Homeland Security: Disable UPnP as tens of millions at risk

The US government is warning users to disable a common networking feature after bugs left tens of millions of hardware devices vulnerable to attacks by hackers and malware.
Written by Zack Whittaker, Contributor

The US Department of Homeland Security is next in line to warn of a serious threat to networking devices, such as scanners, printers, computers, and routers.


It comes only a few hours after a white paper was released by security researchers at Rapid7, which claimed that approximately 40 to 50 million devices worldwide are vulnerable to infiltration by hackers as a result of a flaw in a networking protocol.

UPnP, or Universal Plug and Play, allows devices that connect to networks to communicate seamlessly with one another and discover each other's presence. Devices can then connect over a network to share files, print documents, and access other shared resources.

But now, Homeland Security is concerned that the vulnerability could impact millions of machines, and warns users to update their software or disable UPnP altogether.

The trouble is that, for many, operating system makers--such as Apple and Microsoft--must create hotfixes or patches. The researchers already noted that over 1,500 vendors and 6,900 products were identified as vulnerable to at least one of the flaws, including products from vendors such as Belkin, D-Link, Linksys, and Netgear.

"Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices," the US Computer Emergency Readiness Team (US-CERT) said in a note published today.

"US-CERT recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities."

It is understood from Rapid7's findings that there are numerous bugs with the protocol, which could ultimately put at risk tens of millions of networked devices--especially those connected directly to the Internet.

US-CERT then advises users to "disable UPnP (if possible)", and to restrict networking protocols and ports, including Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOAP) services, from untrusted networks, including the Internet.
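To act on the libupnp 1.6.18 recommendation, an administrator can check which devices on their own network still announce an older libupnp in their SSDP responses. The sketch below is an added example, not code from US-CERT or Rapid7: it parses SSDP responses and flags any SERVER banner reporting a libupnp older than 1.6.18. The banner format, the status labels and the sample responses are assumptions made for illustration, and a device whose vendor changed or removed the banner will show up as "unknown-stack" rather than "ok".

```python
import re

FIXED = (1, 6, 18)  # libupnp release that US-CERT recommends
# Assumption: the device sends libupnp's usual SERVER banner,
# "<OS> UPnP/1.0 Portable SDK for UPnP devices/<version>" (older: "Intel SDK ...").
BANNER = re.compile(r"(?:Portable|Intel) SDK for UPnP devices\s*/\s*(\d+(?:\.\d+)*)", re.I)

def parse_headers(raw):
    """Parse one SSDP (HTTP-over-UDP) response into a lower-cased header dict."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def libupnp_version(server):
    """Return the libupnp version as a 3-tuple, or None if the banner is absent."""
    m = BANNER.search(server or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "1.2" to (1, 2, 0)

def audit(responses):
    """Map (ip, raw_response) pairs to (ip, status, description URL)."""
    findings = []
    for ip, raw in responses:
        h = parse_headers(raw)
        ver = libupnp_version(h.get("server"))
        status = "unknown-stack" if ver is None else "needs-update" if ver < FIXED else "ok"
        findings.append((ip, status, h.get("location", "")))
    return findings

def _resp(ip, server):  # builds a constructed sample response
    return (ip, "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                f"LOCATION: http://{ip}:49152/desc.xml\r\nSERVER: {server}\r\n"
                "ST: upnp:rootdevice\r\n\r\n")

# Constructed sample data, not captured from real devices.
SAMPLE = [
    _resp("192.168.1.1", "Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"),
    _resp("192.168.1.20", "Linux/3.2.0, UPnP/1.0, Portable SDK for UPnP devices/1.6.18"),
    _resp("192.168.1.30", "ExampleOS/1.0 UPnP/1.1 ExampleStack/2.0"),
]

if __name__ == "__main__":
    for ip, status, location in audit(SAMPLE):
        print(f"{ip:15} {status:14} {location}")
```

Any device that answers SSDP on an interface facing an untrusted network should be treated as a finding whatever version it reports, in line with the advice to restrict SSDP and SOAP from untrusted networks.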

The risk is that hackers could "execute arbitrary code on the device or cause a denial of service," or in other words: install malware on your computer and/or run it as part of a botnet.

Along with this, hackers could access confidential documents, steal usernames and passwords, take over PCs, and remotely access networked devices, such as webcams, printers, televisions, security systems, and other devices plugged in or wirelessly connected to networks.

Most networking devices use UPnP, including computers running Windows, Apple's OS X, and Linux. Many mobile devices also use UPnP to print to wireless or networked printers.

It's rare for the US government to actively warn users to disable software or a feature. That said, it comes only a fortnight after Homeland Security actively warned users to disable Java software as a serious vulnerability was found that could have allowed hackers or malware writers to remotely execute code if a rigged Web site was visited.
