Is UPnP for ARC safe?

I’ve been unable to use ARC as it is unable to connect to my Roon Core. Following the help prompts, I’ve read the stuff about enabling UPnP on my router. Since I know nothing about router setup and network stuff, I went Googling. There are all kinds of warnings about using UPnP and enabling it on your router.

The following is from a recent post by a security firm, and is it typical?
“cybercriminals are always on the hunt for home networks with UPnP enabled and valuable data. Getting into a UPnP-enabled network is surprisingly simple. All they have to do is breach your network and pretend to be an ordinarily benign device, like an air conditioner or a Smart TV, and send your router a port forwarding request.”

That stopped me in my tracks and I am puzzled why Roon would ask you to open your router to hackers in order to use their ARC app. I’d like to try it, but the hurdles for me to enable it without the knowledge how to do so, and the apparent security risks seem to make it a bad idea. I was able after much searching to figure out how to access my router and UPnP is not enabled now, and I don’t see how it could be prudent to do so.

Can you set up a port forwarding rule with your router? Go to Roon - Settings - Roon ARC and see the required port number (something like 50000 or 50002, etc.) and IP address. You might have to click the down arrow to see it. Use that for a port forwarding rule.

Jim, sadly I am completely lost in trying to configure a router. I’m just a music lover, an old guy, can use my phone and a laptop pretty well, but that’s about the extent of my tech savvy. I’m not at all clear what the port forwarding rule means, let alone how to do it.

AFTER they have already breached your network, they can already do what they want and they don’t need UPnP anymore for anything.

Communication with the Internet protocol works with IP addresses and open ports. Open ports can be secured or the internet as we know it would not exist.

There is a long thread here:

1 Like

If it was so easy and interesting to hackers, most of the population would be hacked by now, as UPnP is on by default on most routers and most are unaware of it. Don’t believe all you read, as it’s scaremongering. That said, it does open you to increased risk if you’re running an application known to have vulnerabilities that they can exploit. I have had ports open for certain apps for the last 10 years or more without incident. If you feel unsure and worried about security then don’t do it.

Just don’t bother then. You’re not missing much, all said and done. Keep it how you can manage things and don’t overcomplicate things and get out of your comfort zone just because others say do this, do that.

Using Roon ARC is very worthwhile if you want to listen to your Roon music while “on the go.” Take a look at your router and post the make and model and your provider name and maybe we can point you to some simple instructions.

Thanks, that’s the best advice yet.

The problem with enabling uPnP is that while you know Roon is using it to open a port, you don’t know what other ports might be opened by other apps on your network. Enabling port forwarding just for Roon is much safer, but I wouldn’t even do that - Roon has failed to answer what I think is my reasonable question as to what steps they have taken to minimize the risk their app can’t be used as an attack vector onto my home network.

1 Like
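The concern in the post above, not knowing which ports other apps have opened, can be checked by listing the router's current mappings and comparing them with the forwards that were set up on purpose. The following is an added example and not part of any post in this thread: the line format, the sample mappings, the allowlist and the LAN range are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: one line per mapping, "PROTO extPort->intIP:intPort 'description'".
SAMPLE_MAPPINGS = """\
TCP 50002->192.168.1.20:50002 'Roon ARC'
UDP 3074->192.168.1.45:3074 'game console'
TCP 8080->192.168.1.77:80 'ipcam'
TCP 2222->10.9.9.9:22 'unknown'
"""
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)\s+'([^']*)'$")
# Internal ports that should rarely be reachable from the internet.
SENSITIVE_PORTS = {22, 23, 80, 443, 445, 3389}


def parse_mappings(text):
    """Return a list of dicts; a line that does not match raises ValueError."""
    mappings = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable mapping line: {line!r}")
        proto, ext, ip, port, desc = m.groups()
        mappings.append({"proto": proto, "ext_port": int(ext),
                         "int_ip": ipaddress.ip_address(ip),
                         "int_port": int(port), "desc": desc})
    return mappings


def audit(mappings, allowed, lan):
    """Return (mapping, reasons) for every mapping that deserves a closer look."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for m in mappings:
        reasons = []
        if (m["proto"], m["ext_port"], str(m["int_ip"])) not in allowed:
            reasons.append("not on allowlist")
        if m["int_ip"] not in lan_net:
            reasons.append("target outside LAN")
        if m["int_port"] in SENSITIVE_PORTS:
            reasons.append("exposes sensitive service port")
        if reasons:
            findings.append((m, reasons))
    return findings


if __name__ == "__main__":
    allowed = {("TCP", 50002, "192.168.1.20")}  # assumed: the one forward made on purpose
    for m, why in audit(parse_mappings(SAMPLE_MAPPINGS), allowed, "192.168.1.0/24"):
        print(m["proto"], m["ext_port"], m["desc"], why)
```
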

I do want to listen to my music on the go. But since I’m way out of my element here regarding network security, I think I’ll take CrystalGypsy’s advice. Looks like I’ll just stream Qobuz direct from their app on my phone and my personal library is already on the phone. I lose some of what I like with Roon, but if their app is causing me to reduce security, seems like they are on the wrong path.

They are not on the wrong path, don’t misquote me here. In the IT world anything is a risk, but this is no more of a risk than using your phone or computer on any public Wi-Fi in Starbucks or other location. It is one, but it isn’t as big as they make out; getting in your network isn’t that easy to start with. Many apps use UPnP as it makes it simpler for users like yourself who have no idea about networking; it makes more complex tasks simpler. In any situation, though, someone can decide to exploit it. But they won’t get in via UPnP alone; they get in by you opening the door first with some dodgy software that’s got some vulnerability or a Trojan or a virus. Opening the port for ARC won’t let people in on its own; there are other factors to be taken into account.

1 Like

I have a Netgear router and turned on UPnP and set the port forwarding for ARC. ARC worked fine. I then went back into the router and turned off UPnP and ARC still worked fine. I am not a networking guy, but my ARC works with just the port forwarding, no turning on UPnP required.

1 Like

I’m clearly in over my head here. But trying to represent the commoner in a forum filled with experts like you. My first question is why Roon requires me to learn and do all this stuff to use a product they are promoting so heavily. I’ve never added a phone app that requires that. Second, it may not look like a significant risk to you given your expert knowledge. But I and most people lack the knowledge to assess that for ourselves. Next, I really can’t process what you’ve said about UPnP alone not causing a risk - that it’s only if something else has been compromised - is that what you mean? Then I again can’t really assess the risks since I don’t really understand what those other things could be and whether my network is a problem.

1 Like

Indeed it is not required. It needs an open port; how it is opened is not relevant.

So how do I get port forwarding?

My take (and I’m by no means an expert) is that Roon has no way of knowing how an individual user’s network is configured.
There are many variables.
This is part of why upnp exists.
Any router I’ve had has upnp enabled by default.
Arc worked for me with no configuration.
Which, I suspect, is the case for most people.
Support, both from Roon staff and Roon users is here for those for whom it hasn’t worked without tinkering.

The answer to your original question is yes, it’s safe.
In an already compromised system having upnp enabled could theoretically make exploiting that system marginally easier but nearly anyone with the skills to exploit you in the first place isn’t going to be stopped by having upnp disabled.

1 Like

By answering my questions.

1 Like

Okay, it’s a Leviton gigabit router, vintage early 2017. I don’t know the model. Provider is Breezeline cable through my own modem to the router then to an access point, all hard wired through to the Roon Core running on a NUC.

Lol Jim. I appreciate you.

@Rex_Noel It might help to also know what modem you’re using as it may require a setting change too - Bridge mode.

1 Like

And, look at your router and get the model number. We’ll see if anyone else is using that make and model.