Heartbleed: routers and phones also at risk, says security expert
Manufacturers must patch routers, video conferencing software and desktop phones, as scale of software vulnerability continues to grow
by Alex Hern
April 14, 2014
Heartbleed, the software vulnerability in hundreds of thousands of web servers which laid their contents open to attackers, also affects consumer devices, security experts have warned.
Devices including smartphones, routers and cable boxes are all potentially affected, posing the risk of anything from data theft to attackers seizing control of the vulnerable device.
“Network-connected devices often run a basic web server to let an administrator access online control panels,” says Philip Lieberman, president of security firm Lieberman Software. “In many cases, these servers are secured using OpenSSL and their software will need updating.
“However, this is unlikely to be a priority. The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.”
Some manufacturers have confirmed that their devices are not affected. Belkin says that its routers, as well as those of its Linksys subsidiary, are safe: one range does use OpenSSL, the software which contains the Heartbleed vulnerability, but uses a version which predates the flaw.
But others are not so lucky. Networking giant Cisco has confirmed that a number of its products are vulnerable, including desktop phones, video conferencing hardware and VPN software. It is investigating a further 83 products for potential vulnerabilities.
Neither Netgear nor BT returned requests for comment, and neither has spoken publicly about whether or not its devices are vulnerable.
For affected devices, operators are slowly releasing patches, which must be downloaded and installed. But many users will not apply the updates, warns Lieberman.
“The list of compromised devices is huge,” he says. “Most of the devices are not going to be patched because their users do not know how to do it since they bought a router or firewall, not OpenSSL (as far as they are concerned).
“Many of the devices are from manufacturers that are no longer supporting the previously shipped devices as a matter of policy and business model,” he adds. “What do you expect in the way of support when you buy a device or embedded system for less than $100 and the company is making $10.00?”
As with affected websites, users should not change passwords until they are sure the vulnerability has been fixed. The best way to be certain is to wait for the affected company to specifically say it is time to change passwords: examples of companies who have done so include Tumblr, Flickr, IFTTT and Dogecoin service DogeAPI.
SSL keys stolen
One potential avenue of hope was blocked off on Friday, when online services company CloudFlare confirmed that four people had successfully stolen SSL certificates from an affected server.
SSL is the basis of security online, and is the protocol that leads to browsers displaying a padlock icon to show that a given website is secure. One of the attacks that the Heartbleed vulnerability allows is theft of the private key for SSL, allowing an attacker to decrypt intercepted messages or impersonate the site.
Cloudflare had previously written that “we have reason to believe… that it may in fact be impossible” to steal the keys from their servers, in contrast to claims made by the researchers who uncovered the flaw. But the company issued a challenge to the outside world to prove them wrong, and four separate researchers managed to steal the information over the next 48 hours.
The result of the challenge underscores that it’s not enough for a site vulnerable to Heartbleed to fix the server: it also needs to treat the SSL key as stolen, and issue a new one. Cloudflare described the possibility of a stolen key as “the disaster scenario, requiring virtually every service to reissue and revoke its SSL certificates. Note that simply reissuing certificates is not enough, you must revoke them as well.”
Since the news of Heartbleed broke on April 6, more than 10,000 sites have revoked and re-issued their certificates, giving some idea of the scale of the problem.
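The two decisions the article describes for device owners, whether a device still needs a patch, and whether a certificate issued on it must be reissued and revoked because its key sat in memory while the device was exploitable, can be written down as a small triage script. The following is an added example and not code from the article, Cloudflare or any vendor named above. The device inventory is constructed, the field names (shipped_version, patched_on, cert_not_before) are assumed, and the table of affected OpenSSL versions (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) comes from the OpenSSL security advisory of April 2014, not from the article.

```python
"""Heartbleed triage for an inventory of network devices (constructed example).

For each device we record the OpenSSL version its embedded web server shipped
with, the date fixed firmware was installed (None if never), and the notBefore
date of the TLS certificate it currently serves. The output is one of the
actions below, following the reasoning in the article: patch first, then treat
any key that was in use while the device was vulnerable as stolen.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

# Affected versions per the OpenSSL advisory (known fact, not from the article):
# 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed it, 1.0.0/0.9.8 never had it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")

ACTION_NONE = "no action: never ran an affected OpenSSL build"
ACTION_PATCH_THEN_REISSUE = "patch firmware, then reissue and revoke certificate"
ACTION_REISSUE = "reissue and revoke certificate: key was exposed before patching"
ACTION_OK = "ok: patched and certificate issued after the patch"


def is_heartbleed_vulnerable(version: str) -> bool:
    """True if an OpenSSL version string falls in the affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        # 1.0.1 (no letter, including its betas) up to 1.0.1f; 1.0.1g+ are fixed
        return letter <= "f"
    if base == (1, 0, 2):
        return beta == "1"          # only 1.0.2-beta1 carried the bug
    return False


@dataclass
class Device:
    name: str
    shipped_version: str            # OpenSSL version the firmware shipped with
    cert_not_before: date           # issue date of the certificate served now
    patched_on: Optional[date]      # date fixed firmware was installed, or None


def triage(device: Device) -> str:
    if not is_heartbleed_vulnerable(device.shipped_version):
        return ACTION_NONE
    if device.patched_on is None:
        # Rotating the key while still vulnerable would leak the new key too.
        return ACTION_PATCH_THEN_REISSUE
    # A certificate issued before the patch used a key that was readable
    # while the device was exploitable: treat it as stolen.
    if device.cert_not_before < device.patched_on:
        return ACTION_REISSUE
    return ACTION_OK


def triage_inventory(devices: Iterable[Device]) -> Dict[str, str]:
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory; names and dates are made up for illustration.
SAMPLE_INVENTORY = [
    Device("edge-router", "1.0.1e", date(2013, 11, 2), date(2014, 4, 9)),
    Device("vpn-gateway", "1.0.1e", date(2014, 4, 11), date(2014, 4, 10)),
    Device("branch-phone", "1.0.1c", date(2013, 6, 1), None),
    Device("legacy-ap", "0.9.8y", date(2012, 1, 15), None),
]

if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:14} {action}")
```

The version check is deliberately conservative: an unparseable version string raises rather than being silently treated as safe, which is the right default when the banner comes from a device whose vendor may never have published a fix.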