
US Government Warns of Hack Threat to Network Gear

Reuters
The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
       
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
       
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a "field day" once the vulnerability in network devices is exposed.

"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation," said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.

Disabling UPnP once networks have already been set up will have little impact on the operation of the devices.
       
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
       
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
    
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.

"This is the most pervasive bug I've ever seen," said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.

CERT in turn has tried to contact the more than 200 companies whose products Rapid7 has identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted," Linksys said in a statement.
       
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still-emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.

"This definitely falls into the scary category," said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier."

Andres Andreu, chief architect at networking security company Bayshore Networks, said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.

"Simple targets such as home routers now become targets of greater interest," he said.

Taking Control
       
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
       
He said that was unlikely to happen quickly.
       
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
       
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
       
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
       
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and "smart" or Web-connected TVs are often shipped with that functionality turned on by default.

"You can't stay silent about something like this," he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them."

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.

"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability," he said.
       
Rapid7 has released a tool to help identify those devices on its website.
