US Government Warns of Hack Threat to Network Gear

Reuters
The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
       
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
       
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a "field day" once the vulnerability in network devices is exposed.
       
"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation," said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.
       
Disabling UPnP once networks have already been set up will have little impact on the operation of the devices.
       
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
       
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
    
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.
      
"This is the most pervasive bug I've ever seen," said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.
       
CERT in turn has tried to contact the more than 200 companies whose products Rapid7 has identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. "We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted," Linksys said in a statement.
       
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still-emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.
       
"This definitely falls into the scary category," said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier."
       
Andres Andreu, chief architect at networking security company Bayshore Networks, said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.
       
"Simple targets such as home routers now become targets of greater interest," he said.

Taking Control
       
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
       
He said that was unlikely to happen quickly.
       
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
       
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
       
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
       
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and "smart" or Web-connected TVs are often shipped with that functionality turned on by default.
       
"You can't stay silent about something like this," he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them."

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.
       
"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability," he said.
       
Rapid7 has released a tool to help identify those devices on its website.
