Every so often, vulnerabilities are found that turn the
information security industry upside down, in both a positive and a negative
sense. The recent OpenSSL vulnerability is no exception. Having surfaced a
short time back, it sent social media into a spin, and websites and toolsets
updated to explain, dissect and help exploit the vulnerability have
popped up everywhere, as have theories that governments may have
been using this vulnerability since as early as 2011.
Heartbleed, so aptly named because it is the Heartbeat
functionality in OpenSSL that “bleeds” sensitive information, has launched
itself into the limelight, raising concerns amongst professionals, business
persons and the general public alike.
One avenue that has not been given much attention
(although it has been mentioned before) is how many “embedded” and/or “appliance” devices
are running the vulnerable version of OpenSSL. These usually have much longer
and more fragmented patch cycles than commercial web servers and operating
systems, especially when firmware is only obtainable from the manufacturer.
We conducted research into an avenue that is not often
mentioned as a risk for the Heartbleed vulnerability – ADSL/DSL users. Using
legitimate and non-intrusive means of identifying hosts with the Heartbleed
vulnerability, we ascertained that there are many such devices, falling into
the following categories:
Network-Attached Storage Devices (multiple brands)
Routers/UTM Devices (multiple brands)
CCTV Camera NVRs (multiple brands)
Small-Business Firewalls (multiple brands)
Voice-Over-IP (VoIP) Devices (multiple brands)
(It was not in the scope of this article to name the manufacturers of these devices.)
The devices above are not merely estimated to be available and
vulnerable – they are online, and they are
vulnerable. This raises much concern around the data that is exposed to
would-be attackers trying to compromise these systems.
Keep in mind that the Heartbleed vulnerability allows one to
obtain pieces of memory from the SSL process that may contain usernames,
passwords and authentication cookies. In our internal lab experiments, we found
such data to be easily obtainable in almost 90% of the tests done.
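
The memory disclosure comes from a heartbeat message whose declared payload length is larger than the record that carries it. The following is an added example, not code from this article or from OpenSSL: it applies the RFC 6520 length check to plaintext records as the TLS endpoint sees them, and all function names and sample records are constructed for illustration.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24   # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding

def classify_heartbeat(record: bytes):
    """Return (verdict, excess) for one plaintext TLS record.

    verdict: 'not-heartbeat', 'malformed', 'ok' or 'length-mismatch'
    excess:  bytes by which the declared message size exceeds the record
    """
    if len(record) < 5:                       # shorter than a record header
        return ("malformed", 0)
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return ("not-heartbeat", 0)
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:   # cut short, or no room for type+length
        return ("malformed", 0)
    _msg_type, payload_len = struct.unpack("!BH", body[:3])
    # type (1) + length (2) + payload + padding must fit inside the record
    needed = 1 + 2 + payload_len + MIN_PADDING
    if needed > rec_len:
        # RFC 6520: such a message must be discarded silently, never echoed
        return ("length-mismatch", needed - rec_len)
    return ("ok", 0)

def build_record(payload: bytes, declared_len: int) -> bytes:
    """Construct a sample heartbeat request record (test data only)."""
    body = struct.pack("!BH", 1, declared_len) + payload + bytes(MIN_PADDING)
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body

# Constructed sample records, not captured traffic.
SAMPLES = {
    "honest": build_record(b"ping", 4),
    "overclaim": build_record(b"ping", 1024),   # declares 1024, carries 4
    "app-data": struct.pack("!BHH", 23, 0x0302, 2) + b"hi",
}

def scan(samples):
    """Classify every sample and return {name: (verdict, excess)}."""
    return {name: classify_heartbeat(rec) for name, rec in samples.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(name, result)
```

Heartbeats sent after the handshake are encrypted on the wire, so a check like this belongs in the endpoint or in a TLS-terminating proxy rather than in a passive network sensor.
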
It’s a disquieting thought, not only that so many devices
with sensitive data (even hard disks!) are exposed to the Internet, but also
that these devices are now
vulnerable – most without even new firmware on their manufacturers’ websites.
Embedded and appliance-like devices may be the answer for
out-of-the-box and affordable solutions for many services, but in the case of
this article one has to ask – Is your internet-connected appliance
bleeding your confidential data?