Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack

More than a year after its introduction, the notorious HeartBleed security flaw remains a threat to more than 200,000 internet-connected devices. This according to Shodan, a search tool that (among other things) seeks out internet-of-things (IoT) connected devices. Founder John Matherly posted a map the company built showing …

  1. Anonymous Coward

    In other news, the total number of honeypot servers used by security researchers has now reached 200,000.

  2. gerdesj

    "In other news, the total number of honeypot servers used by security researchers has now reached 200,000."

    Good point AC: I have played with those in the past and they can easily be made to look like a home router with an assortment of vulns ready.

    To be honest though I usually go for an ssh or rdp daemon to harvest bad username and password lists that I then ban. To be honest the baddies generally try administrator and root the vast majority of the time (70%+). The next favourites are service names (mail, sql etc), test and user (with or without a number) and similar. Then you get to watch a long list of initial+surname efforts. Yawn.

  3. Charles Manning

    Ok,... I'll bite

    Heartbleed can be a potential problem in some systems.

    That does not mean that in all cases where heartbleed code runs that it can be used to access anything useful.

    It does not matter if you can pick a cupboard lock if there's nothing to steal. Similarly heartbleed will only bleed if the attackable 64kbyte area holds useful data.

    Heartbleed only works in certain usage situations and many of those do not apply to embedded systems.

    The system I'm currently working on has ssh, but even if it has heartbleed that would not matter due to the way ssh is used.

    1. Michael Wojcik Silver badge

      Re: Ok,... I'll bite

      Since Heartbleed is an OpenSSL exploit, not an SSH one, it's hard to see how "the way ssh is used" is at all relevant.

      Because of OpenSSL's memory management, Heartbleed is pretty much all of a problem, unless your threat model doesn't rely on OpenSSL to do anything requiring a secret. Maybe you're only using OpenSSL to validate certificates, for example; in that case Heartbleed wouldn't matter. But if there's any encryption being done with OpenSSL, then Heartbleed is a problem.

      "heartbleed will only bleed if the attackable 64kbyte area holds useful data"

      Largely irrelevant, because OpenSSL can be coaxed into putting sensitive data into the vulnerable area with high probability.

      IIRC (it's been a while since I looked at the vulnerable code), you can block Heartbleed in various ways even with vulnerable versions, for example by blocking DTLS before it reaches an OpenSSL-based application. So if Shodan's test is "version of OpenSSL with the Heartbleed vulnerability", then it could be returning some false positives.
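
An added example, not part of any comment above and not OpenSSL's own code: the length check RFC 6520 requires of a heartbeat receiver, which is what bounds the "64kbyte area" discussed in this thread. The function name, verdict names and sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HEADER_LEN  3u   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16u  /* minimum padding required by RFC 6520 */

enum hb_verdict { HB_OK = 0, HB_TRUNCATED, HB_LENGTH_MISMATCH };

/*
 * msg:     plaintext heartbeat message (after record decryption)
 * rec_len: number of bytes actually received in the record
 * On HB_OK, *payload_len is the number of bytes that may be echoed back.
 */
enum hb_verdict hb_check(const uint8_t *msg, size_t rec_len, size_t *payload_len)
{
    /* Too short to hold header plus padding: do not read the length field. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TRUNCATED;

    /* The length the sender claims, big-endian, up to 65535 bytes. */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* Claimed payload must fit inside what was received; otherwise drop. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;

    *payload_len = claimed;
    return HB_OK;
}

/* Constructed samples: 3-byte header, 4-byte payload, 16 zero bytes of padding. */
static const uint8_t hb_honest[23]    = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_overclaim[23] = { 0x01, 0xff, 0xff, 'p', 'i', 'n', 'g' };
static const uint8_t hb_short[3]      = { 0x01, 0x00, 0x00 };

int main(void)
{
    size_t n = 0;
    printf("honest:    %d\n", hb_check(hb_honest, sizeof hb_honest, &n));
    printf("overclaim: %d\n", hb_check(hb_overclaim, sizeof hb_overclaim, &n));
    printf("short:     %d\n", hb_check(hb_short, sizeof hb_short, &n));
    return 0;
}
```

A receiver that skips the second comparison copies `claimed` bytes from a buffer that holds only `rec_len`, which is the over-read the thread is arguing about.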

  4. PacketPusher


    We're Number 1! We're Number 1! Oh, wait. This isn't a good thing? Dang.

  5. Anonymous Coward

    shodan != shogan

    200,000 out of how many? Just how big is the storm in this teacup?

    1. Nextweek

      Re: shodan != shogan

      200,000 out of 180,000,000 websites = 0.1%

  6. Camilla Smythe

    All of this could be solved..

    If you listened to Cryptosoft. Regular updates HERE,

    1. Michael Wojcik Silver badge

      Re: All of this could be solved..

      "solved" how?

      They certainly have an impressive array of marketing materials, but I don't see how they're magically going to replace vulnerable software in thousands of embedded systems. And that's assuming you purchase their product, and not simply "listen" to them.
