Figures from IoT search engine Shodan suggest not all devices have been patched while experts ponder whether Heartbleed will ever be eliminated
The notorious ‘Heartbleed’ vulnerability that caused widespread panic last year is still present on roughly 200,000 internet-connected devices, according to figures from IoT search engine Shodan.
Heartbleed is a bug in OpenSSL, the widely used open source cryptography library that many websites and applications rely on to protect customer data in transit. A malformed TLS heartbeat request lets an attacker read up to 64 KB of a server’s memory per request, and repeated requests can expose private keys, session cookies and passwords, undermining the protection OpenSSL is supposed to provide.
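The following is an added example, written for this page rather than taken from the article or from OpenSSL itself. It reproduces the shape of the bug in a self-contained C program: a heartbeat record carries a 2-byte payload length chosen by the sender, and the vulnerable handler copies that many bytes back without checking it against the length of the record actually received. The fixed handler adds the bounds check that OpenSSL 1.0.1g introduced. The function names (`build_memory`, `process_heartbeat_vulnerable`, `process_heartbeat_fixed`, `response_contains`, `demo`), the `g_mem` buffer standing in for process memory, and the planted “secret” string are all constructed for the demonstration and are not OpenSSL identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* TLS heartbeat records end with 16 bytes of random padding */
#define MEM_SIZE     128

/* Constructed stand-in for process memory: the heartbeat record sits at the
 * start and unrelated sensitive data follows it, as it might on a real heap. */
static unsigned char g_mem[MEM_SIZE];
/* Response buffer large enough for the worst case: header + 64 KiB + padding. */
static unsigned char g_out[3 + 0xFFFF + HB_PADDING];

/* Lay out a heartbeat request in g_mem: 1-byte type, 2-byte *declared* payload
 * length, the actual payload, 16 bytes of padding, then the planted secret.
 * Returns the true record length (what the TLS record layer would report),
 * or 0 if the constructed layout would not fit. */
static size_t build_memory(uint16_t declared_len, const char *payload, const char *secret)
{
    size_t plen = strlen(payload);
    size_t rec_len = 1 + 2 + plen + HB_PADDING;
    size_t off = 0;

    if (rec_len + strlen(secret) > MEM_SIZE)
        return 0;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[off++] = HB_REQUEST;
    g_mem[off++] = (unsigned char)(declared_len >> 8);
    g_mem[off++] = (unsigned char)(declared_len & 0xFF);
    memcpy(g_mem + off, payload, plen);      off += plen;
    memset(g_mem + off, 0x41, HB_PADDING);   off += HB_PADDING;
    /* The secret is NOT part of the record; it merely sits next to it. */
    memcpy(g_mem + off, secret, strlen(secret));
    return rec_len;
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: the payload length is
 * read from the attacker-controlled header and never compared with rec_len,
 * so memcpy reads past the end of the record. Returns bytes to send back. */
static int process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                        unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    const unsigned char *pl = p + 2;
    (void)rec_len;                                       /* never consulted: the bug */

    if (hbtype != HB_REQUEST)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);              /* s2n(payload, bp) */
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + 3, pl, payload);                        /* over-read of up to 64 KiB */
    memset(out + 3 + payload, 0x00, HB_PADDING);         /* OpenSSL fills this randomly */
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: refuse records too short to hold a header plus padding, and
 * refuse any declared payload length that does not fit inside the record. */
static int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char hbtype;
    uint16_t payload;
    const unsigned char *pl;

    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                        /* silently discard */
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    pl = p + 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                        /* the Heartbleed check */
    if (hbtype != HB_REQUEST)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0x00, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the response of n bytes contain the needle anywhere? */
static int response_contains(const unsigned char *out, int n, const char *needle)
{
    size_t nl = strlen(needle);
    size_t i;
    if (n < 0 || (size_t)n < nl)
        return 0;
    for (i = 0; i + nl <= (size_t)n; i++)
        if (memcmp(out + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* One malicious request (claims 64 bytes, sends 2) through both handlers.
 * Returns 1 if the vulnerable path leaked the secret and the fixed path refused. */
static int demo(void)
{
    const char *secret = "-----BEGIN RSA PRIVATE KEY-----";  /* constructed stand-in */
    size_t rec_len = build_memory(0x40, "hi", secret);
    int n_vuln = process_heartbeat_vulnerable(g_mem, rec_len, g_out);
    int leaked = response_contains(g_out, n_vuln, secret);
    int n_fixed = process_heartbeat_fixed(g_mem, rec_len, g_out);
    return leaked && n_fixed == 0;
}

int main(void)
{
    printf("vulnerable handler leaked secret, fixed handler refused: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The check in the fixed handler is the whole fix: the declared length is only trusted once it is known to lie within the bytes the record layer actually delivered. A well-formed request (declared length equal to the real payload) still passes, so the change is invisible to legitimate peers.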
Following its public disclosure in April 2014, vendors and developers rushed to patch Heartbleed, and a number of major IT firms pledged additional support to open source projects, many of which receive funding out of all proportion to how much the industry depends on them.
To put it into perspective, it was estimated that on 10 April 2014, there were 220 million mobile apps sitting on Android phones containing the flaw.
However, 18 months on, it appears not everything has been patched. A map tweeted by Shodan founder John Matherly shows 57,272 still-vulnerable devices in the US, 21,660 in Germany, 11,300 in China, 10,094 in France and 9,125 in the UK.
Shodan indexes internet-connected devices and exposes their technical characteristics, such as open ports, service banners and software versions. Searches can be filtered by geographical region, which hands attackers a ready list of targets but also gives administrators a heads-up that not all of their systems are protected.
“The Shodan search results also tell you when a device is vulnerable to Heartbleed (as well as other SSL info),” said Matherly.
Security expert Graham Cluley agrees that the search engine can help identify security threats, and can also help IT teams see whether devices are visible to the outside world when they shouldn’t be.
“IT teams can use tools like Shodan to help them check their company’s security, testing with various filters to determine if web servers – for instance – are running a particular version of Apache, or if devices which shouldn’t be visible to the outside world are revealing their existence online,” he said.
“Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems. My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed.”