News / USA

US Government Warns of Hack Threat to Network Gear

x
Reuters
The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
       
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
       
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a ``field day'' once the vulnerability in network devices is exposed.
       
"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation,'' said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.
       
Disabling UPnP once networks have already been set up, will have little impact on the operation of the devices.
       
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
       
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
    
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.
      
"This is the most pervasive bug I've ever seen,'' said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.
       
CERT in turn has tried to contact the more than 200 companies whose products Rapid7 have identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. ``We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted,'' Linksys said in a statement.
       
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.
       
"This definitely falls into the scary category,'' said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier.''
       
Andres Andreu, chief architect at networking security company Bayshore Networks said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.
       
"Simple targets such as home routers now become targets of greater interest,'' he said.

Taking Control
       
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
       
He said that was unlikely to happen quickly.
       
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
       
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
       
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
       
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and ``smart'' or Web-connected TVs are often shipped with that functionality turned on by default.
       
"You can't stay silent about something like this,'' he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them.''

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.
       
"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability,'' he said.
       
Rapid7 has released a tool to help identify those devices on its website.

You May Like

Photogallery Early Nigeria Results Show Buhari Leading; Tampering Concerns Mount

One local group monitoring polls is concerned politicians might use security agencies to 'fiddle with the election collation process' at state level More

UN: 7,300 Civilians Killed in Boko Haram Insurgency

A senior UN humanitarian official tells the United Nations Security Council 1,000 people have been killed this year More

Turkish President Warns Iran About Trying to Dominate Middle East

Warning comes amid growing concerns inside Turkey that it will be sucked into a sectarian conflict with its neighbor More

Featured Videos

Your JavaScript is turned off or you have an old version of Adobe's Flash Player. Get the latest Flash player.
Film Tells Story of Musicians in Mali Threatened by Jihadistsi
X
Greg Flakus
March 30, 2015 6:48 PM
At this year's annual South by Southwest film and music festival in Austin, Texas, some musicians from Mali were on hand to promote a film about how their lives were upturned by jihadists who destroyed ancient treasures in the city of Timbuktu and prohibited anyone from playing music under threat of death. As VOA’s Greg Flakus reports from Austin, some are afraid to return to their hometowns even though the jihadists are no longer in control there.
Video

Video Film Tells Story of Musicians in Mali Threatened by Jihadists

At this year's annual South by Southwest film and music festival in Austin, Texas, some musicians from Mali were on hand to promote a film about how their lives were upturned by jihadists who destroyed ancient treasures in the city of Timbuktu and prohibited anyone from playing music under threat of death. As VOA’s Greg Flakus reports from Austin, some are afraid to return to their hometowns even though the jihadists are no longer in control there.
Video

Video With Coalition Airstrikes, Iraq Entering 'Last Page' of IS Battle

American warplanes joined Iraq's battle against the so-called 'Islamic State' in northern Iraq late Wednesday, as Iraqi ground troops launched a massive assault on Tikrit. Analysts say the offensive could take the coalition a step further towards Mosul, the largest city held by Islamic State forces. Others say it could also deepen already-dangerous sectarian tensions in the region. VOA's Heather Murdock has more from Cairo.
Video

Video Philippines Wants Tourists Spending Money at New Casinos

Tourism is a multi-billion dollar industry in the Philippines. Close to five million foreign visitors traveled there last year, perhaps lured by the country’s tropical beaches. But Jason Strother reports from Manila that the country hopes to entice more travelers to stay indoors and spend money inside new casinos.
Video

Video Civilian Casualties Push Men to Join Rebels in Ukraine

The continued fighting in eastern Ukraine and the shelling of civilian neighborhoods seem to be pushing more men to join the separatist fighters. Many of the new recruits are residents of Ukraine made bitter by new grievances, as well as old. VOA's Patrick Wells reports.
Video

Video Islamic State Prisoners Talk of Curiosity, God, Regret

Islamic State fighter, a prisoner of Kurdish YPG forces, asked his family asking for forgiveness: "I destroyed myself and I destroyed them along with me." The Syrian youth was one of two detainees who spoke to VOA’s Kurdish Service about the path they chose; their names have been changed and identifying details obscured. VOA's Zana Omer reports.
Video

Video Germanwings Findings Raise Issue of Psychological Testing for Pilots

More is being discovered about the co-pilot in the crash of Germanwings Flight 9525 in the French Alps. Investigators say he was hiding a medical condition, raising questions about the mental qualifications of pilots. VOA's Carolyn Presutti reports.
Video

Video Hi-tech Motorbike Helmet's Goal: Improve Road Safety

In cities with heavily congested traffic, people can get around much faster on a motorcycle than in a car. But a rider who is not sure of his route may have to stop to look at the map or consult a GPS. A Russian start-up company is working to make navigation easier for motorcyclists. Designers at Moscow-based LiveMap are developing a smart helmet with a built-in navigation system, head-mounted display and voice recognition. Zlatica Hoke has more.
Video

Video DOJ: Illinois National Guard Soldier Tried to Join ISIS

U.S. federal law enforcement agents arrested two suburban Chicago men accused of trying to join ISIS overseas, while also plotting attacks in the United States. As VOA’s Kane Farabaugh reports from the Midwest state of Illinois, one of those arrested is a soldier of the Illinois National Guard.
Video

Video New Wheelchair Is Easier to Use, Increases Mobility

Traditional push-rim wheelchairs create a lot of stress for arm, shoulder and neck muscles and joints. A redesigned chair, based on readily available bicycle technology, radically increases mobility while reducing the physical effort. VOA’s George Putic reports.
Video

Video Liberia's Almost Last Ebola Patient Grateful but Still Grieving

Beatrice Yardolo was to make history as Liberia’s last Ebola patient. Liberians recently started counting down 42 days, the period that has to go by without a single new infection until the World Health Organization can declare a country Ebola-free. That countdown stopped on March 20 when there was another new case of Ebola, making Yardolo’s story a reminder that Ebola is far from over. Benno Muchler reports from Monrovia.
Video

Video Cambodian Land Grabs Threaten Traditional Communities

Indigenous communities in Cambodia's Ratanakiri province say the government’s economic land concession policy is taking away their land and traditional way of life, making many fear that their identity will soon be lost. Local authorities, though, have denied this is the case. VOA's Say Mony went to investigate and filed this report, narrated by Colin Lovett.
Video

Video Space Program Status Disappoints 'Last Man on the Moon'

One of the films that drew big crowds last week at the annual South by Southwest festival in Austin, Texas, tells the story of the last human being to stand on the moon, U.S. astronaut Eugene Cernan. It has been 42 years since Cernan returned from the moon and he laments that no one else has gone there since. VOA’s Greg Flakus reports.

VOA Blogs

Circumventing Censorship

An Internet Primer for Healthy Web Habits

As surveillance and censoring technologies advance, so, too, do new tools for your computer or mobile device that help protect your privacy and break through Internet censorship.
More