Three and a half weeks later and Heartbleed persists.
You may have thought the Heartbleed bug was behind us. Many companies were proactive about putting fixes in place. But new reports suggest that the risk of Heartbleed extends beyond computers, laptops, and tablets. The Internet of Things is awash in devices vulnerable to the Heartbleed bug. It may be some time before a security patch is created to address the myriad devices that could be prone to an attack.
Wired reports that devices still vulnerable to a Heartbleed attack are numerous. Among the devices that could still be attacked are My Cloud storage devices, routers, printers, storage servers, firewalls and video cameras. The same report notes that the maker of a room thermostat also admitted that its devices were running a vulnerable version of OpenSSL.
And there could still be tens of thousands of devices in the Internet of Things that are vulnerable to a Heartbleed attack. An attacker can use the flaw to read chunks of a vulnerable device's memory, which may hold credentials, session data or the device's private key, and a compromised device can then be used as a foothold against the computers that talk to it. The good news is that University of Michigan researchers told Wired recently that many of these devices either run a version of OpenSSL that is not affected or do not accept heartbeat messages at all.
University of Michigan Ph.D. student Zakir Durumeric told Wired:
“This vulnerability is only present if your device is accepting Heartbeat messages. And what we’ve found is that many devices on the Internet do not accept heartbeat messages.”
Still, that doesn't exclude all devices. For example, HP announced shortly after Heartbleed was disclosed that some of its products were being investigated for the vulnerability as well. The company said in a statement posted to the HP website that some of its devices use OpenSSL software, which could make them vulnerable to a Heartbleed attack.
HP is telling its customers to sign up for security alerts from the company until it fully investigates risks to its products:
“With regard to addressing the potential impact of the recently identified “Heartbleed” OpenSSL vulnerability, HP is closely examining our systems and sites for the vulnerability and performing remediation as needed to ensure this vulnerability is not exploited.”
When news of the Heartbleed bug first came out three or four weeks ago, site owners were advised to update OpenSSL and then reissue their SSL certificates. The flaw was not in the certificates themselves but in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f: a missing bounds check let a client read up to 64 KB of the server's memory per heartbeat request, which could expose the private key behind a certificate. That is why certificates had to be replaced once a server was patched, particularly on sites that handle financial transactions. It now appears other devices that individuals and small businesses may interact with regularly are vulnerable too.
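The missing bounds check behind Heartbleed, as an added example that is not the page's or OpenSSL's own code: a simplified model of the vulnerable heartbeat handler next to the checked version that OpenSSL 1.0.1g introduced, run against a constructed record that claims more payload than it carries. The function names (`heartbeat_vulnerable`, `heartbeat_fixed`, `leaks_secret`), the scratch memory layout and the SECRET string are assumptions made for illustration; the real OpenSSL code works on its own record structure and fills the padding with random bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's own code: a simplified model of the TLS
 * heartbeat handling in OpenSSL 1.0.1 through 1.0.1f (Heartbleed,
 * CVE-2014-0160) beside the bounds check that 1.0.1g added.  Function
 * names, the scratch "arena" and the SECRET string are constructed for
 * illustration. */

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* minimum padding required by RFC 6520 */
#define ARENA_SIZE       256

/* Shared response builder: copies `payload` bytes starting at `pl`.
 * It trusts its caller to have validated `payload`. */
static int build_response(uint16_t payload, const uint8_t *pl,
                          uint8_t *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                   /* scratch-buffer limit, not a security check */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, pl, payload);    /* copies `payload` bytes however long the record was */
    memset(out + 3 + payload, 0, HB_PADDING); /* OpenSSL used random padding */
    return (int)resp_len;
}

/* Vulnerable logic (1.0.1 to 1.0.1f): the 16-bit length field inside the
 * request is trusted and never compared with rec_len, the length of the
 * record actually received. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                   /* never consulted: this is the bug */
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);  /* n2s(p, payload) */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return build_response(payload, rec + 3, out, out_cap);
}

/* Fixed logic (1.0.1g): discard the record unless type, length, the
 * claimed payload and the minimum padding all fit inside it. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                    /* silently discard */
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                    /* the added check: payload must fit in the record */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    return build_response(payload, rec + 3, out, out_cap);
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: a 7-byte heartbeat record that claims a 64-byte
 * payload, with a made-up secret placed right after it to stand in for
 * whatever happened to sit next to the record in process memory.
 * Returns 1 if the handler's response contains the secret. */
static const char SECRET[] = "session=abc123; admin-password=hunter2";

static int leaks_secret(int (*handler)(const uint8_t *, size_t,
                                       uint8_t *, size_t))
{
    uint8_t arena[ARENA_SIZE] = {0};
    uint8_t out[ARENA_SIZE];
    uint8_t *rec = arena;
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = 0;
    rec[2] = 64;                     /* claims 64 bytes ... */
    memcpy(rec + 3, "ping", 4);      /* ... but only 4 bytes follow */
    size_t rec_len = 1 + 2 + 4;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);

    int n = handler(rec, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* A well-formed 4-byte request (with its 16 bytes of padding) is still
 * answered by the fixed handler; returns the response length. */
static int well_formed_response_len(void)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = {TLS1_HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return heartbeat_fixed(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n",
           leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n",
           leaks_secret(heartbeat_fixed) ? "yes" : "no");
    printf("fixed handler, well-formed request: %d bytes\n",
           well_formed_response_len());
    return 0;
}
```

Compile with any C99 compiler and run. The vulnerable handler echoes the bytes that follow the record back to the requester, the fixed handler drops the record, and a correctly sized request still gets its normal 23-byte answer. The whole fix is the single comparison of the claimed payload length against the length of the record that actually arrived; a device whose firmware lacks that comparison stays exposed until it is patched or taken off the network.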
Every device which uses OpenSSL from version 1.0.1 to 1.0.1f is vulnerable. The problem is that numerous embedded systems cannot be updated because they have no update mechanism implemented. Thus you have to exchange the complete device or disconnect it from the network in order to be on the secure side.
If Bit.ly can get hacked and my passwords are vulnerable, it doesn’t surprise me one bit that all these connected devices are vulnerable.
Had to change my Bitly password the other day after reading about it on Small Biz Trends. I’m just gonna assume from now on that everything’s vulnerable or potentially so. It’s easier that way – takes away the element of fear/surprise.
I think the lesson we're being taught here is: if you value your sensitive information (and who doesn't), you can either be hyper-vigilant against an attack, or do as much as possible to reduce the means by which you can be hacked.
I’d rather go with the second option: do what I can to minimise the risk, and then get on with the business of living.