The Internet bug Heartbleed doesn’t just affect websites. It also has shown up in the gadgets we use to connect to the Internet.
Tech giants Cisco (CSCO, Fortune 500) and Juniper (JNPR) have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they’re impacted by the bug as well.
That means for two years now, someone could have been able to tap your phone calls and voicemails at work, all your emails, and entire sessions on your computer or iPhone. You also could have been compromised if you logged into work remotely from home. And you’ll probably never know if you were hacked.
“That’s why this is being dubbed the biggest exploit of the last 12 years. It’s so big and encompassing,” said Sam Bowling, a senior infrastructure engineer at the web hosting service Singlehop.
What does exposure actually mean? What could be hacked? Here is a rundown, provided by researchers at security provider SilverSky and Singlehop.
- Work phone: At least four types of Cisco IP phones were affected. If the phones are not behind a protective network firewall, someone could use Heartbleed to tap into your phone’s memory banks. That would yield audio snippets of your conversation, your voicemail password and call log.
- Company video conference: Some versions of Cisco’s WebEx service are vulnerable. Hackers could grab images on the shared screen, audio and video too.
- VPN: Some versions of Juniper’s virtual private network service are compromised. If anyone tapped in, they could grab whatever is in your computer’s memory at the time. That includes entire sessions on email, banking, social media — you name it.
- Smartphone: To let employees access work files from their iPhones and Android devices, some companies opt for Cisco’s AnyConnect Secure Mobility Client app for iOS, which was impacted by Heartbleed. An outsider could have seen whatever you accessed with that app.
- Switches: One type of Cisco software that runs Internet switches is at risk. They’re notoriously hard to access, but they could let an outsider intercept traffic coming over the network.
Juniper has provided a similar list and issued a statement to customers saying, “We are working around the clock to provide fixed versions of code for our affected products.”
But fixing the bug on those devices won’t be easy. Cisco and Juniper can’t just press a button and immediately replace the vulnerable software running on the machines. The onus is on each person or company using those devices. And that’s where the problem lies.
“Many small and medium businesses aren’t likely to ever upgrade, and they’re going to have a tremendous amount of exposure for a very long time,” said John Viega, a Web security expert and an executive at security provider SilverSky.
That is why changing passwords isn’t necessarily enough to overcome the potential damage caused by the Heartbleed bug. Even if a website isn’t vulnerable when communicating with its customers, the company’s servers might still be exposed.
The problem doesn’t seem to be widespread on the consumer side, though. Linksys and D-Link make many of the routers we use to connect to the Web from home, and they say none of their devices are affected. Netgear (NTGR) said its in-home routers are not vulnerable to Heartbleed, but its business-class ReadyNAS storage products are — so customers must update their firmware to be safe.