Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack
IoT crawler reveals map of at-risk devices and computers
More than a year after its introduction, the notorious Heartbleed security flaw remains a threat to more than 200,000 internet-connected devices.
This according to Shodan, a search tool that (among other things) seeks out internet-of-things (IoT) connected devices. Founder John Matherly posted a map the company built showing where many of the world's remaining vulnerable devices lie:
"FYI: there are still more than 200,000 devices on the Internet vulnerable to Heartbleed" pic.twitter.com/fQavZJJmNW - John Matherly (@achillean), September 15, 2015
Heartbleed caused a minor panic when it was first uncovered in 2014. The flaw allowed an attacker to exploit weaknesses in the OpenSSL software library to extract passwords and other sensitive information from a targeted device.
The issue was traced back to a missing bounds check that allowed people to repeatedly request 64KB chunks of data from a server's memory, revealing private stuff like crypto-keys and passphrases.
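The missing bounds check described above, as an added C example (a simplified model constructed here, not OpenSSL's code and not from the original article). The record layout, function names and sample records are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (constructed for this example): 1 type byte, a 2-byte
 * big-endian length the sender CLAIMS, then the payload to echo back. */
#define HDR_LEN 3

/* Constructed sample records: one honest, one claiming far more than it sent. */
static const uint8_t HONEST[] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t LYING[]  = {0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};

static size_t claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];      /* at most 65535, about 64KB */
}

/* Flawed pattern, modelled without performing the bad read: a handler that
 * copies claimed_len() bytes would read this many bytes past the record. */
size_t overread_if_unchecked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HDR_LEN) return 0;
    size_t sent = rec_len - HDR_LEN, claimed = claimed_len(rec);
    return claimed > sent ? claimed - sent : 0;
}

/* Hardened pattern: drop the request unless the claimed length fits inside
 * the bytes actually received and inside the reply buffer. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HDR_LEN) return 0;
    size_t claimed = claimed_len(rec);
    if (claimed > rec_len - HDR_LEN || claimed > cap) return 0;  /* bounds check */
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[16];
    printf("honest: over-read %zu, echoed %zu\n",
           overread_if_unchecked(HONEST, sizeof HONEST),
           echo_checked(HONEST, sizeof HONEST, out, sizeof out));
    printf("lying:  over-read %zu, echoed %zu\n",
           overread_if_unchecked(LYING, sizeof LYING),
           echo_checked(LYING, sizeof LYING, out, sizeof out));
    return 0;
}
```

The over-read figure is the amount of adjacent memory a reply would carry when the length field is trusted; the checked handler discards the same record instead of answering it.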
While many netizens scrambled to update their software to address the vulnerability, more than a year later, thousands of devices remain at risk either due to ignorance, or the simple fact that their gadgets cannot be patched easily, if at all.
Of the 200,000-plus vulnerable devices, 57,272 were housed in the United States. Germany was second with 21,060 Heartbleed-prone devices and China had 11,300. France was fourth with 10,094 followed by the UK with 9,125.
"Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems," noted security consultant Graham Cluley.
"My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed."
Matherly noted that his Shodan search tool can be used by administrators to check whether any of their connected devices remain vulnerable to Heartbleed. In addition to updating OpenSSL, it is recommended that administrators change keys and dump session cookies as a further security measure.