It's Crazy What Can Be Hacked Thanks to Heartbleed

The Internet of Things needs a patch. "It really is disturbing, the number of devices that are affected by this," Weaver says.
Circuit board house. Illustration: Getty

Western Digital makes a tiny box where you can store all your photos and other digital stuff. It's called My Cloud, and you've probably seen the TV ads hawking the thing. It gives you a way to access your stuff from any machine, across the internet.

In the ad, while the rest of humanity is camped out atop one big giant cloud, their digital data exposed to prying eyes and sometimes vanishing altogether, one smiling woman sits on her own personal cloud -- confident all her data is completely safe. With My Cloud, Western Digital says, you too can have such confidence.

But My Cloud has a problem that belies this ad campaign. It's a big problem, and it involves Heartbleed, a flaw in a popular piece of encryption software that set off alarm bells among security researchers when it was revealed earlier this month. According to Nicholas Weaver, a University of California, Berkeley computer scientist, thousands of My Cloud devices are vulnerable to Heartbleed, and although a patch is available, it's not clear when they'll download it.

Over the past weeks, Weaver and researchers at the University of Michigan have been scouring the internet for systems that are vulnerable to the bug, which lets hackers steal information from a machine's memory. As expected, they found that most websites have now patched the flaw, which was in a common piece of encryption software called OpenSSL. But the My Cloud is just one example of an enormous problem that continues to lurk across the net: tens of thousands of devices -- including not only My Cloud storage devices but routers, printers, storage servers, firewalls, video cameras, and more -- remain vulnerable to attack.

In other words, the Internet of Things needs a patch. "It really is disturbing, the number of devices that are affected by this," Weaver says.

Over the past few weeks, individual companies and open source projects have been calling out hole after hole. "The edges of our networks -- home routers and firewalls -- everything that protects us from the bad guys is potentially vulnerable," says Dave Taht, a software developer who makes an open-source router operating system called CeroWrt that was vulnerable to the bug.

The new-age thermostat maker Nest -- now owned by Google -- says its devices used the buggy version of OpenSSL. It also says that users shouldn't be affected by the problem, but it's still preparing a fix. Some of Apple's Airport Extreme network routers and Time Capsule backup devices are affected too. Even Siemens industrial control systems -- used to manage heavy machinery in power plants and waste water facilities -- contain the bug. But that's just scratching the surface.

Printers and Firewalls and Video Consoles

On Thursday, researchers at the University of Michigan began a massive internet scan to find out how widespread the problem really is. The list of devices still at risk is harrowing: HP printers, Polycom video conferencing systems, WatchGuard firewalls, VMware systems, and Synology storage servers. Weaver counts tens of thousands of vulnerable installations of the Parallels Plesk Panel web hosting control panel too -- those could become a prime target of hackers looking to take control of websites.

Another device with a big problem is the FortiGate firewall. It's designed to help keep attackers off the network, but thanks to Heartbleed, unpatched FortiGate systems could hand over sensitive information -- maybe even a password, or a piece of data known as a session cookie, that could give the bad guys access to the firewall. The scan found 30,000 vulnerable Fortinet firewalls (Weaver cautions that his numbers are merely a ballpark estimate of the size of the problem, not definitive figures).

We asked Fortinet how many of its customers had updated their firmware, but the company declined to comment for this story. According to Fortinet's documentation, customers need to manually update their software.

Although many vulnerable devices such as printers are tucked safely behind corporate firewalls, Weaver found vulnerable printers accessible over the internet, including some built by HP. But even three weeks after Heartbleed was first disclosed, HP can't even say which of its printers have the bug. "HP is developing firmware updates for any consumer printing devices that may be impacted, and customers should install them when they become available," said Michael Thacker, an HP spokesman, via email. A "small number of consumer printer models are impacted."

But HP isn't alone. In fact, nobody really knows the full scope of the problem, although Weaver and the University of Michigan researchers seem to have the best data available.

From Bad to Worse

What makes Heartbleed so insidious is that the same kind of hack attack can lift sensitive information from wide swaths of devices. The bug gives bad guys a way to essentially trick a vulnerable computer into dumping 64 kilobytes of memory. That memory could include useless information, or it could be an administrator's user name and password, or a session cookie that a hacker could use to get access to the device.
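How that memory dump happens, as an added illustration that is not OpenSSL's code or the article's own: a constructed toy in C in which the responder trusts the length field in the heartbeat request, beside the patched version with the bounds check that rejects requests whose declared length exceeds what was received. The arena, request bytes and "secret" string are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the TLS heartbeat handling behind Heartbleed (not
 * OpenSSL's code). A heartbeat record is:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 * The bug: the responder trusted payload_length instead of checking it against
 * the bytes that actually arrived, so it copied up to 64 KB of whatever sat
 * after the request in process memory into its reply. */
#define ARENA 32        /* stand-in for process memory around the request */
#define MIN_PADDING 16  /* minimum padding a heartbeat record must carry */

/* Vulnerable responder: copies payload_length bytes, never consults rec_len. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *reply) {
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    memcpy(reply, rec + 3, payload_len); /* reads past the end of the request */
    return payload_len;
}

/* Patched responder, with the bounds check the upstream fix added: discard any
 * request whose declared length exceeds what was actually received. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *reply) {
    if (rec_len < 3) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + MIN_PADDING > rec_len) return 0;
    memcpy(reply, rec + 3, payload_len);
    return payload_len;
}

/* Place a request that claims a 16-byte payload but carries 2 bytes, followed
 * by constructed "secret" data, then run one responder over it. Returns the
 * number of bytes written to reply, which is NUL-terminated afterwards. */
size_t run_heartbeat(int use_fixed, uint8_t reply[64]) {
    uint8_t arena[ARENA] = {0};
    const uint8_t request[] = {0x01, 0x00, 0x10, 'h', 'i'};
    const char secret[] = "SECRET=hunter2"; /* constructed heap contents */
    memcpy(arena, request, sizeof request);
    memcpy(arena + sizeof request, secret, sizeof secret);
    size_t n = use_fixed ? heartbeat_fixed(arena, sizeof request, reply)
                         : heartbeat_vulnerable(arena, sizeof request, reply);
    reply[n] = '\0';
    return n;
}

size_t reply_length(int use_fixed) { uint8_t r[64]; return run_heartbeat(use_fixed, r); }

/* 1 if the reply carries bytes the request never sent, 0 otherwise. */
int reply_leaks_secret(int use_fixed) {
    uint8_t r[64];
    run_heartbeat(use_fixed, r);
    return strstr((const char *)r, "SECRET") != NULL;
}
```

The vulnerable responder answers the 5-byte request with 16 bytes, the last 14 of which were never sent; the patched responder answers with nothing.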

But things could have been much worse. Anything that needs to connect securely over the internet could have a Heartbleed problem. But Weaver and the University of Michigan team found that many devices that used OpenSSL were not vulnerable -- either because they used an old version of the software library, or because the buggy OpenSSL feature that contains the flaw wasn't enabled. "This vulnerability is only present if your device is accepting heartbeat messages," says Zakir Durumeric, a PhD student at the University of Michigan. "And what we've found is that many devices on the internet do not accept heartbeat messages."

That's the good news. The bad news is that many of the devices that can be hacked can only be updated manually. Typically, that means that the owner would need to log into the system, and click on an "update firmware" button.

What the researchers are finding is that even as much of the internet has patched the vulnerability, there are so many affected devices that the bug is sure to cause security headaches for years to come. "If they don't auto-update, things will be bad bad bad," Weaver says. "If they do auto-update, things will resolve themselves."