When the Heartbleed vulnerability made headlines last spring, Internet companies went into a frenzy: creating patches, moving away from OpenSSL, and warning users to reset their passwords.
But while we haven’t heard much about it lately — and many servers have been updated to avoid it — Heartbleed is still very much a problem.
The problem is that OpenSSL is in everything.
“It’s an infrastructure hack, and it’s deep … it puts into question everything that we use on the Internet,” said Sami Nassar, VP of authentication products at secure element chip maker NXP.
He calls Heartbleed the death knell for SSL. While some will argue that SSL became obsolete a long time ago, its use is still pervasive. So what’s scary to Nassar is that though the news cycle around Heartbleed ended long ago, the damage is still being done.
A quick refresher
OpenSSL is an open-source implementation of the cryptographic protocols that secure communications on the web. It implements one of the protocols your browser can use to communicate securely with a server whenever you see the little “lock” icon.
Heartbleed is a vulnerability in OpenSSL that allows an attacker to read parts of a server’s memory, exposing whatever OpenSSL is protecting. So an attacker could use Heartbleed to see your username and password, as well as chat and email communications, among other things.
David Chartier of Codenomicon, which discovered and named the vulnerability, says the continued risk is partly due to a lack of procedure for how to deal with vulnerabilities in the wild.
“I think a lot of people upgraded [their servers], but it took a long time to upgrade and renew those encryption certificates,” he says.
Was it possible that people changed their passwords too early? If consumers reset their passwords before a given service or application had fully upgraded its security protocols, the password change was useless. A hacker could conceivably have used the OpenSSL flaw to view the updated passwords before new encryption certificates were in place.
Lots of gaps
Chartier says that a majority of servers at this point have been secured, but it’s hard to know where the gaps are. OpenSSL isn’t only used in servers — it’s everywhere.
“We’re finding lots of embedded devices and applications that have vulnerable Heartbleed applications that the people don’t know for whatever reason,” says Chartier.
His company, Codenomicon, scans businesses’ networks and applications for known vulnerabilities. Recently, Chartier showed me a scan to give me an idea of the scale of the security flaws he encounters on a regular basis.
A scan of a car software company revealed 53,000 vulnerabilities, one of which was OpenSSL. (Yes, OpenSSL is in your car’s computer.) In most cases, car manufacturers cannot push out updates to your car automatically. Rather, they’d have to call car owners into the shop to have the vehicles’ software updated manually. That’s if they even know that there’s a vulnerability within the software.
Why you should care
You may be thinking, “so what?” It’s true that cars don’t store sensitive information.
On its own, a Heartbleed vulnerability could leak information about your car’s location and other telemetry. But in tandem with other vulnerabilities, Heartbleed becomes a lot scarier.
“If I were a bad guy, I [would] ask what the building blocks [are] of the software I’m attacking,” says Chartier. The Heartbleed bug could give a hacker an overview of your car’s computer system, so they could search for other flaws — potentially taking remote control of your vehicle.
That scenario is farfetched, if for no other reason than a hacker would have to want to target your car in particular in order to pull something like that off. So let’s use a more tangible example: your office printer. If you have a wireless printer, it probably connects to your enterprise network and is probably secured with OpenSSL. A Heartbleed vulnerability could give an attacker access to the printer’s username and password, as well as documents sent to the printer. Again, the printer probably hasn’t been updated — because no one even realizes it has OpenSSL.
A possible legislative fix
Software is built on lots of different pieces of code, some proprietary and some open-source, but rarely entirely created from scratch. Often, developers will use code created by someone else in the company, to avoid redundancies. But if that code hasn’t been updated in a while, it might have vulnerabilities.
Those vulnerabilities are hard to spot, because there’s no uniform “nutrition” label for software. However, a new bill called the Cyber Supply Chain Management and Transparency Act of 2014 would require software makers to provide a bill of materials for all the code components used in the software. This way, when a new vulnerability arises, companies can more easily know whether they need to take action and how.
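To make the bill-of-materials idea concrete, here is an added example (not code from the article, Codenomicon or any real product) that matches a constructed component inventory against a constructed advisory for an OpenSSL-style versioned component. The product names, component versions and affected range are all sample data chosen for illustration; the only real-world detail it relies on is that OpenSSL versions carry a letter patch suffix, so "1.0.1f" must sort after "1.0.1" and before "1.0.1g".

```python
# Match a software bill of materials (SBOM) against a vulnerability advisory.
# All products, versions and the affected range are constructed sample data.
import re
from dataclasses import dataclass

# OpenSSL-style version: numeric fields plus an optional letter patch suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")

def parse_version(v: str) -> tuple:
    """Turn '1.0.1f' into a tuple that compares in release order."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # '1.0' compares as '1.0.0'
    letter = m.group(2)
    # No suffix sorts before 'a', so '1.0.1' < '1.0.1a' < '1.0.1b'.
    return nums + ((ord(letter) - ord("a")) if letter else -1,)

@dataclass(frozen=True)
class Advisory:
    component: str
    first_affected: str   # inclusive lower bound
    first_fixed: str      # exclusive upper bound (the fixed release)

    def affects(self, component: str, version: str) -> bool:
        if component.lower() != self.component.lower():
            return False
        v = parse_version(version)
        return parse_version(self.first_affected) <= v < parse_version(self.first_fixed)

def products_needing_action(sbom: dict, advisory: Advisory) -> dict:
    """Return {product: [(component, version), ...]} for affected components."""
    hits = {}
    for product, components in sbom.items():
        affected = [(c, v) for c, v in components if advisory.affects(c, v)]
        if affected:
            hits[product] = affected
    return hits

# Constructed SBOM: each product lists its (component, version) pairs.
SAMPLE_SBOM = {
    "telematics-unit-fw": [("openssl", "1.0.1c"), ("zlib", "1.2.8")],
    "office-printer-fw": [("openssl", "1.0.1f"), ("libjpeg", "9a")],
    "web-frontend": [("openssl", "1.0.1g"), ("nginx", "1.6.0")],
    "legacy-gateway": [("openssl", "0.9.8y")],
}
# Constructed advisory: 1.0.1 up to but not including 1.0.1g is affected.
SAMPLE_ADVISORY = Advisory("openssl", first_affected="1.0.1", first_fixed="1.0.1g")

if __name__ == "__main__":
    for product, comps in products_needing_action(SAMPLE_SBOM, SAMPLE_ADVISORY).items():
        print(f"{product}: update {', '.join(f'{c} {v}' for c, v in comps)}")
```

Given the sample inventory, only the telematics unit and the printer firmware come back as needing action; the web front end already runs the fixed release and the legacy gateway predates the affected range entirely.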
Will this law solve software vulnerabilities? No. But it’s a start.