Heartbleed bug spreads to routers and other gear

The vulnerability that has online companies scrambling also affects the equipment that connects the Web.

By MSN Money Partner 

 

By Danny Yadron, The Wall Street Journal

The encryption bug that has the Internet on high alert also affects the equipment that connects the Web.

Cisco Systems (CSCO -2.03%) and Juniper Networks (JNPR -1.82%), two of the largest manufacturers of network equipment, said Thursday that some of their products contain the "Heartbleed" bug, meaning hackers might be able to capture user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet.

Many websites -- including those run by Yahoo (YHOO -4.22%), Amazon.com (AMZN -4.43%) and Netflix (NFLX -5.18%) -- quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home.

These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.

Bruce Schneier, a cybersecurity researcher and cryptographer, said, "The upgrade path is going to involve trash can, a credit card, and a trip to Best Buy."

To be sure, the products available at retail stores now likely were shipped before the bug was revealed on Monday, and may also contain the defective software, from an encryption code known as OpenSSL.

Companies often use firewalls and virtual private networks to protect their computer systems. But if the machines that run the firewalls and virtual private networks are affected by the Heartbleed bug, attackers could use them to infiltrate a network, said Matthew Green, an encryption expert at Johns Hopkins University.

"It's pretty bad," Green said. "Lots and lots of people connect to these things."

Green and others said the bug likely affects some home-networking equipment, such as wireless routers.

In a customer bulletin updated Thursday, Cisco told clients that 66 products are "affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve" potentially sensitive information.

Cisco said it would update customers when it has software patches. In the meantime, its security researchers offered users software that it said would detect hackers exploiting the bug. A Cisco spokesman referred a query to the bulletin on its website.

Juniper said the process of updating its equipment might be lengthy. "It doesn't sound like a flip-the-switch sort of thing," said Corey Olfert, a Juniper spokesman. "I don't know how quickly they can be resolved."

To keep prying eyes out, websites and network equipment use encryption to turn sensitive information into a jumble or unreadable text. Since writing encryption code is complex, developers often use a free, open-source version called OpenSSL. It's a barebones project managed by four European coders.

The Heartbleed bug -- first introduced into OpenSSL two years ago -- allows hackers to grab bits of data from servers and equipment after it has been decrypted.