[LINK] security issue on routers (and other devices?)
Jan Whitaker
jwhit at janwhitaker.com
Tue Jan 29 22:51:50 AEDT 2013
[I disabled this on my Netgear ADSL modem/router to be on the safe(r)
side -- not sure what it means will happen now that I have. I already
have wifi access locked down to requiring an explicit MAC address,
but this sounds like a different issue.]
'This definitely falls into the scary category': researchers warn of
50 million exposed devices
Jim Finkle
Published: January 29, 2013 - 10:39PM
Bugs in widely used networking technology expose tens of millions of
personal computers, printers and storage drives to attack by hackers
over the regular internet, researchers with a security software maker said.
The problem lies in computer routers and other networking equipment
that use a commonly employed standard known as Universal Plug and
Play or UPnP. UPnP makes it easy for networks to identify and
communicate with equipment, reducing the amount of work it takes to
set up networks.
Security software maker Rapid7 <http://www.rapid7.com> said in a white
paper to be released on Tuesday in the US that it discovered between
40 million and 50 million devices that were vulnerable to attack due
to three separate sets of problems that the firm's researchers have
identified with the UPnP standard.
The long list of devices includes products from manufacturers
including Belkin, D-Link, Cisco's Linksys division and Netgear.
Representatives for Belkin, D-Link, Linksys and Netgear could not be
reached for comment on Monday evening US time.
Chris Wysopal, chief technology officer of security software firm
Veracode, said he believed that publication of Rapid7's findings
would draw widespread attention to the still emerging area of UPnP
security, prompting other security researchers to search for more bugs in UPnP.
"This definitely falls into the scary category," said Wysopal, who
reviewed Rapid7's findings ahead of their publication. "There is
going to be a lot more research on this. And the follow-on research
could be a lot scarier."
Rapid7 has privately alerted electronics makers about the problem
through the CERT Coordination Centre, a group at the Carnegie Mellon
Software Engineering Institute that helps researchers report
vulnerabilities to affected companies.
"This is the most pervasive bug I've ever seen," said HD Moore, chief
technology officer for Rapid7. He discussed the research with Reuters
late on Monday US time.
Moore, who created a widely used platform known as Metasploit that
allows security experts to simulate network attacks, said that he
expected CERT to release a public warning about the flaw on Tuesday.
A spokesman for the CERT Coordination Centre declined to comment.
A source with a networking equipment maker confirmed they had been
alerted that CERT would issue an advisory on Tuesday and that
companies were preparing to respond.
Taking control
The flaws could allow hackers to access confidential files, steal
passwords, take full control over PCs as well as remotely access
devices such as webcams, printers and security systems, according to Rapid7.
Moore said that there were bugs in most of the devices he tested and
that device manufacturers will need to release software updates to
remedy the problems.
He said that is unlikely to happen quickly.
In the meantime, he advised computer users to quickly use a free tool
released by Rapid7 to identify vulnerable gear, then disable the UPnP
functionality in that equipment.
Moore said hackers have not widely exploited the UPnP vulnerabilities
to launch attacks, but both Moore and Wysopal expected they may start
to do so after the findings are publicized.
Still, Moore said he decided to disclose the flaws in a bid to
pressure equipment makers to fix the bugs and generally pay more
attention to security.
People who own devices with UPnP enabled may not be aware of it
because new routers, printers, media servers, web cameras, storage
drives and "smart" or web-connected TVs are often shipped with that
functionality turned on by default.
"You can't stay silent about something like this," he said. "These
devices seem to have had the same level of core security for decades.
Nobody seems to really care about them."
Veracode's Wysopal said that some hackers have likely already
exploited the flaws to launch attacks, but in relatively small
numbers, choosing victims one at a time.
"If they are going after executives and government officials, then
they will probably look for their home networks and exploit this
vulnerability," he said.
Rapid7 is advising businesses and consumers alike to disable UPnP in
devices that they suspect may be vulnerable to attack. The firm has
released a tool to help identify those devices on its website:
<http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp>
Reuters
This story was found at:
http://www.theage.com.au/it-pro/security-it/this-definitely-falls-into-the-scary-category-researchers-warn-of-50-million-exposed-devices-20130129-2djav.html
Melbourne, Victoria, Australia
jwhit at janwhitaker.com
blog: http://janwhitaker.com/jansblog/
business: http://www.janwhitaker.com
Our truest response to the irrationality of the world is to paint or
sing or write, for only in such response do we find truth.
~Madeleine L'Engle, writer