Six Months Later, Thousands of Systems Remain Vulnerable to the Heartbleed Bug
As expected, the Internet of Things has remained highly vulnerable to Heartbleed.
It has been half a year since the Heartbleed bug caused widespread panic. But, though the concern over it has mostly dissipated, the bug itself hasn't: it still affects thousands of devices worldwide.
Heartbleed was a vulnerability in the hugely popular OpenSSL cryptographic software library, one so ubiquitous that arguably everybody on the web was affected, either directly or indirectly. The bug allowed hackers to steal information that would otherwise be protected, such as passwords, bank account information, and the like.
Technologists scrambled to find fixes for the issue, and lots of systems were patched. But, as we reported at the time, the bug has remained unfixed in many web-connected devices, and will likely continue to remain unfixed for a very, very long time.
"Most of the vulnerabilities are in the Internet of Things, rather than web-servers," Robert Graham, a security expert who ran a six-month anniversary scan for Heartbleed, told me over the phone.
He announced the scan on his blog and has yet to fully publish the results, but Graham did post some snippets to Twitter.
"It's unknown systems, like cameras, NASes [storage devices], VPNs, home routers, forgotten VMs [virtual machines] in data centers, etc.," he tweeted last night.
It also appears that a particular brand of camera is at risk.
"There are 9,000 Hikvision cameras on the Internet just waiting to be exploited with Heartbleed :)," read another tweet.
These things will never get fixed
In a previous scan from June, three months after the initial bug announcement, Graham spotted around 6,000 Heartbleed-vulnerable Hikvision cameras. It isn't immediately clear why the number of at-risk devices has apparently risen since then.
Notably, the DVRs used to record video from Hikvision security cameras have been hacked in the past and used to mine Bitcoin, though, given their low processing power, they are hardly the most efficient way to go about grinding out a load of cryptocurrency.
In a test conducted one month after Heartbleed was announced, Graham found that roughly 300,000 systems remained vulnerable, down from the roughly 600,000 vulnerable systems another of his scans had found immediately after the bug became well known.
So, vulnerable systems have certainly been patched, but Graham isn't at all surprised that many devices remain vulnerable.
"I've scanned this many times now, and it's pretty much what I expected," Graham told me.
Graham, along with some other experts, has already predicted that the Heartbleed bug will lurk in the Internet of Things for decades to come. "Any scientifically large organization is unaware of all the sorts of equipment they've got attached to the internet," Graham told Motherboard in April.
"People aren't going to upgrade so they're going to leave systems untouched on the internet, exposing things that'll never be fixed," he added.
Just because the mass hysteria has gone away doesn't mean the vulnerability leaves with it. We'll update this post when full numbers become available.