Open SSL Heartbleed Bug in the Home Gateway

2 min read

You may have recently heard of a major bug in the OpenSSL implementation, widely used to provide secure communications on the web. This vulnerability is fairly widespread, but has been corrected and will be fixed as more systems are patched. We also made an example capture and explanation of the bug and a packet capture of the attack in action at our CloudShark Appliance website.

The security community quickly moved on this vulnerability, and in addition to the OpenSSL patch that is available to fix the problem, there have been several tools built to test servers for the Heartbleed vulnerability.

But what about home devices? Gateways and other home networking devices that use the OpenSSL implementation of TLS may be vulnerable to the bug. Most significantly, if your device’s user interface is web based and uses HTTPS, then implementations using the OpenSSL library may be vulnerable to an attacker who wants access to the device, particularly its security keys. In addition, devices that support TR-069 using TLS may be vulnerable if they use the OpenSSL library for CWMP.

Use of OpenSSL to implement TLS for these services is widespread in the industry, and we have already uncovered vulnerable devices in our own testing.

We took this into account with a special set of test cases as part of CDRouter’s core test suite. The new heartbleed.tcl test module verifies both HTTPS web management connections and TR-069 HTTPS connections (which may be subject to “reverse heartbleed”).

We are interested in hearing from the home networking community on the specific ways our industry may have been affected by this far-reaching security flaw.