News / USA

US Government Warns of Hack Threat to Network Gear

The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a ``field day'' once the vulnerability in network devices is exposed.
"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation,'' said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.
Disabling UPnP once networks have already been set up, will have little impact on the operation of the devices.
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.
"This is the most pervasive bug I've ever seen,'' said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.
CERT in turn has tried to contact the more than 200 companies whose products Rapid7 have identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. ``We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted,'' Linksys said in a statement.
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.
"This definitely falls into the scary category,'' said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier.''
Andres Andreu, chief architect at networking security company Bayshore Networks said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.
"Simple targets such as home routers now become targets of greater interest,'' he said.

Taking Control
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
He said that was unlikely to happen quickly.
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and ``smart'' or Web-connected TVs are often shipped with that functionality turned on by default.
"You can't stay silent about something like this,'' he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them.''

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.
"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability,'' he said.
Rapid7 has released a tool to help identify those devices on its website.

You May Like

Syrian Rebels Poised for Anti-Russia Collaboration

Forty-one insurgent groups issue joint statement vowing retaliation for Russian air offensives More

Political Maneuver Revives Export-Import Bank's Chances

Parliamentary tactic gets bill out of committee, but it faces opposition in the Senate More

Beijing Warns US on S. China Sea Patrols

Warning follows news reports Thursday that US military is planning to sail warships close to artificial islands Beijing has been aggressively building More

Featured Videos

Your JavaScript is turned off or you have an old version of Adobe's Flash Player. Get the latest Flash player.
House Republicans in Chaos as Speaker Favorite Withdrawsi
Jim Malone
October 09, 2015 12:32 AM
The Republican widely expected to become the next speaker of the House of Representatives shocked his colleagues Thursday by announcing he was withdrawing his candidacy. The decision by Majority Leader Kevin McCarthy means the race to succeed retiring Speaker John Boehner is now wide open. VOA National Correspondent Jim Malone reports.

Video House Republicans in Chaos as Speaker Favorite Withdraws

The Republican widely expected to become the next speaker of the House of Representatives shocked his colleagues Thursday by announcing he was withdrawing his candidacy. The decision by Majority Leader Kevin McCarthy means the race to succeed retiring Speaker John Boehner is now wide open. VOA National Correspondent Jim Malone reports.

Video German, US Officials Investigate Volkswagen

German officials have taken steps to restore some of the reputation their car industry has lost after a recent Volkswagen diesel emissions scandal. Authorities have searched Volkswagen headquarters and other locations in an effort to identify the culprits in the creation of software that helps cheat on emission tests. Meanwhile, a group of lawmakers in Washington held a hearing to get to the bottom of the cheating strategy that was first discovered in the United States. Zlatica Hoke reports.

Video Why Are Gun Laws So Hard for Congress to Tackle?

Since taking office, President Barack Obama has spoken out or issued statements about 15 mass shootings. The most recent shooting, in which 10 people were killed at a community college, sparked outrage over the nation's gun laws. But changing those laws isn't as easy as many think. VOA's Carolyn Presutti reports.

Video Hungary Criticized for Handling of Refugees

Amnesty International has accused Hungary of breaking multiple international and European human rights laws in its handling of the refugee crisis. As Henry Ridgwell reports, thousands of migrants and refugees continue to travel through the Balkans to Hungary every day.

Video Iraqi-Kurdish Teachers Vow to Continue Protest

Sixteen people were injured when police used tear gas and rubber bullets to disperse teachers and other public employees who took to the streets in Iraq’s Kurdish north, demanding their salaries from the Kurdish Regional Government (KRG). VOA’s Dilshad Anwar, in Sulaimaniya, caught up with protesting teachers who say they have not been paid for three months. Parke Brewer narrates his report.

Video Syrian Village Community Faces Double Displacement in Lebanon

Driven by war from their village in southwestern Syria, a group of families found shelter in Lebanon, resettling en masse in a half-built university to form one of the biggest settlements of its kind in Lebanon. Three years later, however, they now face being kicked out and dispersed in a country where finding shelter as a refugee can be especially tough. John Owens has more for VOA from the city of Saida, also known as Sidon.

Video Bat Colony: Unusual Tourist Attraction in Texas

The action hero Batman might be everyone’s favorite but real bats hardly get that kind of adoration. Put more than a million of these creatures of the night together and it only evokes images of horror. Sarah Zaman visited the largest urban bat colony in North America to see just how well bat and human get along with each other.

Video Device Shows Promise of Stopping Motion Sickness

It’s a sickening feeling — the dizziness, nausea and vomiting that comes with motion sickness. But a device now being developed could stop motion sickness by suppressing certain signals in the brain. VOA’s Deborah Block reports.

Video Making a Mint

While apples, corn, and cranberries top the list of fall produce in the US, it’s also the time to harvest gum, candy, and toothpaste—or at least the oil that makes them minty fresh. Erika Celeste reports from South Bend, Indiana on the mint harvest.

Video Activists Decry Lagos Slum Demolition

Acting on a court order, authorities in Nigeria demolished a slum last month in the commercial capital, Lagos. But human rights activists say the order was illegal, and the community was razed to make way for a government housing project. Chris Stein has more from Lagos.

Video TPP Agreed, But Faces Stiff Opposition

President Barack Obama promoted the Trans-Pacific Partnership on Tuesday, one day after 12 Pacific Rim nations reached the free trade deal in Atlanta. The controversial pact that would involve about 40 percent of global trade still needs approval by lawmakers in respective countries. Zlatica Hoke reports Obama is facing strong opposition to the deal, including from members of his own party.

Video Ukranian Artist Portrays Putin in an Unusual Way

As Russian President Vladimir Putin was addressing the United Nations in New York last month, he was also being featured in an art exhibition in Washington. It’s not a flattering exhibit. It’s done by a Ukrainian artist in a unique medium. And its creator says it’s not only a work of art - it’s a political statement. VOA’s Tetiana Kharchenko has more.

VOA Blogs