a simple way for the user to instruct routers to open ports and forward the relevant requests from the Internet to a computer that is connected to the Internet via NAT. Such forwarding is necessary, for example, for file sharing, file transfers in instant messaging programs and video conferences. While fixed inbound ports can be set for some programs, for which manual, permanent forwarding rules are then created on the NAT router (with several workstation computers, each one has its own port with its own rule), other programs with variable inbound ports depend on UPnP, especially if several workstations use these services and not all potentially used ports can be forwarded to a single workstation. Windows Live Messenger, for example, depends on it. Programs such as µTorrent, Pidgin 2, Apple iChat, eMule, Miranda IM, Miranda NG, Transmission, Vuze and ANts P2P can also use it.

The convenience of the automatic port configuration is offset by a loss of security, because the firewall of a UPnP-capable router can be rendered ineffective by any malicious program that has reached the computer. However, this loss only occurs after a PC in the local network is infected with malware. Without access to the LAN, IGD is not a loss of security. It should be noted, however, that since January 2008 malware has been known that is hidden, for example, in Adobe Flash or JavaScript and can be executed without user interaction when simply visiting websites with a current web browser on the computer, thus allowing uninvited guests to penetrate the local network.
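The description document is where an administrator can see whether a device offers the IGD port-mapping services discussed here. The following is an added example, not part of the original article: it walks a description document, including embedded devices, and flags those services. The sample XML, the device names and the base URL used to resolve relative URLs are constructed assumptions; the namespace and service type prefixes are the standard UPnP ones.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
# Standard IGD service types that carry the port-mapping actions.
PORT_MAPPING = ("urn:schemas-upnp-org:service:WANIPConnection:",
                "urn:schemas-upnp-org:service:WANPPPConnection:")

# Constructed sample description (not captured from a real device).
SAMPLE = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
 <friendlyName>Example Router</friendlyName>
 <serviceList><service>
  <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
  <controlURL>/ctl/L3F</controlURL><eventSubURL>/evt/L3F</eventSubURL>
 </service></serviceList>
 <deviceList><device>
  <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
  <friendlyName>WAN Connection</friendlyName>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
   <controlURL>/ctl/IPConn</controlURL><eventSubURL>/evt/IPConn</eventSubURL>
  </service></serviceList>
 </device></deviceList>
</device></root>"""

def list_services(xml_text, base_url):
    """Return one dict per service, walking embedded devices recursively."""
    found = []

    def text(node, tag):
        return node.findtext("d:" + tag, default="", namespaces=NS).strip()

    def walk(dev):
        for svc in dev.findall("d:serviceList/d:service", NS):
            stype = text(svc, "serviceType")
            found.append({
                "device": text(dev, "friendlyName"),
                "type": stype,
                "control": urljoin(base_url, text(svc, "controlURL")),
                "event": urljoin(base_url, text(svc, "eventSubURL")),
                "port_mapping": stype.startswith(PORT_MAPPING),
            })
        for child in dev.findall("d:deviceList/d:device", NS):
            walk(child)

    # ElementTree is fine for this inline sample; use a hardened XML parser
    # for descriptions fetched from untrusted devices.
    walk(ET.fromstring(xml_text).find("d:device", NS))
    return found
```

A service with `port_mapping` set to true is one that any program on the LAN can ask to open inbound ports, which is the trade-off described above.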

Another common field of application is the distribution of multimedia content in the local network. Files are provided on a PC or NAS using a UPnP media server. Appropriate end devices (UPnP media renderers) can search, filter, sort and, of course, reproduce the contents of the server. Which formats are played back depends on the device. UPnP media renderers have been offered by various manufacturers for a number of years.

Vulnerabilities discovered in 2013

UPnP should only be activated on network interfaces for the local network and should not be accessible from the Internet. In January 2013, Boston-based security firm Rapid7 announced that it had been searching for UPnP devices on the Internet in a six-month project. It found 6,900 products from 1,500 manufacturers at 81 million IP addresses that responded to UPnP requests from the Internet. 80% of the devices are home routers for Internet access, other devices are printers, web cameras and surveillance cameras. These devices can be addressed or manipulated with the help of the UPnP protocol.

The UPnP forum responded to this in February 2013 with a press release, recommended newer versions of the UPnP stacks used, and stated that the certification programs should examine such problems more thoroughly.

In October 2016, the Federal Office for Information Security recommended deactivating the UPnP function on routers in order to prevent devices from the Internet of Things from being misused in botnets for denial of service attacks.

2020: CallStranger and UPnP Device Architecture 2.0 vulnerability

On June 8, 2020, Turkish security expert Yunus Çadırcı announced the CallStranger (CVE-2020-12695) vulnerability he had discovered. CallStranger is part of the subscribe function, via which UPnP devices can subscribe to status changes in other UPnP devices. The subscriber enters a target address in the form of a URL in the Callback field. If a UPnP device is accessible from the Internet, this can be used for DDoS attacks: the attacker stores the address of the victim on as many devices as possible, and the victim is then overwhelmed with status messages. Furthermore, protective measures such as data leakage prevention (DLP) can be bypassed in order to steal data from the local network. It can also be used to search for open ports. Çadırcı achieved a clarification of the protocol specifications at the OCF, which has been available since April 17, 2020 in the form of the UPnP Device Architecture 2.0.
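A device-side check on the Callback field, as an added example that is not part of the original article and not the wording of UPnP Device Architecture 2.0: a SUBSCRIBE request is accepted only if every callback URL points back at the subscriber itself inside the local network. The policy, the function names, the LAN prefix and the sample requests are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def callback_urls(request_text):
    """Return the <url> entries of the CALLBACK header of a SUBSCRIBE request."""
    for line in request_text.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^<>]+)>", value)
    return []

def subscribe_allowed(request_text, peer_ip, lan_cidr):
    """Assumed policy: accept only plain-HTTP callbacks to a literal IP that
    is the subscriber's own source address and lies inside the device's LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    peer = ipaddress.ip_address(peer_ip)
    urls = callback_urls(request_text)
    if not urls or peer not in lan:
        return False
    for url in urls:
        try:
            parts = urlsplit(url)
            host = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            return False  # malformed URL or a hostname: refuse, no DNS lookup
        if parts.scheme != "http" or host != peer:
            return False
    return True

def make_subscribe(*callbacks):
    """Build a constructed SUBSCRIBE request (sample data, not a capture)."""
    cb = "".join("<%s>" % c for c in callbacks)
    return ("SUBSCRIBE /evt/IPConn HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
            "CALLBACK: %s\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n" % cb)

LOCAL = make_subscribe("http://192.168.1.20:8080/evt")
# 203.0.113.9 is a documentation address standing in for a third party.
THIRD_PARTY = make_subscribe("http://203.0.113.9/")
```

With this policy a subscription can only direct event messages to the host that asked for them, so a device cannot be told to send status messages to an unrelated address.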

