UPnP or Universal Plug and Play is a networking standard that’s defined by The UPnP Forum, a consortium of computer companies who’s goal is to make networking easier for everyone. They’ve envisioned a future where all of the devices on your home network are aware of each other, and can provide services for each other without a lot of configuration intervention from you.
The classic UPnP scenario would involve plugging a storage device full of media into your network. Immediately, your TV would recognize that this device contained video and would offer to play it. Your stereo would know where the music was stored and it could play that too. All of this would happen automatically without any need for you to do anything.
UPnP went way beyond just controlling media and defined standards for how devices could find and control each other over your home network. Think really cool space-age stuff. So far, this idea sounds great.
But like a lot of good ideas, once a committee gets a hold of it and begins to design it, things begin to go downhill. UPnP has really great and lofty goals, but the actual realization of it is very problematic.
UPnP critics point to the fact that devices and applications can configure themselves and each other without any human intervention. This sounds positive until you realize that the bad guys’ applications can also configure your devices. Not so good.
UPnP also defines the behavior of routers. One of the “features” of UPnP-enabled routers is the ability of other devices and applications to perform port forwarding on them. This can all happen without your intervention or even knowledge. What a gold mine for hackers!
Furthermore, the way that many companies have implemented UPnP in their devices contains multiple security vulnerabilities, putting yet another black mark on a system that has people worried.
To learn about some real life problems with UPnP, look here.