
Heartbleed bug affects gadgets everywhere (cellphones, routers, etc.)


Rubeus
04-13-2014, 04:46 AM
I also heard Android phones with OS v4.1.1 are affected - http://mashable.com/2014/04/11/devices-running-android-4-1-1-vulnerable-to-heartbleed/

... and NSA has been using this to hack into many places for the last 2 years. :P

The Internet bug Heartbleed doesn't just affect websites. It also has shown up in the gadgets we use to connect to the Internet.

Tech giants Cisco (CSCO, Fortune 500) and Juniper (JNPR) have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they're impacted by the bug as well.

That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails and entire sessions at your computer or iPhone. You also could have been compromised if you logged into work from home remotely. And you'll probably never know if you were hacked.

"That's why this is being dubbed the biggest exploit of the last 12 years. It's so big and encompassing," said Sam Bowling, a senior infrastructure engineer at the web hosting service Singlehop.

What does exposure actually mean? What could be hacked? Here is a rundown, provided by researchers at security provider SilverSky and Singlehop.

Work phone: At least four types of Cisco IP phones were affected. If the phones are not behind a protective network firewall, someone could use Heartbleed to tap into your phone's memory banks. That would yield audio snippets of your conversation, your voicemail password and call log.

Company video conference: Some versions of Cisco's WebEx service are vulnerable. Hackers could grab images on the shared screen, audio and video too.

VPN: Some versions of Juniper's virtual private network service are compromised. If anyone tapped in, they could grab whatever is on your computer's memory at the time. That includes entire sessions on email, banking, social media -- you name it.

Smartphone: To let employees access work files from their iPhones and Android devices, some companies opt for Cisco's AnyConnect Secure Mobility Client app for iOS, which was impacted by Heartbleed. An outsider could have seen whatever you accessed with that app.

Switches: One type of Cisco software that runs Internet switches is at risk. They're notoriously hard to access, but they could let an outsider intercept traffic coming over the network.

Cisco, Juniper and Apple (AAPL, Fortune 500) did not respond to questions from CNNMoney. But on its site, Juniper told customers, "We are working around the clock to provide fixed versions of code for our affected products."

But fixing the bug on those devices won't be easy. Cisco and Juniper can't just press a button and immediately replace the vulnerable software running on the machines. The onus is on each person or company using those devices. And that's where the problem lies.

"Many small and medium businesses aren't likely to ever upgrade, and they're going to have a tremendous amount of exposure for a very long time," said John Viega, a Web security expert and an executive at security provider SilverSky.

That is why changing passwords isn't necessarily enough to overcome the potential damage caused by the Heartbleed bug. Even if a website isn't vulnerable when communicating with its customers, the company's servers might still be exposed.

The problem doesn't seem to be widespread on the consumer side, though. Linksys and D-Link make many of the routers we use to connect to the Web from home, and they say none of their devices are affected. However, Netgear (NTGR) has not posted updates or returned for comment.

http://money.cnn.com/2014/04/11/technology/security/heartbleed-gear/

Drunken Savior
04-13-2014, 04:52 PM
FYI, this is a fundamental problem with OpenSSL and not some virus or something. Until a website updates its OpenSSL certificate, it is exploitable. So do not think that simply changing your password will make you safe. The website has to first update its OpenSSL certificate and then you have to change your password.

This was accurate as of April 10:

http://i.imgur.com/1Hn3tML.jpg

For other sites, HERE IS A MORE COMPREHENSIVE LIST (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/).

Additionally, both Steam and Origin were affected and have been patched. So update your passwords there as well!
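To make the "fundamental problem with OpenSSL" concrete: Heartbleed is a missing bounds check in the TLS heartbeat handler, which is why a password change only helps once the server's OpenSSL has actually been patched. The program below is an added example written for this thread, not OpenSSL's own code; it reproduces the shape of the vulnerable handler and of the 1.0.1g fix against a constructed 4 KiB block of "process memory" with a made-up secret planted after the record. The record layout follows RFC 6520 (type, 16-bit length, payload, 16 bytes of padding); the secret string, its offset, and the 1000-byte claimed length are assumptions chosen for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

enum { MEM_LEN = 4096 };

/* A received record: pointer into the connection buffer plus the number of
 * bytes that actually arrived on the wire (OpenSSL's s->s3->rrec.length). */
struct record {
    const unsigned char *data;
    size_t length;
};

/* Write a heartbeat request at out. claimed_len goes into the 2-byte length
 * field; real_len is how many payload bytes are really present. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const char *payload, size_t real_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable shape (OpenSSL 1.0.1 to 1.0.1f): the peer-supplied length is
 * trusted as the memcpy size. Returns bytes written to resp, or -1. */
static int heartbeat_vulnerable(const struct record *rec,
                                unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = rec->data;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != TLS1_HB_REQUEST) return -1;
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1; /* demo bound */
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    /* BUG: copies `payload` bytes although only rec->length arrived, so
     * whatever lies after the record in memory is echoed to the peer. */
    memcpy(resp + 3, p + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed shape (1.0.1g): drop records too short to hold a heartbeat, and
 * reject any claimed payload length larger than what was received. */
static int heartbeat_fixed(const struct record *rec,
                           unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = rec->data;
    uint16_t payload;
    if (rec->length < 3 + HB_PADDING) return -1;               /* discard */
    if (p[0] != TLS1_HB_REQUEST) return -1;
    payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)3 + payload + HB_PADDING > rec->length) return -1; /* the fix */
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed scenario (assumption, not real server memory): the heartbeat
 * record sits at offset 0 of a 4 KiB region and a made-up secret sits 200
 * bytes further on, where a real server might hold a cookie or key. */
static const char SECRET[] = "session=4f3a9c1d; password=hunter2";

static size_t stage(unsigned char *mem, uint16_t claimed_len)
{
    memset(mem, 'A', MEM_LEN);
    memcpy(mem + 200, SECRET, sizeof SECRET);
    return build_heartbeat(mem, claimed_len, "hi", 2); /* 2 real bytes */
}

static int contains(const unsigned char *buf, size_t n, const char *s, size_t m)
{
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, s, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the planted secret back to the peer. */
int vulnerable_leaks_secret(void)
{
    unsigned char mem[MEM_LEN], resp[MEM_LEN];
    struct record rec;
    rec.data = mem;
    rec.length = stage(mem, 1000);     /* claims 1000 bytes, sends 2 */
    int n = heartbeat_vulnerable(&rec, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, SECRET, sizeof SECRET - 1);
}

/* The fixed handler's result for the same malformed request (-1 = dropped). */
int fixed_drops_malformed(void)
{
    unsigned char mem[MEM_LEN], resp[MEM_LEN];
    struct record rec;
    rec.data = mem;
    rec.length = stage(mem, 1000);
    return heartbeat_fixed(&rec, resp, sizeof resp);
}

/* An honest request (claims 2, sends 2) still gets a 21-byte reply. */
int fixed_answers_wellformed(void)
{
    unsigned char mem[MEM_LEN], resp[MEM_LEN];
    struct record rec;
    rec.data = mem;
    rec.length = stage(mem, 2);
    return heartbeat_fixed(&rec, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks planted secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, malformed request: %d\n", fixed_drops_malformed());
    printf("fixed handler, well-formed request: %d\n", fixed_answers_wellformed());
    return 0;
}
```

The only difference between the two handlers is the single comparison against rec->length; everything the attacker gets comes from the gap between the 16-bit length they claim and the bytes they actually sent. That is also why "update the certificate" is only the second step: the library has to be patched first, then keys and certificates reissued and passwords changed, because anything that sat near the record buffer while the old code was running may already have been read.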

spider-prime
04-13-2014, 05:41 PM
Once new devices with fixed versions for this exploit are out, I'm buying a new router. Mine is old anyway.

I'm glad I don't use a lot of sites with passwords other than games. So I'm good for all of those :)

but gasps! Someone could have checked my log and found out I go to big titty transvestites sites!

bujeezus
04-14-2014, 11:27 AM
but everybody already knows that.

Escaflowne2001
04-14-2014, 09:16 PM
If it's been a problem for like 2 years, isn't it a bit late by now anyway....

Joe Redifer
05-22-2014, 05:11 AM
What does updating a certificate mean? Is that like a license? So it expires and all of a sudden it just opens up until you renew? That's a big sign saying "NEVER USE SSL" if I ever saw one. It should be safe no matter the status of the certificate. Is the certificate on paper? I bet it is. It probably even has a gold stamp on it. You then scan it into the computer as a lossy JPG and then everything is patched.