The 12-year-old UPnP protocol simplifies the task of connecting devices by allowing them to automatically find each other over a network. It does this by using the HTTP, SOAP, and XML protocols to advertise themselves and discover other devices over networks that use the Internet Protocol.

While the automation can remove the hassle of manually opening specific network ports that different devices use to communicate, UPnP over the years has opened users to a variety of attacks. In 2013, an Internet-wide scan found that UPnP was making more than 81 million devices visible to people outside the local networks. The finding was a surprise because the protocol isn't supposed to communicate with outside devices. The exposure was largely the result of several common code libraries that monitored all interfaces for User Datagram Protocol packets even if configured to listen only on internal ones.
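The exposure described above shows up on the wire as UPnP discovery (SSDP, the HTTP-style messages carried over UDP port 1900) answered towards addresses that are not on the local network. The following is an added defender-side example, not code from the original article: it parses SSDP headers and flags any discovery reply whose source or destination lies outside the RFC 1918, loopback or link-local ranges. The two datagrams and their addresses are constructed for illustration (documentation address ranges, placeholder UUID).

```python
import ipaddress

# Address ranges SSDP traffic is expected to stay within. Documentation ranges
# such as 203.0.113.0/24 are deliberately NOT listed, so they count as "outside".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]

# Constructed sample datagrams (src_ip, dst_ip, payload), not captured traffic.
SAMPLE_DATAGRAMS = [
    # 1. Discovery reply on the LAN side of a router: expected behaviour.
    ("192.168.1.1", "192.168.1.50",
     b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
     b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
     b"USN: uuid:PLACEHOLDER::upnp:rootdevice\r\n\r\n"),
    # 2. Same reply sent to an outside address: the WAN-side exposure the 2013 scan found.
    ("203.0.113.7", "198.51.100.20",
     b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
     b"LOCATION: http://203.0.113.7:5000/rootDesc.xml\r\n"
     b"USN: uuid:PLACEHOLDER::upnp:rootdevice\r\n\r\n"),
]


def parse_ssdp(datagram: bytes) -> dict:
    """Parse the HTTP-style start line and headers of one SSDP message."""
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    headers = {"_start": lines[0]}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_external_exposure(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """True when a UPnP discovery message crosses to or from a non-local address."""
    msg = parse_ssdp(datagram)
    if "ST" not in msg and "NT" not in msg:
        return False  # not a discovery response or advertisement
    return not (is_local(src_ip) and is_local(dst_ip))


def audit(datagrams) -> list:
    """Return (src, dst, LOCATION) for every datagram that indicates exposure."""
    return [(s, d, parse_ssdp(p).get("LOCATION", ""))
            for s, d, p in datagrams if is_external_exposure(s, d, p)]
```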
In November 2018, researchers detected two in-the-wild attacks that targeted devices using UPnP. One used a buggy UPnP implementation in Broadcom chips to wrangle 100,000 routers into a botnet. The other, used against 45,000 routers, exploited flaws in a different UPnP implementation to open ports that were instrumental in spreading EternalRed and EternalBlue, the potent Windows attack that was developed by and later stolen from the NSA.