Massive security hole lets hackers control millions of cameras, printers and routers

By Stephen C. Webster
Wednesday, January 30, 2013 15:35 EDT
A man hacks into a computer. Photo: Shutterstock.com.

A newly discovered exploit in a technology standard known as “universal plug and play” (UPnP) is big enough that hackers on the Internet could remotely access and control “millions” of compatible devices like cameras, printers and routers, security researchers said Tuesday.

Researchers working for the security firm Rapid7 said they found bugs in the UPnP standard that expose personal devices to being remotely accessed and controlled. That means an enterprising hacker could, say, exploit the bug to print unwanted messages on a personal printer, or turn on a webcam unbeknownst to the owner.

A hole this large has likely already been exploited on a selective, individual basis, researchers warned, noting that something like 40 to 50 million network devices make use of UPnP.

Rapid7's announcement was confirmed Tuesday night by the United States Computer Emergency Readiness Team (US-CERT), which warned that “hundreds of vendors” that supply network-enabled hardware rely upon UPnP, including major firms like Cisco’s Linksys, D-Link, Belkin and Netgear. The agency recommended those manufacturers begin immediately updating their software to close the vulnerability — a process which could take months.

“We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted,” a Cisco spokesperson told Forbes.

Rapid7 has also released a network scanning tool that should identify devices that are running UPnP and direct users to instructions to disable it. “Given the high level of exposure and potential impact of a successful attack, Rapid7 strongly recommends that UPnP be disabled” on any hardware currently running it, they advised.


Stephen C. Webster is the senior editor of Raw Story, and is based out of Austin, Texas. He previously worked as the associate editor of The Lone Star Iconoclast in Crawford, Texas, where he covered state politics and the peace movement’s resurgence at the start of the Iraq war. Webster has also contributed to publications such as True/Slant, Austin Monthly, The Dallas Business Journal, The Dallas Morning News, Fort Worth Weekly, The News Connection and others. Follow him on Twitter at @StephenCWebster.