By | Shaun Nichols 15th September 2015 19:05

Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack

IoT crawler reveals map of at-risk devices and computers

More than a year after its introduction, the notorious Heartbleed security flaw remains a threat to more than 200,000 internet-connected devices.

This is according to Shodan, a search tool that (among other things) seeks out internet-of-things (IoT) connected devices. Founder John Matherly posted a map the company built showing where many of the world's remaining vulnerable devices are located.

Heartbleed caused a minor panic when it was first uncovered in 2014. The flaw allowed an attacker to exploit weaknesses in the OpenSSL software library to extract passwords and other sensitive information from a targeted device.

The issue was traced back to a missing bounds check that allowed people to repeatedly request 64KB chunks of data from a server's memory, revealing private stuff like crypto-keys and passphrases.
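The missing bounds check described above, as an added illustration that is not the article's or OpenSSL's own code: a toy record handler whose peer-supplied length field is trusted once, as the flawed code did, and checked once against the bytes actually received. The record layout, the function names and the embedded "secret" are all constructed for the demo; the secret sits in the same array as the payload so the over-read stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_MAX 64  /* size of the response buffer in this toy */

/* Hypothetical record: a length field chosen by the peer, a pointer to the
 * bytes that really arrived, and how many of them there were. */
struct record {
    uint16_t claimed_len;    /* length the sender says its payload has */
    const uint8_t *payload;  /* start of the received payload */
    size_t actual_len;       /* bytes that were actually received */
};

/* Vulnerable handler: copies claimed_len bytes from the payload without
 * asking whether that many bytes were received, so a claim larger than the
 * real payload echoes whatever happens to follow it in memory. */
size_t echo_vulnerable(const struct record *r, uint8_t *out, size_t out_cap)
{
    size_t n = r->claimed_len;
    if (n > out_cap)
        n = out_cap;                /* only the destination is bounded */
    memcpy(out, r->payload, n);     /* may read past the received bytes */
    return n;
}

/* Fixed handler: the claim is checked against what actually arrived and the
 * record is dropped when it does not fit. */
size_t echo_fixed(const struct record *r, uint8_t *out, size_t out_cap)
{
    size_t n = r->claimed_len;
    if (n > r->actual_len)
        return 0;                   /* claimed more than was sent: discard */
    if (n > out_cap)
        return 0;
    memcpy(out, r->payload, n);
    return n;
}

/* Constructed arena: a 4-byte payload "ping" followed by 19 bytes standing
 * in for data the peer must never see. Keeping both in one array keeps the
 * vulnerable over-read inside the object for this demonstration. */
static const uint8_t arena[] = "ping" "SECRET-KEY-MATERIAL";
#define REAL_PAYLOAD 4
#define BOGUS_CLAIM 23   /* REAL_PAYLOAD plus the 19 secret bytes */

/* Bytes beyond the real payload that the vulnerable handler echoed back. */
size_t demo_leaked_bytes(void)
{
    uint8_t out[REC_MAX];
    struct record r = { BOGUS_CLAIM, arena, REAL_PAYLOAD };
    size_t n = echo_vulnerable(&r, out, sizeof out);
    return n > REAL_PAYLOAD ? n - REAL_PAYLOAD : 0;
}

/* Same over-long claim against the fixed handler: nothing is echoed. */
size_t demo_fixed_rejects(void)
{
    uint8_t out[REC_MAX];
    struct record r = { BOGUS_CLAIM, arena, REAL_PAYLOAD };
    return echo_fixed(&r, out, sizeof out);
}

/* An honest record still works through the fixed handler. */
size_t demo_fixed_honest(void)
{
    uint8_t out[REC_MAX];
    struct record r = { REAL_PAYLOAD, arena, REAL_PAYLOAD };
    return echo_fixed(&r, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked %zu bytes past the payload\n",
           demo_leaked_bytes());
    printf("fixed handler echoed %zu bytes for the bogus claim, %zu for the honest one\n",
           demo_fixed_rejects(), demo_fixed_honest());
    return 0;
}
```

The defensive point is the one extra comparison in `echo_fixed`: a length supplied by the other end of a connection is data, not a fact, and must be checked against what was actually received before any copy uses it.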

While many netizens scrambled to update their software to address the vulnerability, more than a year later, thousands of devices remain at risk either due to ignorance, or the simple fact that their gadgets cannot be patched easily, if at all.

Of the 200,000-plus vulnerable devices, 57,272 were housed in the United States. Germany was second with 21,060 Heartbleed-prone devices and China had 11,300. France was fourth with 10,094 followed by the UK with 9,125.

"Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems," noted security consultant Graham Cluley.

"My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed."

Matherly noted that the Shodan search tool can be used by administrators to check whether any of their connected devices remain vulnerable to Heartbleed. In addition to updating OpenSSL, it is recommended that administrators change keys and dump session cookies as a further security measure. ®
