QNAP urges customers to disable UPnP port forwarding on routers

Taiwanese hardware vendor QNAP urged customers on Monday to disable Universal Plug and Play (UPnP) port forwarding on their routers to prevent exposing their network-attached storage (NAS) devices to attacks from the Internet.

UPnP is a set of insecure network protocols with no encryption and authentication that comes with support for peer-to-peer communications between devices.

It also allows them to dynamically join and leave networks, obtain IP addresses, advertise their capabilities, and learn about other UPnP devices on the network and their capabilities.

UPnP Port Forwarding allows network devices to communicate seamlessly and create groups for easier data sharing.

"Hackers can abuse UPnP to attack through malicious files to infect your system and gain control. Despite its convenience, UPnP may expose your device to public networks and malicious attacks," QNAP said today.

"It is recommended that your QNAP NAS stay behind your router and firewall without a public IP address. You should disable manual port forwarding and UPnP auto port forwarding for QNAP NAS in your router configuration."

As options for those who need access to NAS devices without direct access to the Internet, QNAP recommends enabling the router's VPN feature (if available), the myQNAPcloud Link service, and the VPN server on QNAP devices provided by the QVPN Service app or the QuWAN SD-WAN solution.

Internet-exposed NAS devices at risk

QNAP also warned customers in January to secure their NAS devices immediately from active ransomware and brute-force attacks.

The company asked users to check if their NAS is accessible over the Internet and take the following measures to defend them from incoming compromise attempts:

• Disable the Port Forwarding function of the router: Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 433 by default).
• Disable the UPnP function of the QNAP NAS: Go to myQNAPcloud on the QTS menu, click the "Auto Router Configuration," and unselect "Enable UPnP Port forwarding."

QNAP also provides step-by-step instructions on disabling SSH and Telnet connections, changing the system port number and the device password, and enabling IP and account access protection.

The warning came after an increase in eCh0raix (aka QNAPCrypt) ransomware attacks before Christmas exploiting an unknown attack vector.

Some users linked successful ransomware attacks at the time to improperly secured Internet-exposed devices.