The Heartbleed Bug Will Lurk in the Internet of Things for Decades
While the majority of Heartbleed holes will be plugged quickly, many devices aren't capable of being fixed.
The internet is still reeling from the Heartbleed bug discovered this week, which ripped a hole in the popular OpenSSL encryption library that left web servers bleeding out buckets of data—and not just any data, the kind of data people had specifically taken pains to protect: private information, passwords, cryptographic keys, security certificates, and so on.
But with all eyes trained on the huge swath of the web that was found vulnerable to the nasty bug, let's not forget that thousands of network-connected devices, the nascent Internet of Things, are also embedded with OpenSSL. And unlike the Yahoos and Googles, which have already upgraded to the fixed version of OpenSSL, the infrastructure of the web is even less secure. It will be significantly harder to stop the bleeding in hardware devices, experts say, and in many cases they will never be patched at all.
Anything from industry IT equipment to home automation systems is vulnerable: wireless routers, cable boxes, security cameras, and an array of smart gadgets.
"Any sufficiently large organization is unaware of all the sorts of equipment they've got attached to the internet," Robert David Graham, a researcher at Errata Security, told me. In scans of the deep web, the 90 percent of the internet that's not indexed by Google, he's found thousands of devices connected to the web without the manufacturer or consumer's knowledge.
OpenSSL is widely used in software that connects these devices to the network. In an interview with MIT Technology Review, Jonathan Sander from STEALTHbits Technologies compared the cryptographic library to an engine part that's in every kind of vehicle that comes off the production line, from a golf cart to a scooter. If a device was shipped out before Heartbleed was discovered Tuesday, it's vulnerable to attack, and unless its software is designed to receive regular updates, it will probably stay exposed for a very long time.
"People aren't going to upgrade so they're going to leave systems untouched on the internet, exposing things that'll never be fixed," Graham said.
In a nutshell, it means the Internet of Things is going to be much easier to attack—and it was already pretty damn easy.
"It makes all hacking more likely than it was before," said Graham. "If you take the rate of hacking that happens today, this will double it."
So, if a malicious attacker wanted to get a hold of your password to break into your bank account, or spy on a huge corporation, a device exposed to the Heartbleed bug is now a very attractive way in. If a business fixes the bug on their major website but leaves it on their devices—say, wireless routers—then hackers can break into those devices, snatch the keys and login information being transferred, and use them to grab the data from the major website.
For the rest of us, the average netizen that's not running a web enterprise, the outlook is a bit brighter. Jon Callas, CTO of Silent Circle, told me that most consumer smart gadgets probably aren't vulnerable to Heartbleed, because no one bothered to encrypt them in the first place. "Ironically, the good news is there's probably not a lot of security on it at all," he said.
The fact that so many connected devices and home automation systems don't have any security built in "has been sort of the minor scandal behind the scenes" in the IoT space, he said. But in this particular case, those companies have dodged a bullet.
A relatively complex device like a set-top box, like Roku or Chromecast, is more likely to be built with an encrypted connection, to protect the purchases and content in the system. But something like a connected toothbrush that’s paired with your smartphone? Probably not.
Meanwhile, major IT firms like Cisco or Juniper will make the effort to upgrade their systems in the coming weeks. "People who do network testing are now going to be testing for devices lying around that were not upgraded," he said. Cisco said it’s currently reviewing its products and has found 13 vulnerable products so far.
That still leaves plenty of devices embedded with OpenSSL that won’t get a fix—and it’s not hard to find them. Just as security researchers are now testing web servers and embedded equipment for the bug, rest assured, hackers are too. What they do with that all-access pass is a different story.
Callas likens it to leaving your keys at a coffee shop. If someone steals your keys, they could theoretically break into your house, take your car, and rob you blind. But first they have to figure out where you live. Hackers with your encryption keys also have some legwork to do before they can waltz into your bank account and take off to the Caribbean.
The New York Times reported that, since the discovery of the bug, there hasn't been an uptick of stolen passwords on the black market. But Graham believes we won't know the full impact of this bug for many years to come.
"This is a long tail curve," he said. Most of the systems got updated this week, but even decades from now we might see systems that are still bleeding data—"very few, but it'll still exist, somewhere on the internet," Graham said. "And 10 years from now you're going to have a factory blow up or something because someone has been able to exploit this bug."
The worst-case scenario is always easy to imagine, if improbable; Heartbleed just makes the unlikely a little less unlikely. "Asteroids don't hit the Earth that often," he said.