Your devices Heartbleeding - again

Heartbleed is still offering rich pickings for security researchers, and presumably hackers, with Luis Grangeia of Sysvalue demonstrating attacks against wireless (and some wired) networking infrastructure using libraries linked to vulnerable OpenSSL versions. The Lisbon-based researcher has demonstrated that this affects …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "The Lisbon-based researcher has demonstrated that this affects wireless infrastructure, some Android devices, Radius servers, and possibly reaching as far as iOS, OS X, and VoIP phones."

    Apple uses their own SSL/TLS implementation and when they do include OpenSSL it is an older version that is not vulnerable to Heartbleed.

    Cisco gear isn't impacted either as they use an older version of OpenSSL. Ironically, the latest ASA (firewall) software 9.2(1) has a vulnerable version of OpenSSL but since the keep alive is not implemented, it isn't vulnerable.

    1. Anonymous Coward

      "possibly vulnerable"

      The slideshow lists a whole range of stuff as "possibly" vulnerable. Just about anything is possibly vulnerable in the mind of a security researcher, as it is only possible for him to prove something is vulnerable, he can't prove the reverse.

      Obviously it is in the interest of someone who makes their living doing security auditing/consulting/etc. to make Heartbleed sound as bad as possible by casting doubt on everything out there. More demand, higher fees!

      1. big_D Silver badge

        Re: "possibly vulnerable"

        Aha, but you are forgetting, if people use those lovely iDevices to connect to an affected piece of networking equipment or an affected server, they can still be spied upon! They have to get Cupertino into the equation somewhere, otherwise it wouldn't be reported.

        How else is he going to get his 5 minutes of fame?

        1. Anonymous Coward

          @big_D

          Of course using that line of reasoning every TCP/IP capable device from an unpatched original XP install to a device running a fully formally verified OS (if such a thing even existed) can be "spied upon", if whatever it connects to has been hacked, allowing the decrypted payload to be collected and examined.

      2. Another User

        Re: "possibly vulnerable"

        On the other hand this "researcher" discredits himself. I did not bother to look at the original article after seeing these false statements.

        1. Anonymous Coward

          Re: "possibly vulnerable"

          I bothered. Excellent work.

          1. theblackhand

            Re: "possibly vulnerable"

            So any RADIUS servers using a flawed release of OpenSSL are vulnerable, assuming they haven't already been updated, for TLS-based EAP authentication such as EAP-TLS/EAP-TTLS/EAP-PEAP.

            I would imagine that the affected install base for this would be tiny (an OpenSSL 1.x release that hadn't been patched) with most installs either using OpenSSL 0.9.x or earlier for old systems or a patched release for current systems.

            WEP/WPA/WPA2 pre-shared key aren't affected - they aren't that secure, but not because of Heartbleed.

    2. JeffyPoooh

      AC wrote: "Cisco gear isn't impacted either..."

      Really? What's this* then?

      * http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

  2. Grease Monkey Silver badge

    "as it is only possible for him to prove something is vulnerable, he can't prove the reverse."

    If we are talking about a specific vulnerability then a simple test will show that something is vulnerable or it isn't. Since in this case we are talking about a specific vulnerability your statement makes no sense.

    What we see here (once again) is a security researcher trying to make his research look as newsworthy as possible by exaggerating the scope of the vulnerability he has "discovered". Of course journalists tend to fall for this ploy by simply paraphrasing the press release (some don't even do that) and doing no research at all.
