
Originally published Friday, April 11, 2014 at 8:47 PM


Risk from Heartbleed bug also found in networking systems

Two of the biggest makers of networking equipment, Cisco Systems and Juniper Networks, have acknowledged that some of their products contain the Heartbleed bug, but experts warn the problem may extend to other companies and a range of Internet-connected devices such as Blu-ray players.


The Associated Press

Protect yourself

It appears the Heartbleed bug is affecting not just websites but also some networking equipment, including routers, switches and firewalls. There isn’t much consumers can do to protect themselves completely until the affected websites implement fixes; in the case of networking equipment, it could be quite a while. In the meantime, three steps to reduce the intrusion threat:

Change your passwords. This isn’t foolproof. It’ll only help if the website has put in place required security patches. You also might want to wait a week and then change your passwords again.

Check the websites you’re surfing. There’s a free add-on for the Firefox browser to check a site’s vulnerability and provide color-coded flags. Green means go and red means stop. Download it here: https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/

Check the website of the company that made your home router to see if it has announced any problems. Also be diligent about downloading and installing software updates you may receive.

The Associated Press


NEW YORK — It appears the Heartbleed security problem affects not just websites but also some of the networking equipment that connects homes and businesses to the Internet.

A defect in the security technology used by many websites and equipment makers has put millions of passwords, credit-card numbers and other personal information at risk. The extent of the damage caused by Heartbleed isn’t known. The threat went undetected for more than two years, and it’s difficult to tell if any attacks resulted from it because they don’t leave behind distinct footprints.

But now that the threat is public, there’s a good chance hackers will try to exploit it before fixes are in place, says Mike Weber, vice president of the information-technology audit and compliance firm Coalfire.

Two of the biggest makers of networking equipment, Cisco Systems and Juniper Networks, have acknowledged that some of their products contain the bug, but experts warn that the problem may extend to other companies and a range of Internet-connected devices such as Blu-ray players.

“I think this is very concerning for many people,” said Darren Hayes, professor of security and computer forensics at Pace University. “It’s going to keep security professionals very busy. ... Customers need to make sure they’re getting the answers they need.”

Cisco, the dominant provider of gear to move traffic through the Internet, said Thursday that its big routers and servers and its online servers were not affected.

Certain products the company makes were affected, it said: some kinds of phones that connect to the Internet, a kind of server that helps people conduct online meetings and another device used for office communications. Cisco also posted a list of products it had examined for the vulnerability, which it was updating as it continued inspecting its equipment.

Juniper said its main products were not affected. But a problem was found in a device for creating private communications on the Internet. “Besides one product, the exposure for our customers is minimal, if any,” said Michael Busselen, vice president of corporate communications at Juniper.

Chuck Mulloy, a spokesman for Intel, said his company had been looking through its products for vulnerabilities and had found nothing. He said, however, that the search was not done.

Qualcomm, a maker of mobile technology, said it was checking its products.

In the meantime, here’s what consumers and businesses should know about Heartbleed and its effects on networking devices.

• How is networking equipment affected?

Just like websites, the software used to run some networking equipment — such as routers, switches and firewalls — also uses OpenSSL, an implementation of the SSL/TLS security protocols. OpenSSL is the set of tools that has the Heartbleed vulnerability.

As with a website, hackers could potentially use the bug as a way to breach a system and gather and steal passwords and other sensitive information.

• What can you do?

Security experts continue to advise people and businesses to change their passwords, but that won’t be enough unless the company that created the software in question has put the needed fixes in place.

When it comes to devices, this could take a while. Although websites can be fixed relatively quickly by installing a software update, device makers will have to check each product to see if it needs to be fixed.

Both Cisco Systems and Juniper Networks continue to advise customers through their websites on which products are vulnerable, fixed or unaffected. Owners may need to install software updates for products that are “fixed.”

Hayes praised Cisco and Juniper for being upfront with customers. He cautioned, though, that many other companies make similar products that likely have the bug, too, but haven’t come forward.

As a result, businesses and consumers need to check the websites for devices that they think could have problems. They must be diligent about installing any software updates they receive.

Weber says that while there are some checks companies can do to see if their networking equipment is safe, they’re largely beholden to the device makers to let them know what’s going on.

Companies also need to make sure that business partners with access to their systems aren’t compromised.

• Are other devices at risk?

Hayes said the bug could potentially affect any home device that’s connected to the Internet, including something as simple as a Wi-Fi-enabled Blu-ray player.

He also pointed to recent advances in home automation, such as smart thermostats, security and lighting systems. “We simply don’t know the extent of this and it could affect those kinds of devices in the home,” he says.

In a related development, the National Security Agency (NSA) denied a report that it has exploited Heartbleed to spy on consumers for the past two years.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report,” the agency said Friday. “Reports that say otherwise are wrong.”

The statement was in response to a story by Bloomberg News that claimed the NSA had known about the vulnerability in OpenSSL since it was introduced two years ago.

The Bloomberg report quoted “two people familiar with the matter” who claimed the agency had known for two years about Heartbleed and “regularly used it to gather critical intelligence.”

Material from The New York Times and Los Angeles Times is included in this report.


