Universal plug and play (ITSAP.00.008) – Canadian Centre for Cyber Security

Universal plug and play (ITSAP.00.008) – Canadian Centre for Cyber Security

Summary

Universal Plug and Play (UPnP) is a protocol that lets devices on the same local network automatically discover and interact with one another — examples include mobile devices, smart speakers, TVs, cameras, gaming consoles, printers and routers. While convenient for media streaming, remote control and gaming, UPnP frequently runs with minimal authentication and can expose networks to malware, unauthorised access, port‑forwarding abuse and data‑sharing/privacy risks. The Canadian Centre for Cyber Security recommends disabling UPnP (especially on perimeter devices such as home routers and gateways) where possible and provides mitigation steps for situations where disabling isn’t feasible.

Source

Source: https://cyber.gc.ca/en/guidance/universal-plug-play-itsap00008

Key Points

• UPnP enables automatic discovery and interaction across devices on a local network (smart devices, gaming consoles, media streamers, remote control, etc.).
• Many UPnP implementations lack strong authentication or access controls, increasing exposure to threats.
• Common risks include malware infection (including DDoS botnet activity), unauthorised local or external access, manipulation of network configuration (port forwarding) and inadvertent data sharing between devices.
• The primary recommendation is to disable UPnP on perimeter devices (home routers, gateways). Verify device requirements first, as some devices may rely on UPnP to function.
• If you cannot disable UPnP: isolate UPnP devices on a VLAN or separate network zone, keep firmware and software updated, enable logging and monitoring, regularly review port‑forward rules, and train staff on cyber security basics.
• To disable UPnP on a home router: log into the router admin page, find UPnP under ‘Advanced’ or ‘NAT forwarding’ settings and choose ‘Disable’. Alternatively, block UPnP‑related ports at the Internet gateway to stop external access.

Context and relevance

This guidance is practical for home users, small organisations and IT teams. As IoT adoption grows and threat actors continue to exploit poorly secured devices for DDoS and lateral movement, reducing UPnP exposure is a simple, high‑impact step to improve network hygiene and privacy.

Why should I read this?

Got smart gadgets or a home network? Read this — it explains quickly why UPnP can turn your devices into easy targets and gives straight‑forward, actionable steps: turn it off if you can, isolate devices if you can’t, keep things patched and watch the logs. We’ve done the reading so you don’t have to — these fixes are low effort and high reward.

Further reading

• Security considerations for voice‑activated digital assistants (ITSAP.70.013)
• Protect your organisation from malware (ITSAP.00.057)
• Internet of Things (IoT) security (ITSAP.00.012)