Heartbleed is far from dead. 200,000+ vulnerable devices on the internet

HeartbleedRemember Heartbleed? Of course you do.

After all, it was the first serious security vulnerability to have a really cool logo.

The Heartbleed vulnerability was uncovered in April 2014, revealing a serious vulnerability in OpenSSL - the cryptographic software library which was supposed to keep information safe and secure, but instead could have helped hackers steal information such as passwords.

After all the hullabaloo about Heartbleed, and the action taken by many IT professionals in the wake of the Heartbleed announcement, you would like to think that almost 18 months later the problem has gone away.

But take a look at this map of Heartbleed-vulnerable devices around the world.

Heartbleed map

The map was tweeted earlier today by John Matherly, the founder of Shodan, a search engine for the internet of things.

Unlike a regular search engine like Google or Yahoo, Shodan doesn't search for words. Instead, it searches for the technical characteristics of devices attached to the net - including devices that traditional search engines are likely to ignore.

The Shodan search engine makes it simple for anyone to search the internet for anything which might be connected - whether it be a web server, a webcam, baby monitors, routers, a traffic lights, home heating systems or a SCADA industrial control system.

And the use of filters can even allow you to hone down your search to specific parts of the world.

Of course, if these internet-connected devices haven't been properly secured (perhaps they have weak default passwords, or contain security holes that can be exploited) then Shodan may have just helped a malicious attacker identify a potential target.

However, as with many things in the world of computer security, there's another side of the coin. IT teams can use tools like Shodan to help them check their company's security, testing with various filters to determine if web servers - for instance - are running a particular version of Apache, or if devices which shouldn't be visible to the outside world are revealing their existence online.

Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems

My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed.

Tags: , , , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Listen now

Subscribe to the free GCHQ newsletter

, , , ,

3 Responses

  1. coyote

    September 15, 2015 at 5:45 pm #

    "My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed."

    Just like Linux boxen running kernel <= 2.4, and just like Windows 9x and other Windows that have long (or recently) past their EOL. Also, using TELNET for remote system login instead of ssh (or encrypted TELNET via a tunnel or specific telopt commands/etc. – the latter of which is rare to say the least). And just like using the r* services that you can use to root (or get shell access which can then lead to root) a box without a password, and the list goes on – ad infinitum.

    It is a scary thing but many administrators simply do not care. I refuse to believe some of these are from ignorance because they are so old that they could not have missed it this long. Even newer products part of the 'IoT' include some of these problems and that is pure negligence. It is madness but it fits in this world quite well, unfortunate as it is.

  2. David L

    September 15, 2015 at 6:03 pm #

    This issue only highlights a larger problem. That being incomplete mitigation efforts. Many people don't patch or upgrade for a multitude of reasons,but the lack of information after the initial blitze of media reports will lead many to believe that all is well again. At least the infosec community has made good progress on getting the information into the mainstream , but sadly, you can not make the people take action. As one friend of mine said, "sometimes,stupid has to pay"!

    • coyote in reply to David L.

      September 15, 2015 at 11:22 pm #

      "but the lack of information after the initial blitze of media reports will lead many to believe that all is well again."

      That is because many assume things much more than they would like to believe. The news is about the exploit itself – not any attacks because of it (although this happens initially you cannot expect it to continue; if it did it would be much harder to keep track of everything including new risks). This is how it goes with everything in this world; things (except perhaps governments and a few other inept things/entities) tend to evolve and progress. This is ideal (living in the past is unhealthy).

Leave a Reply