News / USA

US Government Warns of Hack Threat to Network Gear

x
Reuters
The U.S. Department of Homeland Security urged computer users on Tuesday to disable a common networking technology feature, after researchers warned that hackers could exploit flaws to gain access to tens of millions of vulnerable devices.
       
The U.S. government's Computer Emergency Readiness Team, on its website, advised consumers and businesses to disable a feature known as Universal Plug and Play or UPnP, and some other related features that make devices from computers to printers accessible over the open Internet.
       
UPnP, a communications protocol, is designed to let networks identify and communicate with equipment, reducing the amount of work it takes to set up networks. Dave Marcus, chief architect of advanced research and threat intelligence with Intel's McAfee unit, said hackers would have a ``field day'' once the vulnerability in network devices is exposed.
       
"Historically, these are amongst the last to be updated and protected properly which makes them a gold mine for potential abuse and exploitation,'' said Marcus, who advises government agencies and corporations on protections against sophisticated attacks.
       
Disabling UPnP once networks have already been set up, will have little impact on the operation of the devices.
       
The new security bugs were initially brought to the attention of the government by computer security company Rapid7, in Boston, which released a report on the problem on Tuesday.

The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm's researchers have identified with the UPnP standard.
       
The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems, according to Rapid7.
    
Rapid7 has alerted electronics makers about the problem through the CERT Coordination Center, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.
      
"This is the most pervasive bug I've ever seen,'' said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday.
       
CERT in turn has tried to contact the more than 200 companies whose products Rapid7 have identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Linksys said it is aware of the problem. ``We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted,'' Linksys said in a statement.
       
Belkin, D-Link and Netgear did not respond to requests for comment.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7's findings would draw widespread attention to the still emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.
       
"This definitely falls into the scary category,'' said Wysopal, who reviewed Rapid7's findings ahead of their publication. "There is going to be a lot more research on this. And the follow-on research could be a lot scarier.''
       
Andres Andreu, chief architect at networking security company Bayshore Networks said they expect an increase in cybercrime as hackers begin to figure out ways to take advantage of the newly identified vulnerabilities.
       
"Simple targets such as home routers now become targets of greater interest,'' he said.

Taking Control
       
Moore said that there were bugs in most of the devices that Rapid7 tested and that device manufacturers will need to release software updates to remedy the problems.
       
He said that was unlikely to happen quickly.
       
In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.
       
Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.
       
Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.
       
People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, Web cameras, storage drives and ``smart'' or Web-connected TVs are often shipped with that functionality turned on by default.
       
"You can't stay silent about something like this,'' he said. "These devices seem to have had the same level of core security for decades. Nobody seems to really care about them.''

Veracode's Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.
       
"If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability,'' he said.
       
Rapid7 has released a tool to help identify those devices on its website.

You May Like

Turkey: No Ransom Paid for Release of Hostages Held by IS Militants

President Erdogan hails release of hostages as diplomatic success but declines to be drawn on whether their release freed Ankara's hand to take more active stance against insurgents More

Audio Sierra Leone Ends Ebola Lockdown

Health ministry says it has reached 75 percent of its target of visiting 1.5 million homes to locate infected, educate population about virus More

US Pivot to Asia Demands Delicate Balancing Act

As tumult in Middle East distracts Obama administration, efforts to shift American focus eastward appear threatened More

Featured Videos

Your JavaScript is turned off or you have an old version of Adobe's Flash Player. Get the latest Flash player.
NASA’s MAVEN Probe Enters Mars Orbiti
X
September 22, 2014 9:20 PM
NASA’s newest Mars probe, called MAVEN, has successfully entered its designated orbit around the Red Planet. Scientists will use its sophisticated instruments to try to learn what happened to the atmosphere Mars had a few billion years ago. VOA’s George Putic has more.
Video

Video NASA’s MAVEN Probe Enters Mars Orbit

NASA’s newest Mars probe, called MAVEN, has successfully entered its designated orbit around the Red Planet. Scientists will use its sophisticated instruments to try to learn what happened to the atmosphere Mars had a few billion years ago. VOA’s George Putic has more.
Video

