Devil's advocate here, and let me start by saying that my client is almost completely innocent, it's just an unfortunate misundertanding!
Sure, UPnP IGD might have not been designed with much emphasis on security. But if some manufacturer implements it in a way that it accepts requests from WAN, you can't seriously want to blame UPnP for that, it's royal screw up on manufacturer's part. It must be obvious to everyone, just from missing authentication (which, granted, might be seen by some as unfortunate design decision, but what can you do if it's supposed to "just work") that UPnP was meant for LAN.
Another complaint was about ability to forward ports to external addresses (RouterOS allows that, btw). Again, blaming UPnP is not exactly fair. It might look bad at first, but take a closer look and you'll find out that it's actually useful feature. You might be tempted to limit port forwards only to requesting machine, but it's not hard to imagine legitimate scenarios where one machine controls port forwarding for others. And regarding internal vs. external addresses, it's not that simple. You can't just limit it to local /24 (typically), because you can have larger internal network with multiple subnets. And even if they are not all able to talk to UPnP server directly, there's again the "controller" scenario. You can't simply throw this all out as wrong.
But my client is prepared to admit, that external addresses might be bad in typical "clueless home user" scenario, and a recommendation should be made for manufacturers, to evaluate a possibility to perhaps add some additional limits by default.
In conclusion, UPnP did nothing wrong, it's a victim too. It just comes from older, simpler times, when there was more trust and less evil hackers. It just aimed to make the world a nicer place, where things would work better and with less effort. It couldn't predict that there would be so many bad people who's malicious actions would ruin this beatiful vision. Even if you don't like UPnP IGD, you still have to admit that you do need something similar, you do need something to control incoming connections. Do you remember current recommedation for IPv6, to block incoming connections by default? You need some way to deal with that. There is one (PCP
), more modern, with autentication, etc. So by all means, take that one and view UPnP IGD as outdated if you wish. But please don't be harsh on poor UPnP!
And btw, the request was for client
, it couldn't do much harm, if any. Not counting development time, which given that it's not exactly a high priority feature, can be spent better on something else, that's for sure.