The Heartbleed vulnerability in OpenSSL could affect networking hardware, routers and embedded systems, experts have warned - and these will be much harder to clean up than web services.
The Heartbleed flaw leaks a small slice of data from a system's memory, potentially exposing passwords, encryption keys and other data. This has obvious implications for web services, but OpenSSL is also used in hardware and devices. Cisco has warned that 13 of its products, including IP phones, switches and servers, use the affected version, while networking firm Juniper warned of multiple issues. Both firms are set to issue updates.
Mark Schloesser, a researcher at security firm Rapid7, says it's not clear how widespread the problem might be, but believes it's safe to assume that "quite a few embedded devices use vulnerable library versions".
He added however that most embedded devices won't be reachable from the public internet, so Heartbleed should only become a problem if they're misconfigured.
"My advice would be to double check if routers and other gear is correctly configured to not expose management interfaces etc. to the internet," he added. "Updates should be applied in all cases, regardless of Heartbleed."
Unfortunately, the reality is that such devices typically aren't updated often, or at all. "We would not expect anyone to update their devices just because of Heartbleed, as in a lot of cases there are other flaws already present that might be even more problematic," he said.
That means the flaw could stick around for a long time. According to Jeff Forristal, CTO of Bluebox Security, "OpenSSL is extremely pervasive on all manners of devices, systems and servers; it is going to take the ecosystem significant time to get everything updated, and we will be looking at a 'long tail' situation that could easily extend into years."
David Emm of Kaspersky Labs added that if a consumer's modem or other device is affected, there's little they can do but wait for a patch. "People are in a similar position with devices as they are with online providers: there's not much they can do themselves to fix it."
Android
Google has confirmed that Android 4.1.1 is also affected by Heartbleed. It's not clear how many users this represents, but Android 4.1 runs on 34% of Android devices, so the exposure could be significant. A patch is being rolled out, but even after this is done, customised Android environments and third-party apps could still be vulnerable.
"We’ve only seen one affected version of the Android OS based on the Android open source project source code," said Andrew Blaich, Android team lead of Bluebox Security. "However, this does not preclude manufacturers from changing how OpenSSL is configured in their custom builds, since Android is open source,"
"While there is the Android System library that a user needs to be concerned with, they also need to know that application developers can ship their own version of OpenSSL as an additional library. But the fix for the application developers is far easier, as they only need to change the version of the library they use and publish an update of their app," he added. "So while you may have a device that is using a safe version of OpenSSL, one of your apps may not be so safe."
Security researchers at Bluebox Labs have published a tool on the Google Play Store that scans your device and applications to look for Heartbleed vulnerabilities.
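As an added illustration of the point about apps shipping their own copy of OpenSSL (this is not code from Bluebox's tool or from the article), the sketch below inspects the native libraries inside an APK for OpenSSL version banners and flags releases 1.0.1 through 1.0.1f, the range affected by Heartbleed. The sample APK, its file names and the function names are constructed for the example.

```python
import io
import re
import zipfile

# OpenSSL builds embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*) ")

def heartbleed_affected(version, letter):
    """True for 1.0.1 through 1.0.1f; 1.0.1g carries the fix."""
    return version == "1.0.1" and letter in {"", "a", "b", "c", "d", "e", "f"}

def scan_apk(apk_bytes):
    """Return sorted (member, version, in_affected_range) for bundled .so files.

    A banner match only says which OpenSSL release was compiled in. A custom
    build may have the heartbeat extension disabled, so treat a hit as a
    candidate for review and update, not as proof of exposure.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Native code in an APK lives under lib/<abi>/*.so
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            for ver, letter in set(BANNER.findall(apk.read(name))):
                v, l = ver.decode(), letter.decode()
                findings.append((name, v + l, heartbleed_affected(v, l)))
    return sorted(findings)

def build_sample_apk():
    """Constructed sample input: a fake APK holding two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi/libssl_old.so",
                   b"\x7fELF\x00pad OpenSSL 1.0.1e 11 Feb 2013\x00")
        z.writestr("lib/armeabi/libssl_new.so",
                   b"\x7fELF\x00pad OpenSSL 1.0.1g 7 Apr 2014\x00")
        # Not a native library, so the scanner skips it.
        z.writestr("classes.dex", b"dex\n035\x00 OpenSSL 1.0.1c ignored ")
    return buf.getvalue()

if __name__ == "__main__":
    for member, version, affected in scan_apk(build_sample_apk()):
        verdict = "in affected range" if affected else "not in affected range"
        print(f"{member}: OpenSSL {version} -> {verdict}")
```

The same banner check applies to firmware images and other packaged software, where a bundled library can lag behind the version the platform itself ships.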
What next?
Heartbleed has exposed the "sandy" foundation the internet is built on - and that's a problem, as we connect more devices and create an Internet of Things, said one researcher.
Geoff Webb, senior director for solution strategy for NetIQ, warned that more needs to be done to secure the web before we extend it. "We keep discovering that stuff we believe was safe is not, and yet we continue to barrel down the road of building yet more and exchanging even more information," he said. "At some point we have to take stock of what actually is secure and private and safe."
Most major web firms have rolled out patches for Heartbleed already, but that's harder to do for devices. "Those servers are sitting in a data centre, and they can get to them quickly," he said. "What if a vulnerability was discovered in the device that controls all the interaction of the consumer electronics in your house, or in a smart car, or in the electrical grid?"
Webb argues that companies need to admit that embedded, connected devices can't be perfectly secure, and must come up with a way to deal with problems when they inevitably crop up.
"How do you respond when this happens again? Because if history teaches us anything, it's going to happen again," he said. "When we build that stuff, how are we going to build it in such a way that you can turn around and update it quickly? That's the question that we as consumers we should be asking of the people building smart fridges, and smart TVs, and medical devices."