Heartburn: 200,000 devices 'still susceptible' to Heartbleed bug

As the patching cycle becomes ever longer, some experts are pushing for mandatory security updating of critical IoT devices.

Heartburn: the lingering after effects of OpenSSL flaw still haunt devices

Despite a year passing, the infamous Heartbleed flaw is still affecting hundreds of thousands of devices, mainly Internet of Things-type systems.

Around 200,000 devices have been discovered by IoT search engine Shodan to harbour the bug. This suggests that the OpenSSL flaw may never be entirely eliminated.

Shodan founder John Matherly posted on Twitter a world map displaying where many of the vulnerable connected devices were. He claims that out of the more than 200,000 devices discovered, there are 57,272 unprotected devices in the US, 21,660 in Germany, 11,300 in China, 10,094 in France and 9,125 in the UK.

The Heartbleed vulnerability was discovered in April last year and, at the time, around 74 percent of Global 2000 organisations had not completed remediation of the bug. Later that year, SCMagazineUK.com reported that more than half of the world's major corporates had servers that were still vulnerable to the flaw.

The search engine that discovered the still-affected devices can reveal technical details of devices connected to the web and drill down into geographic regions. While this could help attackers target vulnerable systems, it can also allow administrators to find their own devices that are still unprotected.

“The Shodan search results also tell you when a device is vulnerable to Heartbleed (as well as other SSL info),” Matherly said in an earlier tweet.

Security expert Graham Cluley said that Shodan could help in finding security threats and help in tracking down devices visible to the internet.

“IT teams can use tools like Shodan to help them check their company's security, testing with various filters to determine if web servers – for instance – are running a particular version of Apache, or if devices which shouldn't be visible to the outside world are revealing their existence online,” he said in a blog post.

“Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems. My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed.”

TK Keanini, CTO at Lancope, told SCMagazineUK.com that “as predicted, the security of IoT is more about hygiene than it is point in time security.

“We need to make it mandatory that these connected devices have an automated way to remain updated. The internet cannot afford a growing population of insecure devices and this is what will happen if we do not take warning.”

Jim Carlsson, CEO of Clavister, told SC that patching is a huge undertaking for organisations, but those efforts can be undermined by the large number of devices that are running old hardware, have slow platforms or limited connectivity, and are incredibly difficult to update.

“In many instances it will require a huge amount of time and resource to even locate the coding error that causes Heartbleed in these legacy devices,” he said. 
