A security bug uncovered this week affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords. But many systems vulnerable to the flaw are out of public view and are unlikely to get fixed.
OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.
Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating, says Philip Lieberman, president of security company Lieberman Software. However, this is unlikely to be a priority. “The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.”
Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them,” he says.
MIT Technology Review:
Widespread Bug Will Linger On in Unpatched Devices
Money.CNN.com: Heartbleed bug: What you need to know
LA Times: 'Heartbleed' bug could undermine years of work to build public trust