US Government Warns of Hack Threat to Network Gear

Reuters
The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
       
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
       
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a "field day" once the vulnerability in network devices is exposed.
       
"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation," said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.
       
Disabling UPnP once networks have already been set up will have little impact on the operation of the devices.
       
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
       
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
    
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.
      
"This is the most pervasive bug I've ever seen," said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.
       
CERT in turn has tried to contact the more than 200 companies whose products Rapid7 has identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted," Linksys said in a statement.
       
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still-emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.
       
"This definitely falls into the scary category," said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier."
       
Andres Andreu, chief architect at networking security company Bayshore Networks, said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.
       
"Simple targets such as home routers now become targets of greater interest," he said.

Taking Control
       
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
       
He said that was unlikely to happen quickly.
       
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
       
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
       
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
       
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and "smart" or Web-connected TVs are often shipped with that functionality turned on by default.
       
"You can't stay silent about something like this," he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them."

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.
       
"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability," he said.
       
Rapid7 has released a tool to help identify those devices on its website.
