PRINCETON, N.J.—Three years after it was discovered, the Heartbleed bug has yet to burn out, a new report reveals.
A report from Shodan, a search engine for Internet-connected devices, says that a Jan. 22 search identified 199,594 Internet-connected devices that still remain vulnerable to the Heartbleed bug, Bank Info Security reported.
Heartbleed is the nickname for a vulnerability in OpenSSL, an open-source implementation of the SSL and TLS protocols that's used to secure data sent between clients and servers. The bug was jointly discovered by security firm Codenomicon and Google and publicly detailed in 2014, when related patches and fixes released, Bank Info Security explained. Heartbleed was a major concern among banks and credit unions a few years ago.
“Since the bug was first publicized on April 7, 2014, multiple researchers – including Robert David Graham, who heads research firm Errata Security – have been scanning the Internet to count how many Internet-connected servers that respond with a valid SSL connection appear to be vulnerable to Heartbleed,” Bank Info Security reported.
Bank Info Security reported stated that ongoing scans have found:
- April 2014: As of April 9, 2014, Graham reported finding an estimated 600,000 Heartbleed-vulnerable servers connected to the Internet.
- May 2014: One month later, Graham reported finding about 320,000 servers that were still vulnerable to Heartbleed.
- January 2015: Graham's scans found 250,000 servers and other systems that connect to the Internet that were still vulnerable to Heartbleed.
- May 2016: Security researcher Billy Rios told Bank Info Security that he'd found about 200,000 vulnerable servers.
- Jan. 30, 2017: The most recent Shodan search reported that the number of Heartbleed-vulnerable devices had dropped to about 180,000, meaning that about 20,000 were apparently remediated after the Jan. 22 Shodan report came out.