Berkner Tech

UPnP and SSDP Exposure on Connected Products

UPnP and SSDP exposure on connected products, from SSDP discovery to assessing internet exposure

Universal Plug and Play exists so devices can discover each other and open firewall ports without the user lifting a finger. That convenience is also a liability: it leaks information over SSDP and lets a device, or malware, punch holes in the firewall. Here is how to assess UPnP exposure on a product and network.

Why UPnP Is Risky

UPnP combines two risky ideas. The first is discovery over SSDP: devices multicast their presence to 239.255.255.250:1900 and answer M-SEARCH queries with the URL of a description document, so any host on the local network learns what the device is and which services it exposes. The second is control: the Internet Gateway Device (IGD) profile's AddPortMapping action lets any local client open a port on the router, with no authentication. The first leaks information; the second removes the firewall as a control, because anything inside can expose anything to the outside.

Step 1: Discover and Enumerate

List the UPnP devices and any port mappings already in place. Existing mappings often reveal what is exposed:

upnpc -l
Example output
List of UPNP devices found on the network:
  desc: http://192.168.1.1:5000/rootDesc.xml
  st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found a (connected) IGD
ExternalIPAddress = 203.0.113.7

 i protocol exPort->inAddr:inPort description
 0 TCP  8080->192.168.1.50:80   'cam'

An existing mapping that exposes an internal camera's web interface to the internet is a finding on its own, and it proves the router accepts port-mapping requests from LAN clients. Check who owns each mapping: entries created with no lease duration are permanent until explicitly deleted, so mappings left behind by a device or application that is long gone often survive and keep a port open for nothing.

Step 2: Test for Abuse

If the router accepts mapping requests without restriction, a single command can expose an internal device to the public internet:

Figure: anatomy of a UPnP port-mapping request with upnpc, exposing an internal device to the internet
upnpc -a 192.168.1.50 80 8080 TCP
Example output
external 203.0.113.7:8080 TCP is redirected to internal 192.168.1.50:80
(0) success

That command exposed an internal device to the public internet with no authentication and no interaction from the router's owner. Malware on any device does the same, which is how UPnP turns one infection into an internet-exposed service. Verify the exposure from outside the network rather than trusting the router's success message, and remove the test mapping when you are done (upnpc can delete a mapping by external port and protocol).
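The protocol exchange behind the two commands above, as an added example that is not part of the original article or of the miniupnpc tool: it builds the SSDP M-SEARCH that upnpc -l multicasts, parses an SSDP reply and the rootDesc.xml it points at to find the WANIPConnection control URL and the identifying fields the description leaks, and builds and parses the SOAP messages for GetGenericPortMappingEntry (enumeration) and AddPortMapping (the request upnpc -a sends). Only Python standard-library calls are used. The sample SSDP reply, description document and SOAP response are constructed to mirror the article's output; the enumerate_mappings helper is the only part that talks to a real router, and the LEAKY_FIELDS list is this example's own choice of what counts as identifying.

```python
"""Added example (not from the article or miniupnpc): the SSDP and SOAP messages behind
`upnpc -l` and `upnpc -a`, parsed offline. All sample messages below are constructed."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_GROUP = ("239.255.255.250", 1900)          # SSDP multicast group and port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS = "{urn:schemas-upnp-org:device-1-0}"        # XML namespace used by rootDesc.xml
# Standard device-description fields that identify the product to any LAN peer (our choice).
LEAKY_FIELDS = ("friendlyName", "manufacturer", "modelName", "modelNumber",
                "serialNumber", "UDN", "presentationURL")

def build_msearch(st=IGD_ST, mx=2):
    """M-SEARCH datagram to send to SSDP_GROUP over UDP; every matching device replies."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_response(raw):
    """Headers of an HTTP/1.1 200 SSDP reply as a lower-cased dict, or None if not a reply."""
    head = raw.decode(errors="replace").partition("\r\n\r\n")[0].split("\r\n")
    if not head[0].startswith("HTTP/1.1 200"):
        return None
    hdrs = {}
    for line in head[1:]:
        k, sep, v = line.partition(":")   # split on the first colon only (URLs contain ':')
        if sep:
            hdrs[k.strip().lower()] = v.strip()
    return hdrs

def assess_description(xml_text, location_url):
    """Parse rootDesc.xml: the WANIPConnection control URL plus every identifying field present."""
    root = ET.fromstring(xml_text)
    leaks = {f: dev.findtext(NS + f).strip()
             for dev in root.iter(NS + "device") for f in LEAKY_FIELDS
             if dev.findtext(NS + f)}
    control_url = None
    for svc in root.iter(NS + "service"):
        if svc.findtext(NS + "serviceType") == WANIP:
            control_url = urljoin(location_url, svc.findtext(NS + "controlURL"))
    return {"control_url": control_url, "leaks": leaks}

def soap_request(action, args):
    """Headers and body for a WANIPConnection action. Note what is absent: any credential."""
    inner = "".join(f"<New{k}>{v}</New{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{WANIP}">{inner}</u:{action}></s:Body></s:Envelope>')
    return {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#{action}"'}, body

def add_port_mapping_request(internal_ip, internal_port, external_port, proto="TCP", desc="test"):
    """The request `upnpc -a <ip> <iport> <eport> <proto>` sends; POST it to the control URL."""
    return soap_request("AddPortMapping", {
        "RemoteHost": "", "ExternalPort": external_port, "Protocol": proto,
        "InternalPort": internal_port, "InternalClient": internal_ip, "Enabled": 1,
        "PortMappingDescription": desc, "LeaseDuration": 0})   # 0 = permanent mapping

def parse_mapping_entry(soap_xml):
    """One GetGenericPortMappingEntry response as a dict, or None for a fault/empty reply."""
    root = ET.fromstring(soap_xml)
    if root.find(".//NewExternalPort") is None:
        return None
    g = lambda n: (root.findtext(".//New" + n) or "").strip()
    return {"ext_port": int(g("ExternalPort")), "proto": g("Protocol"),
            "int_client": g("InternalClient"), "int_port": int(g("InternalPort")),
            "desc": g("PortMappingDescription")}

def enumerate_mappings(control_url, max_entries=256):
    """Live: walk index 0..n; an IGD answers HTTP 500 with UPnPError 713 past the last entry."""
    entries = []
    for i in range(max_entries):
        headers, body = soap_request("GetGenericPortMappingEntry", {"PortMappingIndex": i})
        req = urllib.request.Request(control_url, body.encode(), headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entry = parse_mapping_entry(resp.read())
        except urllib.error.HTTPError:
            break
        if entry is None:
            break
        entries.append(entry)
    return entries

# Constructed sample messages (not captured from a real device), mirroring the article's output.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nST: " + IGD_ST.encode() +
               b"\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\nSERVER: UPnP/1.0 IGD/1.0\r\n\r\n")
SAMPLE_DESC = ('<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
               '<friendlyName>Home Router</friendlyName><serialNumber>SN12345</serialNumber>'
               '<deviceList><device><deviceList><device><serviceList><service>'
               f'<serviceType>{WANIP}</serviceType><controlURL>/ctl/IPConn</controlURL>'
               '</service></serviceList></device></deviceList></device></deviceList></device></root>')
SAMPLE_ENTRY = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
                '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>'
                '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
                '<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>'
                '<NewPortMappingDescription>cam</NewPortMappingDescription><NewLeaseDuration>0'
                '</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
```

For live discovery, send build_msearch() to SSDP_GROUP from a UDP socket and pass each reply to parse_ssdp_response; fetch the LOCATION URL over HTTP, hand the body to assess_description, and give the control URL it returns to enumerate_mappings. Everything soap_request produces is accepted on the strength of its source address alone; the router never asks who is adding the mapping, which is the finding the page is about.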

Three UPnP Risks

The exposures UPnP introduces:

WAN-side UPnP. The router answers SSDP or accepts control requests on its internet-facing interface, so anyone on the internet can do what a LAN client can.

Port-mapping abuse. Any LAN client, including malware, can add a mapping that exposes an internal service, with no authentication and no notice to the owner.

Device description information leakage. The description document that SSDP points at identifies the product (model, serial number, service list) to every peer on the local network.

Reducing UPnP Exposure

Never accept UPnP requests from the WAN side, and confirm it from outside: the router must not answer SSDP or serve its description and control URLs on its public address. Disable UPnP entirely where it is not needed. On products that do use it, scope what can be mapped (which internal hosts, which ports, for how long) and require authentication for control actions. Minimize what the SSDP description reveals: drop serial numbers and other identifiers that serve no discovery purpose. The safest default is UPnP off, opened only deliberately.

Where This Fits

Assessing UPnP and SSDP exposure on a product and its companion network is part of a connected-product penetration test. That testing is the kind of work we do at Berkner Tech.
