Despite a year passing, the infamous Heartbleed flaw is still affecting hundreds of thousands of devices, in the main Internet of Things-type systems.
Around 200,000 devices have been discovered by IoT search engine Shodan to harbour the bug. This suggests that the OpenSSL flaw may never be entirely eliminated.
Shodan founder John Matherly posted on Twitter a world map displaying where many of the vulnerable connected devices were. He claims that out of the more than 200,000 devices discovered, there are 57,272 unprotected devices in the US, 21,660 in Germany, 11,300 in China, 10,094 in France and 9,125 in the UK.
The Heartbleed vulnerability was discovered in April last year and at the time, around 74 percent of Global 2000 organisations had not completed remediation of the bug. Later that year, SCMagazineUK.com reported that more than half of the world's major corporates have servers that are still vulnerable to the flaw.
The search engine that discovered the still-affected devices can find out the technical detail of devices connected to the web and drill down into geographic regions. While this could help attackers target vulnerable systems, it can also allow administrators to find their devices that are still unprotected.
“The Shodan search results also tell you when a device is vulnerable to Heartbleed (as well as other SSL info),” he said in an earlier tweet.
Security expert Graham Cluley said that Shodan could help in finding security threats and help in tracking down devices visible to the internet.
“IT teams can use tools like Shodan to help them check their company's security, testing with various filters to determine if web servers – for instance – are running a particular version of Apache, or if devices which shouldn't be visible to the outside world are revealing their existence online,” he said in a blog post.
“Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems. My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed.”
TK Keanini, CTO at Lancope, told SCMagazineUK.com that “as predicted, the security of IoT is more about hygiene than it is point in time security.
“We need to make it mandatory that these connected devices have an automated way to remain updated. The internet cannot afford a growing population of insecure devices and this is what will happen if we do not take warning.”
Jim Carlsson, CEO of Clavister, told SC that patching is a huge undertaking for organisations but those efforts can be undermined by large number of devices that are running old hardware, have slow platforms or limited connectivity and are incredibly difficult to update.
“In many instances it will require a huge amount of time and resource to even locate the coding error that causes Heartbleed in these legacy devices,” he said.
“Furthermore, many of these devices may never be patched against the vulnerability, either because the vendor no longer exists or the user simply isn't aware of the issue. As a result, the patching cycle is becoming increasingly prolonged, resulting in a greater window of opportunity for attackers to exploit vulnerabilities.”
Carl Leonard, principal security analyst at Raytheon Websense, told SC that part of the problem is that these IoT devices are being designed without security at the front and forefront.
“Unless manufacturers build automatic update capabilities into IoT devices, this problem will continue for a long time to come. If businesses don't take action, then with the increasing rise of connected devices coming into the marketplace, this is only going to make life more difficult for those that don't have appropriate security processes in place,” he said.
Chris Oakley, principal security consultant at Nettitude, said that following a major security disclosure, there is typically an initial mass patching exercise, followed by a ‘long tail' of remaining vulnerability that lasts for years.
“The ‘long tail' of vulnerability, on the other hand, most often applies to obsolete or hard to update systems. IoT devices are often deployed with speed and cost in mind, rather than security,” he told SC.
“It is often not easy to apply updates to IoT devices and, in many cases, it's not even possible. These devices are usually shipped with a ‘deploy and forget' mentality. Consequently, we can expect to see the problem remain for a long time to come,” Oakley said.
Tom Court, cyber-crime researcher at Alert Logic, told SC that in corporate and industrial environments, mitigations to counter the threat of attacks against unmaintained devices can be put in place.
“These countermeasures are most effective in the form of continuous network monitoring to detect common attacks as they occur and automated vulnerability scanning solutions that can detect whether devices on your network are vulnerable, without waiting for an attack to occur,” he said.
Court adds that closer inspection of the Shodan results indicate that approximately 10 percent of the devices are in cloud-hosting providers, implying that at least 20,000 devices do not fall under the banner of ‘IoT' and should fall under normal security and patching best practices.
“The fact that they have not reinforces the case that patching cannot be relied upon and that alternatives such as network monitoring and automated vulnerability scanning should be considered to help secure your cloud infrastructure,” he said.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SC that updating a device presents new risks as well. “If a vendor could update a device, bad guys might be able too as well,” he said.
“So it's no surprise to find IoT devices more vulnerable. This is only the start. And the problem of knowing how to secure keys and certificate or remediate them following a vulnerability like Heartbleed is not just the problem domain of IoT,” said Bocek.
