US Government: disable Universal Plug and Play on routers due to hacker threat

If you have a router for your home PC or at work and you are using its Universal Plug and Play (UPnP) feature, the US Government wants you to disable it ASAP. The US Department of Homeland Security issued a statement today urging individuals and businesses to disable these features on router units due to the threat of hacker attacks.

Reuters reports that the statement followed a report from the security firm Rapid7, which claimed that there are three issues with the UPnP standard that could be used by hackers for attacks that range from taking files from PCs, to taking full control of them and using them to access devices such as webcams, printers and more. The report claims that between 40 million and 50 million units that use the UPnP standard are open to these issues.

Companies that sell such routers, such as Belkin, D-Link and others, will have to issue security patches to fix the holes that were discovered by Rapid7. So far, there's no word on when these patches will be issued. However, Rapid7 points out on their website that a number of older routers still in use are likely never to be updated. In those cases, the only real alternative is to simply buy a new router that is not affected by this UPnP issue.

Source: Reuters

45 Comments


abecedarian paradoxious said,
And the "ScanNow" tool for Windows, which they recommend you use to scan for the issues, requires registration to use. Sorry but no. That is Phishing.

What I thought too

freak180 said,
Ironic how you could of ignored my so called childish comment.

That is not irony, and grammar is not about phonetics. Come back when you learn the difference between 'of' and the contracted form of 'have'.

Forgive me for the déjà vu, but don't I recall this exact same warning a few years ago from the US Government?

I've always disabled UPnP fortunately.

warwagon said,
Well.... no ****! People have been saying that for YEARS!

Sure, but now that the government is saying it, it isn't true anymore.

Don't you understand how the internet circlejerk works?

I was going to say the same thing, UPnP has been a known weakness for so many years it should already be disabled really.

As far as I was aware, with UPnP, you need access to the network first. And any company allowing such access to the network is a security risk, no matter if UPnP is enabled or not.

No problem for me as my openwrt build never includes UPnP. For openwrt users, unless you have specifically installed it (miniupnp I think), you're safe since the default setting excludes the UPnP feature due to security reasons.

Article said,
attacks that range from taking files from PCs, to taking full control of them and using them to access devices such as webcams, printers and more.

That's because you leave such services' ports open.

People need to return to the deprecated non-routable NETBEUI protocols, and disable the easily routable "NETBIOS over TCP/IP".

Even though I disabled UPnP on my router, I thought I'd go and try the detection tool that Rapid7 developed to scan for the vulnerability...

Imagine my surprise when I discovered the tool won't run unless you have Java 1.6.0 or better installed!!! I guess they didn't get the memo about how utterly riddled with security holes that Java is! I would not trust a "security" company using one of the least secure and most widely used in attacks programming language in the world!

-=MagMan=- said,
Even though I disabled UPnP on my router, I thought I'd go and try the detection tool that Rapid7 developed to scan for the vulnerability...

Imagine my surprise when I discovered the tool won't run unless you have Java 1.6.0 or better installed!!! I guess they didn't get the memo about how utterly riddled with security holes that Java is! I would not trust a "security" company using one of the least secure and most widely used in attacks programming language in the world!

The security issues for Java are in the JRE not the language itself... Removing Java from your web browser should garner you the same relative attack surface as removing it
