Home of internet privacy

What is UPnP, and why is it unsafe?

If you have a home printer or digital camera, you’ve probably used Universal Plug and Play. It’s a widely used protocol that makes it easy to install devices on your home network, allowing them to connect to each other, without having to undergo the cumbersome process of adjusting settings on your router.

UPnP is ubiquitous, but it’s not secure.

How does Universal Plug and Play work?

When you connect a UPnP device to your local network, it will first try to obtain an IP address. This process, usually done through a process called DHCP, is no different from the process of obtaining an IP address for any other kind of device. Almost all routers support DHCP.

As soon as your UPnP device has an IP address, it will try to find a “control point,” which is typically your router. It will send your router a file containing useful information about the device, such as the manufacturer, model number, firmware version, and functionality.

[Understand more about everyday tech. Sign up for the ExpressVPN Blog Newsletter.]

For example, if you connect a printer with UPnP capabilities, the printer will let your router know what printer it is. When you want to install that printer, your computer will only have to ask your router what printers are connected to it, and you will be able to quickly connect and install the up-to-date firmware from its vendor.

UPnP also allows entertainment devices to easily find each other on a network. This allows you to do things like stream music from one computer to another.

The risks of using UPnP

The main issue with UPnP is that it is primarily built for your home and makes certain assumptions based on this—namely, that your home network is well secured against attacks from the outside, but anything inside of it is permitted to be open and unsecured.

As a consequence, UPnP lacks basic authentication, and its devices are often prone to attacks. Your home network can’t be assumed to be secure, especially given the prevalence of unpatched routers, shared Wi-Fi passwords, and untrusted devices that could be connected to it.

In fact, UPnP can open up your network to security holes. For example, it allows devices on your network to request for ports to be opened to the open internet, where more malicious requests can be made.

For large networks, such as in business environments, UPnP often fails due to too many devices trying to “discover” each other and taking up a lot of network resources or confusing the router with contradictory information.

Secure your home network

We recommend you to turn off UPnP in your router’s settings and configure your home devices manually. Log into your router’s admin panel, find the settings, and deactivate UPnP. You will usually find your devices’ IP address and log-in credentials on the back of your router or its user manual.

While you are poking around in your router’s admin panel, you might also take the opportunity to…

Also read: How to reduce your trail of metadata