When the internet was in its infancy and home networks were complicated to set up correctly, every device on your network had a public-facing IP address. This made it easy to run game servers, FTP servers, and other services you might want to host. That was fine, mostly, but it meant your devices were exposed to the wider internet, and also that IPv4 addresses were going to run out unless something was done.

This led to the invention of Network Address Translation (NAT), which lets every device on your home network reach services on the internet while sharing the single public IPv4 address assigned to your router. It was still a pain to set up, so UPnP (Universal Plug and Play) came along to handle the messy network discovery parts for you.

Zero configuration is good for the user until it becomes a problem, and Wi-Fi router manufacturers have created one by letting UPnP work at the WAN level. When it was first designed, UPnP was meant to stay on your home network, which would have kept you safe. With WAN access, however, devices plugged into your home network can open ports straight to the internet without your approval or knowledge. While some older services and gaming consoles need it enabled for multiplayer, it's (mostly) safer to turn it off.

4 It's a security nightmare (even if it's cool)

Router manufacturers enable UPnP by default because it makes their life easier

Universal Plug and Play (UPnP) is a fantastic feature, in theory. The ability to have your network-attached devices find each other, and the remote servers they need for essential data, is a modern marvel. It combines TCP/IP, HTTP, XML, and SOAP to automatically open and shut ports through your router and firewall so that devices can communicate directly. This helps everything from IoT devices to smart speakers, streaming services, and game servers connect and fetch data with zero input from the user.

That zero-setup process is also its biggest weakness, because there are no checks and balances to stop malicious devices or software from using UPnP to open whatever ports they need, then using your home network to send out your data or recruit your devices into a botnet for attacking servers. UPnP uses no authentication at all, which would be acceptable if it only dealt with devices inside your LAN, but many routers expose UPnP on the WAN side, and that spells trouble.

Turn it off, and your home network will be safer. You might notice one or two devices or services have issues afterward, and it's fairly simple to set up port forwards for those individual cases instead of letting anything on your network open ports at will.

3 No control over what's opening ports

This is fine if you trust the devices, but what if it's an IoT device or one gets infected with malware?

The biggest reason to turn off UPnP right now is that leaving it on strips away your control over your home network, the data moving around on it, and the data going in or out of it. It's a little like handing your car keys to a valet, except there is no boss looking over UPnP's shoulder to make sure they don't go joyriding. Nothing checks its requests: not your firewall, not your other security software or hardware, and not you, so there's no way to tell it not to connect to potentially sketchy IPs.

At one point, home network equipment had to trade security for convenience, and security was less of a concern than it is now. That trade-off is no longer necessary, as responsible developers have found ways to connect to remote servers without exposing the home network to attack. You might trust that your gaming console won't call out to sketchy servers, but how do you know your network doesn't have malware on it? That IoT device you plugged in could conceivably be sending plenty of data back to wherever, whether because it has an insecure UPnP implementation or because it was deliberately designed that way.

Even if none of your network devices use UPnP, simply having it enabled in your router could let attackers inside your home network. There have been plenty of incidents where exactly that happened, turning thousands of routers, printers, and other devices into botnets used to attack other internet services.

๐Ÿ‘ gl-inet-slat-ax1800-router-openwrt
What is port forwarding? Why do I need to do it?

If you want to host applications on your home internet, you'll probably need to port forward. Here's what that means and why.

2 Malware uses it to spread

Because it doesn't use authentication, it's often co-opted by cybercriminals

The way UPnP is designed, the automatic opening of ports to the wider internet makes life easier for both developers and users. But that automated process is also a boon to attackers, and there are plenty of instances where UPnP was either shown to be exploitable or actually was used to compromise systems. In 2020, Ars Technica reported on a proof-of-concept attack that could use UPnP to rope millions of devices into distributed denial of service (DDoS) attacks. Other attacks used badly implemented UPnP in Broadcom chips to turn 100,000 routers into a botnet.

And if you think back to 2019, you might remember a large-scale attack on Chromecast devices and printers that showed off YouTube videos of popular gamer PewDiePie. That was also made possible by UPnP on routers allowing WAN-side computers to set up port forwards, and while it wasn't done maliciously, it could easily have been a major issue.

1 You (probably) don't need it anymore

Modern gaming consoles use safer methods for multiplayer gaming

In the early days of online gaming, your computer connected directly to the other players or to the game server. This was probably not the best approach, as it opens your device up to anyone who can find your IP address, but that's how it was. Then came NAT and UPnP, which worked together to make your home network as safe as possible while still letting you connect to game servers and play with other users. It still wasn't the safest way to do things, though, so the model changed.

Nowadays, most gaming services use NAT hole punching to connect players, which relies on an intermediary server (or sometimes a relay server) to get past the NAT of each home network without needing UPnP or port forwarding. This can occasionally run into connection issues, as anyone who has played a Call of Duty title with a Strict NAT type knows. Generally, Moderate or Open NAT types have no trouble with NAT punching, which means gamers can turn off UPnP in their routers.

UPnP can usually be turned off without issues

While it's true that millions upon millions of consumer routers have UPnP enabled by default, and the vast majority of them are fine, it's still a security risk. On older routers it can let external attackers into your home network simply by using what UPnP was designed to do. It's not the protocol's fault that some routers let WAN-side computers access UPnP, but it is still worth turning off. Modern networking uses other methods to connect to remote servers that keep your home network safer, and UPnP is largely unnecessary now. If turning it off makes some of your apps, services, or devices stop working properly, you can find out which ports they need and forward only those in your firewall, so those services and nothing else can communicate with the outside world.
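Before switching UPnP off, it is worth seeing which mappings it has already created, so you can replace only the ones you actually need with manual port forwards. The block below is an added example, not code from the original article: it parses the SOAP reply a router sends to the WANIPConnection GetGenericPortMappingEntry action (the call an audit repeats with increasing index values until the router reports no more entries) and lists the reasons a defender would want to review a mapping. The SOAP reply, the internal address and the set of management ports are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply to GetGenericPortMappingEntry (not captured from a real router).
# An audit walks NewPortMappingIndex 0, 1, 2, ... and parses each reply like this one.
SOAP_ENTRY = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>25565</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>25565</NewInternalPort>
   <NewInternalClient>192.168.1.42</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>minecraft</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Constructed list of ports that should never be reachable from the internet on a home network.
MANAGEMENT_PORTS = {22, 23, 80, 443, 445, 3389, 5000, 8080}

def parse_port_mapping(soap_xml):
    """Return one mapping as a dict, or None if the reply carries no mapping (e.g. a SOAP fault)."""
    resp = ET.fromstring(soap_xml).find(f".//{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    return {
        "remote_host": resp.findtext("NewRemoteHost") or "*",  # empty means any source address
        "external_port": int(resp.findtext("NewExternalPort")),
        "protocol": resp.findtext("NewProtocol"),
        "internal_client": resp.findtext("NewInternalClient"),
        "internal_port": int(resp.findtext("NewInternalPort")),
        "enabled": resp.findtext("NewEnabled") == "1",
        "description": resp.findtext("NewPortMappingDescription") or "",
        "lease_seconds": int(resp.findtext("NewLeaseDuration")),
    }

def review_mapping(mapping):
    """Reasons a defender would flag this mapping; an empty list means nothing stood out."""
    reasons = []
    if mapping["remote_host"] == "*":
        reasons.append("reachable from any remote host")
    if mapping["lease_seconds"] == 0:
        reasons.append("permanent lease (never expires on its own)")
    if mapping["external_port"] in MANAGEMENT_PORTS:
        reasons.append("exposes a management or file-sharing port")
    return reasons
```

On a real router you would send the action over HTTP to the control URL found through SSDP discovery, or use a tool such as miniupnpc's upnpc -l to list the same entries.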