Many devices will never fix the Heartblee heartbleed Vulnerability

This article is published by Tom Simonite on the TechnologyReview website in the article titled "connecting Devices Will Never Be Patched to Fix the Heartbleed Bug, this article describes the OpenSSL vulnerability and mentions that many online devices may never be able to fix this vulnerability because of the lack of necessary security management and software updates, which does not seem to cause Weihai, however, there are very high security risks.

OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)

Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian

OpenSSL "heartbleed" Security Vulnerability

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

The most important security issue this week is the OpenSSL heartbleed vulnerability, which affects more than 2/3 websites. Almost all Internet users need to recognize the severity of this vulnerability, you must update your network account password. However, many systems with this vulnerability are not in the public eye and may never be repaired.

The "bleeding" vulnerability comes from the OpenSSL protocol, which is widely used in software that connects the home, office, and enterprise to the Internet. This vulnerability will continue to exist in network hardware, home automation systems, and key industry control systems for many years because these systems are frequently updated.

Devices on the Internet usually run this simple Web server, which allows administrators to access the network control panel. In most cases, these servers are secured through the OpenSSL protocol, but Philip Lieberman, chairman of the security Software company Lieberman Software, said the Software needs to be updated. However, many enterprises do not regard vulnerability updates as a matter of high priority. "Device manufacturers do not provide vulnerability patches for the vast majority of devices. A large number of patches need to be updated by users themselves ."

Lieberman said that TV set-top boxes and home routers will become the most affected devices, "ISP vendors now have millions of vulnerable devices on their networks ."

The heartbleed vulnerability also affects the security of many enterprises. Many enterprise-level network facilities, industrial and commercial automation systems rely on OpenSSL, and these devices are hardly updated. Someone previously initiated a large-scale network address scan on the Internet and found that hundreds of thousands of such devices have various known security vulnerabilities, including IT devices and traffic control systems, these system vulnerabilities are not fixed, let alone OpenSSL vulnerabilities.

Jonathan Sander, strategy and inspector at STEALTHbits Technologies, believes that "unlike those large servers with IT staff, these networked devices with OpenSSL vulnerabilities won't attract IT staff's attention. The OpenSSL protocol, like a defective engine, is installed on all cars and motorcycles ."

It is difficult to estimate the number of connected devices that have the "heartbleed" vulnerability because the OpenSSL protocol has existed for many years. Mark Schloesser, security investigator at the security company Rapid7, said: "This vulnerability exists in all OpenSSL protocol versions used during the period from January 1, December 2011 to when the vulnerability was revealed ."

Another unknown problem is that people do not know how much data hackers can obtain by exploiting the "heartbleed" vulnerability. Schloesser says that different systems can obtain different data. Taking Yahoo's server as an example, hackers can exploit the "heartbleed" vulnerability to obtain the user's password. The information leaked by other enterprise websites is not valuable to Yahoo.

He also said, "Many people are trying to use this vulnerability to conduct large-scale network intrusion ." He pointed out that since the vulnerability broke out, the login logs on the Web server showed a significant increase in activity. Many people tried to find a system with security risks, and there were scripts on the network to detect website vulnerabilities.

Sander said that although many devices, such as the networked thermostat, do not contain valuable information, they can allow hackers to fully log on to and control it, in addition, you only need a bit of data to find out if there is anyone in the household using the thermostat.

For more information about Heartbleed, click here.
Heartbleed: click here