US Government Warns of Hack Threat to Network Gear

The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a "field day" once the vulnerability in network devices is exposed.
"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation," said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.
Disabling UPnP once networks have already been set up will have little impact on the operation of the devices.
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.
"This is the most pervasive bug I've ever seen," said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.
CERT in turn has tried to contact the more than 200 companies whose products Rapid7 has identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted," Linksys said in a statement.
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still-emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.
"This definitely falls into the scary category," said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier."
Andres Andreu, chief architect at networking security company Bayshore Networks, said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.
"Simple targets such as home routers now become targets of greater interest," he said.

Taking Control
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
He said that was unlikely to happen quickly.
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and "smart" or Web-connected TVs are often shipped with that functionality turned on by default.
"You can't stay silent about something like this," he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them."

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.
"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability," he said.
Rapid7 has released a tool to help identify those devices on its website.
