x404.co.uk
http://www.x404.co.uk/forum/

Homeland Security: Disable UPnP, as tens of millions at risk
http://www.x404.co.uk/forum/viewtopic.php?f=19&t=18197

Author:  ProfessorF [ Tue Jan 29, 2013 10:32 pm ]
Post subject:  Homeland Security: Disable UPnP, as tens of millions at risk

Quote:
Homeland Security: Disable UPnP, as tens of millions at risk
Summary: The U.S. government is warning to disable a common networking feature after bugs have left tens of millions of hardware devices vulnerable to attacks by hackers and malware.


By Zack Whittaker for Zero Day | January 29, 2013 -- 21:03 GMT

The U.S. Department of Homeland Security is next in line to warn of a serious threat to networking devices, such as scanners and printers, computers and routers.
It comes only a few hours after a white paper was released by security researchers at Rapid7, which claimed that approximately 40 to 50 million devices worldwide are vulnerable to infiltration by hackers as a result of a flaw in a networking protocol.
UPnP, or Universal Plug and Play, allows devices that connect to networks, to communicate seamlessly with one another and discover each other's presence. Devices can then connect over a network to share files, print documents, and access other shared resources.
But now Homeland Security is concerned that the vulnerability could impact millions of machines, and warns users to update their software or disable UPnP altogether.

The trouble is for many, operating system makers—such as Apple and Microsoft—must create hotfixes or patches. The researchers already noted that over 1,500 vendors and 6,900 products identified were vulnerable to at least one of the flaws, including from vendors such as Belkin, D-Link, Linksys, and Netgear.
"Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices," the U.S. Computer Emergency Readiness Team (US-CERT) said in a note published today.
"US-CERT recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities."

It is understood from Rapid7's findings that there are numerous bugs with the protocol, which could ultimately put at risk tens of millions of networked devices—especially those connected directly to the Internet.
It then warns to "disable UPnP (if possible)," along with restricting networking protocols and ports, including Simple Service Discovery Protocol (SSDP) and Simple Object Access Protocol (SOAP) services from untrusted networks, including the Internet.
The risk is that hackers could "execute arbitrary code on the device or cause a denial of service," or in other words: install malware on your computer and/or run it as part of a botnet.
Along with this, hackers could access confidential documents, steal usernames and passwords, take over PCs, and remotely access networked devices, such as webcams, printers, televisions, security systems, and other devices plugged in or wirelessly connected to networks.
Most networking devices in fact use UPnP, including computers running Windows, Apple's OS X, and Linux. Many mobile devices also use UPnP to print to wireless or networked printers.

It's rare for the U.S. government to actively warn to disable software or a feature. That said, it comes only a fortnight after Homeland Security actively warned users to disable Java software, after a serious vulnerability was found that could have allowed hackers or malware writers to remotely execute code, if a rigged Web site was visited.


http://www.zdnet.com/homeland-security-disable-upnp-as-tens-of-millions-at-risk-7000010512/
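
An added example, not part of the original thread or the quoted article: a small audit helper that reads the Server header of SSDP responses on your own LAN and compares any libupnp version it announces with the 1.6.18 release named in the US-CERT note. The banner format, the function names and the sample responses are assumptions constructed for illustration.

```python
import re
import socket

FIXED = (1, 6, 18)  # libupnp release named in the US-CERT note
# Assumed banner format: "... Portable SDK for UPnP devices/<version>"
SDK_RE = re.compile(r"SDK for UPnP devices\s*/\s*(\d+(?:\.\d+)+)", re.I)

def parse_headers(raw: bytes) -> dict:
    """Return the headers of one SSDP response, names lower-cased."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def assess(raw: bytes) -> str:
    """Classify one response as 'outdated', 'fixed' or 'unknown'."""
    m = SDK_RE.search(parse_headers(raw).get("server", ""))
    if not m:
        return "unknown"  # another UPnP stack, or no version announced
    version = tuple(int(part) for part in m.group(1).split("."))
    return "outdated" if version < FIXED else "fixed"

def discover(timeout: float = 3.0) -> dict:
    """Send one SSDP M-SEARCH on the local LAN; map responder IP to result."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg.encode(), ("239.255.255.250", 1900))
        try:
            while True:
                data, (ip, _port) = s.recvfrom(65507)
                results[ip] = assess(data)
        except socket.timeout:
            pass  # no more responders within the timeout
    return results

# Constructed sample responses (not captured from real devices)
SAMPLES = {
    "old": b"HTTP/1.1 200 OK\r\nSERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\nST: upnp:rootdevice\r\n\r\n",
    "fixed": b"HTTP/1.1 200 OK\r\nServer: Linux/3.2 UPnP/1.0 Portable SDK for UPnP devices/1.6.18\r\n\r\n",
    "other": b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

The result reflects only what the device announces about itself; "unknown" does not mean the device is unaffected, and a vendor may ship a patched build without changing the banner.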

Author:  Amnesia10 [ Tue Jan 29, 2013 10:55 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

As a mac user Java is not installed on Lion and Mountain Lion OSes. So that is one threat dealt with, but this other threat seems a lot more complex for the average user to deal with. What they needed to do was have a website where you entered your device and it would tell you if you were at risk.

Author:  l3v1ck [ Tue Jan 29, 2013 11:12 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

Gibson research has had a thing about UPnP on its site for years

Author:  big_D [ Wed Jan 30, 2013 5:12 am ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

Yep, I listen to Gibson's Security Now podcast ( http://twit.tv/sn ) and he ranted about this ages ago!

One of the first things I did with my new router was ensure that UPnP is disabled. Internal network was enabled for Fritz!Box apps for Windows, iOS and Android, external UPnP was disabled.

Author:  Amnesia10 [ Wed Jan 30, 2013 5:55 am ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

l3v1ck wrote:
Gibson research has had a thing about UPnP on its site for years

I went to the Gibson site to do a Shields Up test and with the exception of the ping test it passed. Does anyone know how I can stop my machine responding to Pings?

Author:  saspro [ Wed Jan 30, 2013 8:53 am ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

Amnesia10 wrote:
l3v1ck wrote:
Gibson research has had a thing about UPnP on its site for years

I went to the Gibson site to do a Shields Up test and with the exception of the ping test it passed. Does anyone know how I can stop my machine responding to Pings?


You need to set that on your router if you're testing your external address

Author:  paulzolo [ Wed Jan 30, 2013 9:39 am ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

Amnesia10 wrote:
As a mac user Java is not installed on Lion and Mountain Lion OSes. So that is one threat dealt with, but this other threat seems a lot more complex for the average user to deal with. What they needed to do was have a website where you entered your device and it would tell you if you were at risk.


If you need to run Photoshop (certainly CS3), you need to install Java. I’ve not got it as a browser plugin though.

Author:  Amnesia10 [ Wed Jan 30, 2013 5:57 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

paulzolo wrote:
Amnesia10 wrote:
As a mac user Java is not installed on Lion and Mountain Lion OSes. So that is one threat dealt with, but this other threat seems a lot more complex for the average user to deal with. What they needed to do was have a website where you entered your device and it would tell you if you were at risk.


If you need to run Photoshop (certainly CS3), you need to install Java. I’ve not got it as a browser plugin though.

I do not use Photoshop and do not have it as a browser plug in either.

Author:  Amnesia10 [ Wed Jan 30, 2013 6:04 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

saspro wrote:
Amnesia10 wrote:
l3v1ck wrote:
Gibson research has had a thing about UPnP on its site for years

I went to the Gibson site to do a Shields Up test and with the exception of the ping test it passed. Does anyone know how I can stop my machine responding to Pings?


You need to set that on your router if you're testing your external address

But what do I need to look out for and change. I cannot see where it says ping.

Author:  JJW009 [ Wed Jan 30, 2013 6:20 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

Amnesia10 wrote:
But what do I need to look out for and change. I cannot see where it says ping.

There is sometimes an entry called "ICMP echo response" on a firewall or security page, although on my Netgear it's just called ping and it's on the WAN page.

Author:  Amnesia10 [ Wed Jan 30, 2013 6:50 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

JJW009 wrote:
Amnesia10 wrote:
But what do I need to look out for and change. I cannot see where it says ping.

There is sometimes an entry called "ICMP echo response" on a firewall or security page, although on my Netgear it's just called ping and it's on the WAN page.

Yes it was on the WAN page, "Respond to internet ping" so have unchecked that box and it passed the common ports test, now doing an all ports test. UPnP has also been blocked so that should make my system safer.

Thanks for everyone's help.

Author:  MrStevenRogers [ Wed Jan 30, 2013 9:57 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

had UPnP disabled on any router or system that i have used (if it was enabled)
after the heads up from Mr Gibson years ago
this man most certainly knows security ...

Author:  Amnesia10 [ Wed Jan 30, 2013 11:24 pm ]
Post subject:  Re: Homeland Security: Disable UPnP, as tens of millions at risk

MrStevenRogers wrote:
had UPnP disabled on any router or system that i have used (if it was enabled)
after the heads up from Mr Gibson years ago
this man most certainly knows security ...

Yes I have used the Shields Up test page for many years. Some people have a problem with Gibson but I cannot remember why.

All times are UTC