Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time, security experts say.
Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.
The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”
The Heartbleed bug put many consumers’ user names and passwords at risk. Undetected for two years, the bug quietly undermined the basic security of the Internet by leaving a gap in OpenSSL, an encryption technology used widely by businesses to protect sensitive data. By some estimates, the bug affected as much as two-thirds of the Internet.
Challenge is issued
No examples have surfaced of anyone actually exploiting the vulnerability. But on Friday, Web services company CloudFlare issued an open challenge to hackers to see if Heartbleed could be used to do something really dangerous — steal the security certificates that prove Google, for instance, is really Google.
CloudFlare’s initial tests suggested it was probably impossible for an attacker to steal a site’s security certificate and lure visitors to a duplicate that looked and behaved exactly like the real version. Most browsers block access to sites detected to be illegitimate, but a stolen certificate could bypass that security measure.
For the challenge, CloudFlare urged Internet users to run their own tests on a dummy server with the Heartbleed bug. Hackers had to steal the security certificate from the server, then send a message to CloudFlare that was “signed” with the certificate in order to prove they had obtained it. Within nine hours of the challenge’s launch — and three hours after he began working on the problem — a hacker named Fedor Indutny became the first to crack the code.
“It was just a fun way of spending Friday evening time, and a good chance to try my skills in a legal hacking action,” Indutny wrote in an e-mail to The Washington Post.
One Android version remains vulnerable
SAN FRANCISCO — Millions of smartphones and tablets running Google’s Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into devices.
While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the “limited exception” was one version dubbed 4.1.1, which was released in 2012.
Security researchers said that version of Android is still used in millions of smartphones and tablets, including popular models made by Samsung Electronics Co., HTC Corp. and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software. The company said less than 10 percent of active devices are vulnerable. More than 900 million Android devices have been activated worldwide.
The Heartbleed vulnerability was made public earlier this week and can expose people to hacking of their passwords and other sensitive information. While a fix was simultaneously made available and quickly implemented by the majority of Internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts said. Even though Google has provided a patch, the company said it is up to handset makers and wireless carriers to update the devices.
“One of the major issues with Android is the update cycle is really long,” said Michael Shaulov, chief executive officer and co-founder of Lacoon Security, a cyber-security company focused on advanced mobile threats. “The device manufacturers and the carriers need to do something with the patch, and that’s usually a really long process.”
Christopher Katsaros, a spokesman for Mountain View, Calif.-based Google, confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it has “assessed the SSL vulnerability and applied patches to key Google services.”
Microsoft said Sunday that the Windows and Windows Phone operating systems and most services aren’t affected.
Apple Inc. didn’t respond to messages seeking comment.