Security experts are advising that a networking feature known as Universal Plug and Play be disabled on routers, printers, and cameras, after finding it makes tens of millions of Internet-connected devices vulnerable to serious attack.

UPnP, as the feature is often abbreviated, is designed to make it easy for computers to connect to Internet gear by providing code that helps devices automatically discover each other over a local network. That often eliminates the hassle of figuring out how to configure devices the first time they're connected. But UPnP can also make life easier for attackers half a world away who want to compromise a home computer or breach a business network, according to a white paper published Tuesday by researchers from security firm Rapid7.

Over a five-and-a-half-month period last year, the researchers scanned every routable IPv4 address about once a week. They identified 81 million unique addresses that responded to standard UPnP discovery requests, even though the standard isn't supposed to communicate with devices outside a local network. Further scans revealed that 17 million of those addresses exposed UPnP services built on the open standard known as SOAP, short for Simple Object Access Protocol. By broadcasting the service to the Internet at large, the devices can make it possible for attackers to bypass firewall protections.
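The discovery replies mentioned above are small HTTP-style messages sent over UDP port 1900 in answer to an SSDP M-SEARCH request. The following is an added example, not Rapid7's scanner or code from the white paper: it parses already-captured replies and flags any that came from an address outside the usual local ranges, which is exactly the condition that should never occur. The sample replies, addresses and SERVER strings are constructed for illustration.

```python
import ipaddress

# Constructed sample SSDP replies (not real captures), each paired with the
# address the reply arrived from. 203.0.113.7 is a documentation address used
# here to stand in for a public source.
SAMPLE_RESPONSES = [
    ("192.168.1.1",
     "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
     "USN: uuid:EXAMPLE-UUID::upnp:rootdevice\r\n"
     "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
     "SERVER: Example/1.0 UPnP/1.0 ExampleSDK/1.0\r\n\r\n"),
    ("203.0.113.7",
     "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
     "LOCATION: http://203.0.113.7:49152/gatedesc.xml\r\n"
     "SERVER: ExampleRouter UPnP/1.0\r\n\r\n"),
]

# Address ranges a UPnP reply is expected to come from: RFC 1918, link-local
# and loopback. Anything else means the device answered a discovery request
# that reached it from outside its local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "169.254.0.0/16", "127.0.0.0/8")]

def parse_ssdp_response(raw):
    """Parse the header block of an SSDP reply into a dict keyed by
    upper-cased header name. Returns None unless the status line is 200."""
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        if ":" not in line:   # tolerate malformed header lines
            continue
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def audit(responses):
    """Return (source, SERVER, LOCATION, exposed) per valid reply; exposed is
    True when the reply came from a non-local address."""
    findings = []
    for src, raw in responses:
        hdr = parse_ssdp_response(raw)
        if hdr is None:
            continue
        findings.append((src, hdr.get("SERVER", "?"),
                         hdr.get("LOCATION", "?"), not is_local(src)))
    return findings
```

An exposed finding means the device should have UPnP disabled or be replaced, as the white paper recommends; the SERVER string identifies the UPnP stack, which is what a vendor fix would be matched against.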

"Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future," the Rapid7 white paper warned. "For this reason, Rapid7 strongly recommends disabling UPnP on all Internet-facing systems and replacing systems that do not provide the ability to disable this protocol."

In all, Rapid7 identified 6,900 products sold by 1,500 separate vendors that contained at least one UPnP vulnerability. Rapid7 CTO HD Moore told Ars that home networks connecting UPnP-enabled devices are generally safe as long as the firewall included in the Internet-facing router is enabled and working properly. The problem is that many routers include vulnerable implementations of UPnP, in which case they provide an easy way for attackers to get around that protection.

"The main message for consumers is make sure your router is locked down," Moore said.

The wider range of devices in business networks and their increased susceptibility to attacks from insiders make enterprises more vulnerable, he added. A few hours after the white paper was released, Moore said, his team discovered a popular device that modified firewalls to allow outside connections to the port it was running on. Rapid7 has released a free scanner for Windows users that identifies vulnerable network devices. Users of non-Windows computers can use the open-source Metasploit software framework to do the same thing.

The Rapid7 white paper came the same day Cisco Systems announced a fix for a vulnerability in a UPnP software development kit.