A newly discovered vulnerability in a technology standard known as “universal plug and play” (UPnP) is big enough that hackers on the Internet could remotely access and control “millions” of compatible devices like cameras, printers and routers, security researchers said Tuesday.
Researchers working for the security firm Rapid7 said they found bugs in the UPnP standard that expose personal devices to remote access and control. That means an enterprising hacker could, say, exploit the bug to print unwanted messages on a personal printer, or turn on a webcam unbeknownst to the owner.
A hole this large has likely already been exploited on a selective, individual basis, researchers warned, noting that something like 40 to 50 million network devices make use of UPnP.
Rapid7’s announcement was confirmed Tuesday night by the United States Computer Emergency Readiness Team (US-CERT), which warned that “hundreds of vendors” that supply network-enabled hardware rely upon UPnP, including major firms like Cisco’s Linksys, D-Link, Belkin and Netgear. The agency recommended those manufacturers begin immediately updating their software to close the vulnerability — a process which could take months.
“We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted,” a Cisco spokesperson told Forbes.
Rapid7 has also released a network scanning tool that should identify devices that are running UPnP and direct users to instructions to disable it. “Given the high level of exposure and potential impact of a successful attack, Rapid7 strongly recommends that UPnP be disabled” on any hardware currently running it, the firm advised.