Every so often, vulnerabilities are found which turn the information security industry upside down, both from a positive and negative sense. The recent OpenSSL vulnerability is no exception. Having surfaced a short time back, it sent social media into a spin, websites and toolsets having being updated to explain, dissect and help exploit the vulnerability have popped-up everywhere. As have the theories that governments may have been using this vulnerability since as early as 2011.
Heartbleed, so aptly named because it is the Heartbeat functionality in OpenSSL that “bleeds” sensitive information, has launched itself into the limelight. Raising concerns amongst professionals, business persons and the general public alike.
One avenue that has not however been focused on too greatly (although mentioned before) is how many “embedded” and/or “appliance” devices are running the vulnerable version of OpenSSL? These usually have much longer and more fragmented patch updates than commercial web-servers and operating systems, especially when firmware is only obtainable from the manufacturer.
We conducted research into an avenue that is not often mentioned as a risk for the Heartbleed vulnerability –ADSL/DSL users. Using legitimate and non-intrusive means of identifying hosts with the Heartbleed vulnerability, we ascertained that there are many such devices, falling into the following categories:
Network-Attached Storage Devices (multiple brands)
Routers/UTM Devices (multiple brands)
CCTV Camera NVRs (multiple brands)
Small-Business Firewalls (multiple brands)
Voice-Over-IP (VOICE) Devices (multiple brands)
(it was not in the scope of this article to name the manufacturers of these devices)
The devices above are not estimated to be available and vulnerable – they are online, and are vulnerable. This raises much concern around the data that is exposed to would-be attackers trying to compromise these systems.
Keep in mind that the Heartbleed vulnerability allows one to obtain pieces of memory from the SSL process that may contain usernames, passwords and authentication cookies. In our internal lab experiments, we found this to be easily obtainable in almost 90% of the tests done.
It’s a disquieting thought, not only that so many devices with sensitive data (even hard disks!) are exposed to the Internet, but also it becomes even more important when we consider that these devices are now vulnerable – most without even new firmware on their manufacturers websites.
Embedded and appliance-like devices may be the answer for out-of-the-box and affordable solutions for many services, but in the case of this article one has to ask – Is your internet-connected appliance bleeding your confidential data?