Heartbleed is far from dead. 200,000+ vulnerable devices on the internet

Graham Cluley
Graham Cluley
@[email protected]

HeartbleedRemember Heartbleed? Of course you do.

After all, it was the first serious security vulnerability to have a really cool logo.

The Heartbleed vulnerability was uncovered in April 2014, revealing a serious vulnerability in OpenSSL – the cryptographic software library which was supposed to keep information safe and secure, but instead could have helped hackers steal information such as passwords.

After all the hullabaloo about Heartbleed, and the action taken by many IT professionals in the wake of the Heartbleed announcement, you would like to think that almost 18 months later the problem has gone away.

Sign up to our free newsletter.
Security news, advice, and tips.

But take a look at this map of Heartbleed-vulnerable devices around the world.

Heartbleed map

The map was tweeted earlier today by John Matherly, the founder of Shodan, a search engine for the internet of things.

Unlike a regular search engine like Google or Yahoo, Shodan doesn’t search for words. Instead, it searches for the technical characteristics of devices attached to the net – including devices that traditional search engines are likely to ignore.

The Shodan search engine makes it simple for anyone to search the internet for anything which might be connected – whether it be a web server, a webcam, baby monitors, routers, a traffic lights, home heating systems or a SCADA industrial control system.

And the use of filters can even allow you to hone down your search to specific parts of the world.

Of course, if these internet-connected devices haven’t been properly secured (perhaps they have weak default passwords, or contain security holes that can be exploited) then Shodan may have just helped a malicious attacker identify a potential target.

However, as with many things in the world of computer security, there’s another side of the coin. IT teams can use tools like Shodan to help them check their company’s security, testing with various filters to determine if web servers – for instance – are running a particular version of Apache, or if devices which shouldn’t be visible to the outside world are revealing their existence online.

Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems

My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Heartbleed is far from dead. 200,000+ vulnerable devices on the internet”

  1. coyote

    "My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed."

    Just like Linux boxen running kernel <= 2.4, and just like Windows 9x and other Windows that have long (or recently) past their EOL. Also, using TELNET for remote system login instead of ssh (or encrypted TELNET via a tunnel or specific telopt commands/etc. – the latter of which is rare to say the least). And just like using the r* services that you can use to root (or get shell access which can then lead to root) a box without a password, and the list goes on – ad infinitum.

    It is a scary thing but many administrators simply do not care. I refuse to believe some of these are from ignorance because they are so old that they could not have missed it this long. Even newer products part of the 'IoT' include some of these problems and that is pure negligence. It is madness but it fits in this world quite well, unfortunate as it is.

  2. David L

    This issue only highlights a larger problem. That being incomplete mitigation efforts. Many people don't patch or upgrade for a multitude of reasons,but the lack of information after the initial blitze of media reports will lead many to believe that all is well again. At least the infosec community has made good progress on getting the information into the mainstream , but sadly, you can not make the people take action. As one friend of mine said, "sometimes,stupid has to pay"!

    1. coyote · in reply to David L

      "but the lack of information after the initial blitze of media reports will lead many to believe that all is well again."

      That is because many assume things much more than they would like to believe. The news is about the exploit itself – not any attacks because of it (although this happens initially you cannot expect it to continue; if it did it would be much harder to keep track of everything including new risks). This is how it goes with everything in this world; things (except perhaps governments and a few other inept things/entities) tend to evolve and progress. This is ideal (living in the past is unhealthy).

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.