The U.S. government has released a security advisory about critical flaws in Universal Plug and Play (UPnP), a networking protocol used by tens of millions of routers, computer printers, storage drives, smart TVs and other devices commonly found in homes and offices.
The flaws could let outside attackers invade your home or business network and cause havoc. Dozens of device manufacturers, including Cisco/Linksys, Netgear, Sony, Siemens and Belkin, have been notified, but few, if any, have rolled out patches yet.
US-CERT, the United States Computer Emergency Readiness Team, advises all users to manually disable UPnP in their devices' administrative settings. Users will have to refer to their owners' manuals or to manufacturers' websites to learn how.
For enterprises with skilled IT personnel, a patch to the UPnP protocol that fixes the flaws is available here.
The flaws were publicly disclosed yesterday (Jan. 29) by Rapid7, a Boston-based network-security-testing company. In a research paper, Rapid7 said it found 40 million to 50 million vulnerable devices that were accessible from the Internet.
Rapid7 expects that most of the vulnerable printers, routers and other devices that are still in production will eventually receive updates.
But, warned Rapid7 Chief Security Officer HD Moore, that will leave tens of millions of older devices out in the cold.
"In most cases, network equipment that is 'no longer shipping' will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new," Moore said in a company blog posting.
Rapid7 has released a tool for Windows users to scan their networks for vulnerabilities.
UPnP was designed to let network-accessible devices easily connect to computers and to each other, but it was not intended to be used outside a closed, firewalled network.
