Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Heartbleed Part III: No Tourniquet for Heartbleed. Now the Flaw Turns Up in Devices (for Example Routers) That Connect to the Internet.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

If you thought you heard all the news there was about risks associated with Heartbleed — uh-uh. There’s more. But only hackers and masochists will be pleased to hear it. (On the very remote chance you haven’t heard about Heartbleed, the flaw found OpenSSL, which helps encrypt information on the Internet, please see our blog Heartbleed Part II.)

Here’s the latest. According to a story by Nicole Perlroth and Quentin Hardy in The New York Times, Heartbleed could cause damage to the guts of the Internet and the wide variety of devices that connect to it. (The following has been edited to fit our format.)

Cisco Systems, the dominant provider of gear to move traffic through the Internet, said its big routers and servers, as well as its online servers …were not affected. If they had been, that would have had a significant impact on virtually every major company that connects to the Internet.

Certain products the company makes were affected, it said — some kinds of phones that connect to the Internet, a kind of server that helps people conduct online meetings, and another kind of device used for office communications. Cisco also posted a list of products it had examined for the vulnerability, which it was updating as it continued inspecting its equipment.

Juniper Networks, also said its main products were not affected. The only problem it found was in a kind of device for creating private communications on the Internet.

“Besides [the] one product, the exposure for our customers is minimal, if any,” said Michael Busselen, vice president of corporate communications at Juniper.

Chuck Mulloy, a spokesman for Intel, said his company had been looking through its products for vulnerabilities for several days and so far had found nothing. He said, however, that the search was not yet done.

Qualcomm, a maker of mobile technology, said it was still checking its products….

For most people, the web — with sites like Facebook and Google — is the most visible part of the Internet. But hardware like home routers and printers is also connected to the Internet, and OpenSSL is built into some of this hardware.

“That’s why this is so nasty,” said [security expert] George Kurtz…. “OpenSSL goes far beyond just websites. It’s implemented in email protocols and all kinds of embedded devices.”

Most of the equipment made by Cisco and Juniper was unaffected because the companies did not use OpenSSL for their encryption.

[Other security] experts say personal home routers often incorporate OpenSSL, which could make them vulnerable. But they note that because many home routers are configured to block outside traffic, the risk of a hacker using the Heartbleed bug to lift data like passwords to online banking and email accounts is low. This is particularly so, they said, when there are still thousands of vulnerable websites where this data could be pulled from much more easily.

Nevertheless, Mr. Kurtz said, users would be wise to check with their home router manufacturers to upgrade their devices if they want to be absolutely secure.

Security researchers say that while hackers have been posting lists of vulnerable websites, there does not appear to have been an increase in black market sales of sensitive data, like passwords.

Security experts say that upgrading and cleaning up those systems, if they are affected, could take years.

“It’s one thing to get all of these servers at Yahoo, Google and everyone else fixed, but it’s a whole other thing to get these embedded devices fixed up,” Mr. Kurtz said. “I don’t see them getting updated any time soon.”

Here’s hoping there’s no need for a Heartbleed, Part IV.

By ThreatMetrix Posted