Heartbleed Update: America the Vulnerable

More than 200,000 Internet-connected systems remain vulnerable to the OpenSSL vulnerability known as Heartbleed bug, more than two years after the flaw was jointly discovered by security firm Codenomicon and Google, publicly detailed, and related patches released. And the greatest number of Heartbleed-vulnerable systems are in the United States, followed distantly by China and Germany.

Those findings come via a review of 50 million Internet-connected systems that are available to unauthenticated users, and which are running SSL/TLS, that was conducted by security researcher Billy Rios, using Internet scanning data recently gathered by the Censys project at the University of Michigan during the week of May 30. His research was sponsored by security firm Synopsis, which acquired Codenomicon in 2015.

The results are depressing, since scans in January 2015 suggested that 250,000 Internet-connected systems - down from an April 2014 high of 1.5 million - remained vulnerable to Heartbleed, which involves an SSL/TLS vulnerability in OpenSSL (see Heartbleed Alert: Vulnerability Persists).

Rios says that the greatest number of Heartbleed-vulnerable systems are infrastructure-related. "Given the fact that Heartbleed is probably one of the most well-known vulnerabilities ever ... I'm actually a little surprised that folks who own this infrastructure do not realize that they're running something on the Internet that's vulnerable to such a bug," Rios says, especially since Heartbleed received massive public exposure after it was revealed in 2014.

"There's hundreds of tools to detect whether or not you're vulnerable to Heartbleed, every vulnerability management software suite that I know of has a Heartbleed check; the patches are certainly available for download and installation," he says. "There's no excuse for not knowing that you're vulnerable to Heartbleed."

Heartbleed Findings

In this interview with Information Security Media Group conducted at the Infosecurity Europe Conference in London (see audio player below photo), Rios also details:

The of prevalence of Heartbleed-vulnerable network infrastructure - routers, gateways, switches - as well as Internet-connected printers. The surprising number of industrial control system and supervisory control and data acquisition - a.k.a. ICS and SCADA - systems that have Heartbleed flaws. Why the increasing number of Internet of Things devices being shipped to market could fuel an increase in Heartbleed infections.

Rios is the founder of information security research firm WhiteScope, based in Half Moon Bay, Calif., which in May received a $200,000 grant from the U.S. Department of Homeland Security's Science and Technology Directorate to build a secure wireless communications gateway - made specifically for Internet of Things devices - that is compliant with the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard. Previously, Rios' roles included being the director of vulnerability research and threat intelligence for Qualys, global managing director of professional services for Cylance, and as a "security ninja" for Google. He's also served as an officer in the U.S. Marines and worked as an information assurance analyst for the U.S. Defense Information Systems Agency.