Heartbleed computer bug danger spreads to firewalls, phones and e-mail servers

Risk posed by computer bug more widespread than thought, with phones, e-mail servers, and security products possibly vulnerable

PUBLISHED : Friday, 11 April, 2014, 10:48pm
UPDATED : Friday, 11 April, 2014, 10:48pm

Hackers could crack e-mail systems, security firewalls and possibly mobile phones through the "Heartbleed" computer bug, say security experts.

And they warned that the risks posed by the bug extend beyond just internet web servers.

Heartbleed surfaced on Monday, when it was disclosed that a flaw in a widely used encryption programme known as OpenSSL had exposed hundreds of thousands of websites to data theft.

Developers rushed out patches to fix affected servers, with companies including Amazon, Google and Yahoo affected.

Yet pieces of vulnerable OpenSSL code can be found inside e-mail servers, ordinary PCs, phones and even security products such as firewalls.

Developers of those products are scrambling to figure out whether they are vulnerable and patch them to keep users safe.

"I am waiting for a patch," said Jeff Moss, a security adviser to the US Department of Homeland Security and founder of the Def Con hacking conference.

Def Con's network uses an enterprise firewall from McAfee, which is owned by Intel Corp's security division.

He said he was frustrated because people had figured out that his e-mail and web traffic were vulnerable and posted about it on the internet, but he could not take steps to remedy the problem until Intel released a patch.

"Everybody is going through the exact same thing I'm going through, if you are going through a vendor fix," he said.

In a company blog, Intel said: "We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks.

"The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated." It did not say when the updates would be released.

The Heartbleed vulnerability went undetected for about two years and can be exploited without leaving a trace.

Experts and consumers fear attackers may have compromised large numbers of networks without their knowledge.

Companies and government agencies are now rushing to understand which products are vulnerable, then set priorities for fixing them. They are anxious because researchers have observed sophisticated hacking groups conducting scans of the internet this week in search of vulnerable servers.

"Every security person is talking about this," said Chris Morales, practice manager with the cybersecurity firm NSS Labs.

Cisco Systems, the world's biggest telecommunications equipment provider, said it was reviewing scores of products to see if they are safe.

It uncovered about a dozen that are vulnerable, including a TelePresence video conferencing server and a version of the IOS software for managing routers.

The Hong Kong Computer Emergency Response Team (HKCERT) said it did not know how many local servers had been affected, but advised internet users to take precautions.

Senior consultant Leung Siu-cheong said: "I believe a considerable amount of Hong Kong people would be affected for using international websites."

HKCERT has uploaded a tool on its website for the public to check whether a particular site is affected by the problem.

Leung said the website owner should check the site and, if affected, fix the problem immediately with a patch.

If any individual internet user has visited any affected website, they should change their login passwords as a precaution after the site has fixed the problem, or else they risk exposing their private information to hackers.

Additional reporting by Emily Tsang