News / USA

US Government Warns of Hack Threat to Network Gear

x
Reuters
The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
       
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
       
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a ``field day'' once the vulnerability in network devices is exposed.
       
"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation,'' said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.
       
Disabling UPnP once networks have already been set up, will have little impact on the operation of the devices.
       
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
       
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
    
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.
      
"This is the most pervasive bug I've ever seen,'' said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.
       
CERT in turn has tried to contact the more than 200 companies whose products Rapid7 have identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. ``We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted,'' Linksys said in a statement.
       
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.
       
"This definitely falls into the scary category,'' said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier.''
       
Andres Andreu, chief architect at networking security company Bayshore Networks said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.
       
"Simple targets such as home routers now become targets of greater interest,'' he said.

Taking Control
       
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
       
He said that was unlikely to happen quickly.
       
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
       
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
       
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
       
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and ``smart'' or Web-connected TVs are often shipped with that functionality turned on by default.
       
"You can't stay silent about something like this,'' he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them.''

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.
       
"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability,'' he said.
       
Rapid7 has released a tool to help identify those devices on its website.

You May Like

Multimedia Obama, Modi Break Nuclear Deal Deadlock

Impasse over liability issues had been stalling bilateral civilian nuclear cooperation; deal reached at start of US president's three-day visit to India More

WHO's Late Efforts in Tackling Ebola Highlight Need for Reform

Health experts debate measures to reform agency’s response to global public health emergencies in special one-day session on deadly outbreak More

One Tumultuous Year in Power for CAR's President

As sectarian violence raged across Central African Republic, interim President Catherine Samba-Panza has Herculean task: to end civil war and put country back on right track More

Featured Videos

Your JavaScript is turned off or you have an old version of Adobe's Flash Player. Get the latest Flash player.
Worldwide Photo Workshops Empower Youthi
X
Julie Taboh
January 23, 2015 11:08 PM
Last September, 20 young adults from South Sudan took part in a National Geographic Photo Camp. They are among hundreds of students from around the world who have learned how to use a camera to tell the stories of the people in their communities through the powerful medium of photography. Three camp participants talked about their experiences recently on a visit to Washington. VOA’s Julie Taboh reports.
Video

Video Worldwide Photo Workshops Empower Youth

Last September, 20 young adults from South Sudan took part in a National Geographic Photo Camp. They are among hundreds of students from around the world who have learned how to use a camera to tell the stories of the people in their communities through the powerful medium of photography. Three camp participants talked about their experiences recently on a visit to Washington. VOA’s Julie Taboh reports.
Video

Video US, Japan Offer Lessons as Eurozone Launches Huge Stimulus

The Euro currency has fallen sharply after the European Central Bank announced a bigger-than-expected $67 billion-a-month quantitative easing program Thursday - commonly seen as a form of printing new money. Henry Ridgwell reports for VOA from London on whether the move might rescue the eurozone economy -- and what lessons have been learned from similar programs around the world.
Video

Video Nigerian Elections Pose Concern of Potential Conflict in 'Middle Belt'

Nigeria’s north-central state of Kaduna has long been the site of fighting between Muslims and Christians as well as between people of different ethnic groups. As the February elections approach, community and religious leaders are making plans they hope will keep the streets calm after results are announced. Chris Stein reports from the state capital, Kaduna.
Video

Video As Viewership Drops, Obama Puts His Message on YouTube

Ratings reports show President Obama’s State of the Union address this week drew the lowest number of viewers for this annual speech in 15 years. White House officials anticipated this, and the president has decided to take a non-traditional approach to getting his message out. VOA White House correspondent Luis Ramirez reports.
Video

Video S. Korean Businesses Want to End Trade Restrictions With North

Business leaders in South Korea are calling for President Park Geun-hye to ease trade restrictions with North Korea that were put in place in 2010 after the sinking of a South Korean warship.Pro-business groups argue that expanding trade and investment is not only good for business, it is also good for long-term regional peace and security. VOA’s Brian Padden reports.
Video

Video US Marching Bands Grow Into a Show of Their Own

The 2014 Super Bowl halftime show was the most-watched in history - attracting an estimated 115 million viewers. That event featured pop star Bruno Mars. But the halftime show tradition started with marching bands, which still dominate the entertainment at U.S. high school and college American football games. But as Enming Liu reports in this story narrated by Adrianna Zhang, marching bands have grown into a show of their own.
Video

Video Secular, Religious Kurds Face Off in Southeast Turkey

Turkey’s predominantly Kurdish southeast has been rocked by violence between religious and secular Kurds. Dorian Jones reports on the reasons behind the stand-off from the region's main city of Diyarbakir, which suffered the bloodiest fighting.
Video

Video Kenya: Misuse of Antibiotics Leading to Resistance by Immune System

In Kenya, the rise of drug resistant bacteria could reverse the gains made by medical science over diseases that were once treatable. Kenyans could be at risk of fatalities as a result if the power in antibiotics is not preserved. Lenny Ruvaga has more on the story from Nairobi.
Video

Video Solar-Powered Plane Getting Ready to Circumnavigate Globe

Pilots of the solar plane that already set records flying without a drop of fuel are close to making their first attempt to fly the craft around the globe. They plan to do it in 25 flying days over a five month period. VOA’s George Putic reports.
Video

Video How Experts Decide Ethiopia Has the Best Coffee

Ethiopia’s coffee has been ranked as the best in the world by an international group of coffee connoisseurs. Not surprisingly, coffee is a top export for the country. But at home it is a source of pride. Marthe van der Wolf in Addis Ababa decided to find out what makes the bean and brew so special and how experts make their determinations.
Video

Video Yazidi Refugees at Center of Political Fight Between Turkey, Kurds

The treatment of thousands of Yazidis refugees who fled to Turkey to escape attacks by Islamic State militants has become the center of a dispute between the Turkish government and the country's pro-Kurdish movement. VOA's Dorian Jones reports.
Video

Video World’s Richest 1% Forecast to Own More Than Half of Global Wealth

The combined wealth of the world's richest 1 percent will overtake that of the remaining 99 percent at some point in 2016, according to the anti-poverty charity Oxfam. Campaigners are demanding that policymakers take action to address the widening gap between the ‘haves’ and the ‘have nots’, as Henry Ridgwell reports for VOA from London.

Circumventing Censorship

An Internet Primer for Healthy Web Habits

As surveillance and censoring technologies advance, so, too, do new tools for your computer or mobile device that help protect your privacy and break through Internet censorship.
More

All About America

AppleAndroid