Montel IT Support Support when you need it, peace of mind when you don't.

Don't Use UPnP

We all make mistakes and one I made reminded me of how dangerous a service called UPnP can be and why you should make sure your router is not using it.

I purchased a new Wi-Fi IP telephone so I can use a Voice over Internet Protocol (VoIP) service around the home as well as anywhere with a wireless (Wi-Fi) service. My business number is a VoIP service and at the moment it works with a desk-based IP telephone. It would be great not to have to keep running to the phone when I’m not sitting next to it. Hence the purchase of the wireless device.

I ran into a few problems trying to get the new phone to work with my telephone service and one of the suggestions was to make sure that the Universal Plug and Play (UPnP) service was turned on at my router. I don’t have this service turned on as it is a security risk but to see if it helped I turned it on and it made no difference. Then I made my mistake. I was so focussed on getting the new phone to work that I forgot to turn the UPnP service off. Oops…

I have seen lots of contradictory advice about UPnP with some saying it is safe and others saying it is dangerous. When I looked into it some years ago I decided it was too dangerous to use so I always make sure it is turned off on any router I configure. This has never caused a problem and it is the safest option so I’m happy to do this.

However, I had not seen for myself what happens if this service is turned on. Well, not until now. Remember that I had forgotten that UPnP had been turned on. So when my existing desk phone on my VoIP service started to behave strangely I did not initially put it down to a problem caused by UPnP.

A few hours after I had turned on the UPnP service my desk phone started to ring and displayed the calling number as 1005. Several more calls like this came in during the next hour. It was Easter Sunday and I did not hear the phone ringing but it logs all incoming calls. By the time I checked my phone on Easter Monday it had logged over 40 inbound calls from numbers like 200, 300, 1005 and also TRUNK.

I have used an IP phone service for more than seven years and in all that time I have never seen anything like this. During Easter Monday the calls continued to come in so I did a bit of research and quickly discovered why. It turns out that hackers who specifically target IP phone services make inbound calls that will show the numbers I had seen. They are trying to find IP phone services that are poorly protected, usually with default passwords, so they can use them to make expensive telephone calls using the hacked credentials.

I could not understand why this was suddenly happening to my own IP phone when it had been secure and never open to this abuse for so long.

Finally, I remembered that I had turned on the UPnP service on my router but had not turned it off. By turning this service on I had made my IP phone visible to hackers on the Internet and in no time at all some of them had started to attack my phone. To make sure this was correct I turned off the UPnP service and the strange inbound calls stopped. A day later I turned the UPnP service back on and the hacker calls started again.

I never doubted that the UPnP service was unsafe but now I know for sure that turning it off is essential if you want to keep your network, and the devices connected to it, as secure as possible.

Don’t take my word for it. I managed to find a very good article about the pros and cons of using UPnP here:

https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/

I would love to tell you that there is a really simple way to find out if UPnP is turned on in any router but if there is I cannot find it. The best I could find is a test on the Gibson Research site that you can find on the following link:

https://www.grc.com/x/ne.dll?bh0bkyd2

Press the Proceed button and you should see the GRC’s Instant (UPnP) Exposure Test button. Click the button and look at the result. My router passed this test with the UPnP service turned on or off, but that is understandable as the GRC test can only detect external flaws in UPnP and my router does not have those. If you do not get a result like the one below please get in touch with me as your network is at real risk of being hacked.


Just remember that my router gave this result but my telephone was getting hit by hackers so for me the test result was not proof that my router was secure. The only way to be certain is to make sure that your router is not using any UPnP service.

Unfortunately, a lot of routers are shipped with the UPnP service turned on so you really do need to check your own device. For example TalkTalk enable it by default on their routers. Routers from Linksys, D-Link, EdiMax and many others will also be supplied with UPnP turned on by default.

If you need help in finding out if your router is running UPnP give me a call or send me an email and include the make and model of your router. Learn from my mistake and make sure that your router is not running UPnP.