Video For West Ukraine City, Conflict Far Away Yet Near

The western Ukrainian city of Lviv prides itself on being both physically and culturally close to Western Europe. The Russian-backed separatists in the eastern part of the country are 1,200 kilometers away, and seemingly even farther away in their world view. Still, as VOA’s Al Pessin reports, the war is having an impact in Lviv.
Video

Video Saving Global Fish Stocks Starts in the Kitchen

With an estimated 90 percent of the world’s larger fish populations having already vanished, a growing number of people in the seafood industry are embracing the concept of sustainable fishing and farming practices. One American marine biologist turned restaurateur in Thailand is spreading the word among fellow chefs and customers. VOA Correspondent Steve Herman reports from Bangkok.
Video

Video Chinese Admiral Key in China’s Promotion of Sea Links

China’s President last week wrapped up landmark visits to India, Sri Lanka and Maldives, part of a broader campaign to promote a new “Maritime Silk Road” in Asia. The Chinese government’s promotion efforts rely heavily on the country’s best-known sailor, a 15th century eunuch named Zheng He. VOA's Bill Ide reports from the sailor’s hometown in Yunnan on the effort to promote China’s future by recalling its past.
Video

Video Experts Fear Ebola Outbreak ‘Beyond Our Capability to Contain’

Each day brings with it new warnings about the deadly Ebola outbreak already blamed for killing more than 2,600 people across West Africa. And while countries and international organizations like the United Nations are starting to come through on promises of help for those most affected, the unprecedented speed with which the virus has spread is raising questions about the international response. VOA's Jeff Seldin has more from Washington.
Video

Video Natural Gas Export Plan Divides Maryland Town

A U.S. power company that has been importing natural gas now wants to export it. If approved, its plant in Lusby, Maryland, would likely be the first terminal on the United States East Coast to export liquefied natural gas from American pipelines. While some residents welcome the move because it will create jobs, others oppose it, saying the expansion could be a safety and environmental hazard. VOA’s Deborah Block examines the controversy.
Video

Video Difficult Tactical Battle Ahead Against IS Militants in Syria

The U.S. president has ordered the military to intensify its fight against the Islamic State, including in Syria. But how does the military conduct air strikes in a country that is not a U.S. ally? VOA correspondent Carla Babb reports from the Pentagon.
Video

Video Iran, World Powers Seek Progress in Nuclear Talks

Iran and the five permanent members of the U.N. Security Council plus Germany, known as the P5 + 1, have started a new round of talks on Iran's nuclear program. VOA State Department correspondent Pam Dockins reports that as the negotiations take place in New York, a U.S. envoy is questioning Iran's commitment to peaceful nuclear activity.
Video

Video Migrants Caught in No-Man's Land Called Calais

The deaths of hundreds of migrants in the Mediterranean this week has only recast the spotlight on the perils of reaching Europe. And for those forunate enough to reach a place like Calais, France, only find that their problems aren't over. Lisa Bryant has the story.
Video

Video Westgate Siege Anniversary Brings Back Painful Memories

One year after it happened, the survivors of the terror attack on Nairobi's Westgate Shopping Mall still cannot shake the images of that tragic incident. For VOA, Mohammed Yusuf tells the story of victims still waiting for the answer to the question 'how could this happen?'
Video

Video Whaling Summit Votes to Uphold Ban on Japan Whale Hunt

The International Whaling Commission, meeting in Slovenia, has voted to uphold a court ruling banning Japan from hunting whales in the Antarctic Ocean. Conservationists hailed the ruling as a victory, but Tokyo says it will submit revised plans for a whale hunt in 2015. Henry Ridgwell reports from London.
Video

Video A Dinosaur Fit for Land and Water

Residents and tourists in Washington D.C. can now examine a life-size replica of an unusual dinosaur that lived almost a hundred million years ago in northern Africa. Scientists say studying the behemoth named Spinosaurus helps them better understand how some prehistoric animals adapted to life on land and in water. The Spinosaurus replica is on display at the National Geographic museum. VOA’s George Putic has more.
Colonel Steve ‘Spiros’ Pisanos left Greece and came to the U.S. to learn to fly. He flew fighters for the Allies in World War II, narrowly escaping death multiple times.Colonel Steve ‘Spiros’ Pisanos left Greece and came to the U.S. to learn to fly. He flew fighters for the Allies in World War II, narrowly escaping death multiple times.

AppleAndroid