April 11, 2014 1:36 pm

Heartbleed bug affecting networking hardware, mobile apps and more

The Heartbleed bug was discovered independently by researchers at Google Inc. and the Finnish security firm Codenomicon.

Screenshot/Heartbleed.com

TORONTO – It’s no longer just websites and online service providers who are being affected by what some are calling the biggest security threat the Internet has ever faced – firewalls, networking hardware and mobile apps are vulnerable too.

Story continues below

Cisco Systems, the world’s biggest telecommunications equipment maker, said it’s reviewing dozens of products to see if they are affected by Heartbleed. The company has already confirmed that some of its products including firewalls, routers, and switches are affected.

Other networking hardware providers including Juniper Networks and Fortigate have also issued security alerts stating some of their products are affected by the bug.

According to a report by Reuters, a Microsoft spokesperson confirmed that “a few services continue to be reviewed and updated with further protections,” but did not name what services. Though some online gaming services have been affected by the flaw, Microsoft’s Xbox Live system was unaffected.

READ MORE: Federal public websites disabled due to bug

Since news of the widespread bug broke late Monday, websites and online services have been scrambling to patch websites in order to fix the vulnerability.

The flaw affects OpenSSL – a widely used open-source set of libraries for encrypting online services.

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed.

What makes it more frightening is that hackers could also grab the keys for deciphering encrypted data and leave no trace of ever being there.

READ MORE: Banks say defences in place to keep info safe from ‘Heartbleed’

Software security firm Trend Micro warned users that mobile apps are also affected by the massive vulnerability because they connect to the vulnerable servers and web services.

“Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time,” read a post on the Trend Micro blog.

“As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It’s as simple and easy as that.”

Apps that do not have in-app purchase capabilities are also left vulnerable to Heartbleed if they connect to an online server that happens to be affected by the flaw.

Trend Micro scanned 390,000 apps found on the Google Play store and found almost 1,300 apps were connected to vulnerable servers.

German developer admits to writing the code responsible for Heartbleed

On Friday, German software developer Robin Seggelmann admitted to writing the line of code that contained the Heartbleed error.

Despite reports that someone may have allowed the flaw to be added to the OpenSSL software deliberately, the developer said that the flaw was “unfortunately missed” by both himself and a reviewer when it was added to OpenSSL over two years ago.

READ MORE: Heartbleed may lead to more security audits, advanced security services

“It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project,” Robin Seggelmann said in an interview with the Sydney Morning Herald.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length.”

According to the interview, the developer said the error was “quite trivial,” but recognized that its overall impact has been severe.

© Shaw Media, 2014

Report an error

Comments