By Shaun Nichols, 15th September 2015 19:05

Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack

IoT crawler reveals map of at-risk devices and computers

More than a year after it was disclosed, the notorious Heartbleed security flaw remains a threat to more than 200,000 internet-connected devices.

This is according to Shodan, a search tool that (among other things) seeks out internet-of-things (IoT) connected devices. Founder John Matherly posted a map the company built showing where many of the world's remaining vulnerable devices lie.

Heartbleed caused a minor panic when it was first uncovered in 2014. The flaw allowed an attacker to exploit weaknesses in the OpenSSL software library to extract passwords and other sensitive information from a targeted device.

The issue was traced back to a missing bounds check in OpenSSL's handling of TLS heartbeat messages: a request could claim a payload length far larger than the data actually sent, and the server would reply with 64KB chunks copied from its own memory. Repeating the request revealed private material such as crypto keys and passphrases.
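To make the missing check concrete, here is an added example (not code from the article, and not OpenSSL's own source) of a minimal heartbeat record handler following the RFC 6520 layout. The record body is `type(1) | payload_length(2) | payload | padding(>=16)`. The hardened `build_heartbeat_response` verifies that the claimed payload plus the minimum padding fits inside the bytes actually received and drops the record otherwise, which is the same condition the OpenSSL fix added; `unchecked_copy_overrun` only computes how far past the received record the unchecked copy would have read, a figure useful for understanding why the leak was bounded at 64KB. The sample records and function names are constructed for this example.

```c
/*
 * Added example: heartbeat record handling with and without the length check.
 * Layout of a heartbeat record body (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload(payload_length) | padding(>=16)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Hardened handler: copies a heartbeat_response into out and returns its length,
 * or -1 when the record must be silently discarded (bad type, truncated header,
 * or a payload_length that does not fit inside the record we actually received). */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The check whose absence was Heartbleed: header + claimed payload + padding
     * must not exceed the bytes the peer really sent. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);            /* only bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);  /* real TLS uses random padding */
    return (int)resp_len;
}

/* Analysis helper: how many bytes beyond the received record an unchecked
 * memcpy of payload_length bytes would have read. 0 means no over-read. */
size_t unchecked_copy_overrun(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - 3;
    return payload_len > available ? payload_len - available : 0;
}

/* Constructed well-formed request: 4-byte payload "ping" plus 16 bytes padding. */
int demo_benign_request(void)
{
    uint8_t rec[3 + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

/* Constructed malformed request: claims a 65535-byte payload but carries 1 byte. */
int demo_malformed_request(void)
{
    uint8_t rec[3 + 1 + HB_MIN_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'A' };
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

size_t demo_malformed_overrun(void)
{
    uint8_t rec[3 + 1 + HB_MIN_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'A' };
    return unchecked_copy_overrun(rec, sizeof rec);
}

int main(void)
{
    printf("benign request   -> response length %d\n", demo_benign_request());
    printf("malformed request-> %d (dropped)\n", demo_malformed_request());
    printf("unchecked copy would over-read %zu bytes\n", demo_malformed_overrun());
    return 0;
}
```

The same comparison of claimed versus actual length is what network intrusion detection rules for Heartbleed key on: a heartbeat request whose 16-bit length field exceeds the enclosing TLS record is malformed by definition and can be flagged before any reply is considered.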

While many netizens scrambled to update their software to address the vulnerability, more than a year later thousands of devices remain at risk, either because their owners are unaware or because the gadgets cannot be patched easily, if at all.

Of the 200,000-plus vulnerable devices, 57,272 were housed in the United States. Germany was second with 21,060 Heartbleed-prone devices and China had 11,300. France was fourth with 10,094 followed by the UK with 9,125.

"Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems," noted security consultant Graham Cluley.

"My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed."

Matherly noted that his Shodan search tool can be used by administrators to check whether any of their connected devices remain vulnerable to Heartbleed. In addition to updating OpenSSL, administrators are advised to replace their private keys and certificates and invalidate existing session cookies as a further security measure, since anything in memory while the flaw was live may have been exposed. ®
