Our daily data traffic on the Internet has reached dimensions which can hardly be put into numbers. For example, in June 2014, an average of 1.7 Tbit/s of data was transmitted at the German DE-CIX (the largest Internet exchange point worldwide, situated in Frankfurt). Many of these transactions relate to critical applications such as financial or personal data. Whether stock market transactions, online shopping or home banking, anyone who carries out such transactions implicitly relies on security, integrity and authenticity being guaranteed at all times.
For years, such processes and methods have been well established on the basis of deploying technologies that encrypt and secure data transmissions appropriately. Here, the use of SSL has become a de facto standard.
However, it has also turned out that web servers, NAS devices, gateways and routers are vulnerable due to an implementation error: sensitive data can be retrieved without the leak being detectable as an attack. Particularly worrying is that a wide variety of services which protect their data via SSL/TLS are affected. This also includes e-mail (POPS, IMAPS, SMTP with STARTTLS).
Anatomy of a “heart defect”
By looking closely at the problem, one realizes that the actual error is comparatively simple. To keep a connection alive, so-called heartbeats are sent between the communicating partners. In this process the sender transmits data (the payload) to the receiver, who in return sends the same data back.
The problem, however, results from the fact that the receiver does not verify how much data has actually been sent. This means that if the sender “lies” and actually sends only a single byte but claims to have sent 16 Kbyte, the receiver willingly responds by sending back data from its random access memory. The attacker thereby fishes data out of the random access memory of the remote station.
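The missing length check described above is the whole defect. The following C program is an added example (not code from the original post, nor from OpenSSL or Teldat) that models a heartbeat record in a simplified, constructed layout and shows the check a receiver must perform before echoing the payload: the claimed payload length is compared against the number of bytes that actually arrived, and a record whose claim does not fit is rejected instead of answered. The record layout, the constant names and the helper functions are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified, constructed heartbeat record layout for this example:
 *   byte 0      : message type (1 = request, 2 = response)
 *   bytes 1..2  : claimed payload length, big-endian
 *   bytes 3..   : payload, followed by at least HB_PADDING_LEN bytes of padding
 */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_PADDING_LEN  16

/* Build the heartbeat response: echo the payload back, but only after
 * verifying that the claimed length fits inside the bytes actually received.
 * Returns the number of response bytes written, or -1 if the record is
 * malformed (claim exceeds the record) or the output buffer is too small. */
int handle_heartbeat(const uint8_t *record, size_t record_len,
                     uint8_t *out, size_t out_cap)
{
    if (record == NULL || record_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return -1;                       /* too short to carry header + padding */
    if (record[0] != HB_REQUEST)
        return -1;

    size_t claimed = ((size_t)record[1] << 8) | record[2];

    /* The decisive check: the peer's claimed payload length must be covered
     * by the data that actually arrived. Without it, the memcpy below would
     * read past the record into whatever else sits in process memory. */
    if (HB_HEADER_LEN + claimed + HB_PADDING_LEN > record_len)
        return -1;

    size_t resp_len = HB_HEADER_LEN + claimed + HB_PADDING_LEN;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memcpy(out + HB_HEADER_LEN, record + HB_HEADER_LEN, claimed);
    /* Fresh zero padding: never echo uninitialised or stale memory. */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_PADDING_LEN);
    return (int)resp_len;
}

/* Assemble a request whose claimed length may differ from the payload it
 * really carries, so both an honest and a lying record can be constructed. */
size_t build_request(uint8_t *buf, size_t cap, const char *payload,
                     uint16_t claimed_len)
{
    size_t actual = strlen(payload);
    size_t total = HB_HEADER_LEN + actual + HB_PADDING_LEN;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual);
    memset(buf + HB_HEADER_LEN + actual, 0, HB_PADDING_LEN);
    return total;
}

/* Honest request: claims exactly the 5 bytes it sends. Expected result: 24. */
int demo_honest(void)
{
    uint8_t req[64], resp[64];
    size_t n = build_request(req, sizeof req, "hello", 5);
    int r = handle_heartbeat(req, n, resp, sizeof resp);
    if (r < 0 || memcmp(resp + HB_HEADER_LEN, "hello", 5) != 0)
        return -1;                       /* echoed payload must match */
    return r;
}

/* Lying request: sends 1 byte but claims 16 Kbyte (0x4000). Expected: -1. */
int demo_lying(void)
{
    uint8_t req[64], resp[64];
    size_t n = build_request(req, sizeof req, "x", 0x4000);
    return handle_heartbeat(req, n, resp, sizeof resp);
}

int main(void)
{
    printf("honest request -> %d\n", demo_honest());
    printf("lying request  -> %d\n", demo_lying());
    return 0;
}
```

The honest record (3 header bytes + 5 payload bytes + 16 padding bytes = 24 bytes) is answered with a 24-byte response; the lying record, which claims 16 Kbyte but delivers 20 bytes in total, is dropped before any copy takes place. The same comparison, expressed against the TLS record length, is what a patched implementation performs.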
If someone uses this procedure systematically and with high computing power, large quantities of credit card information and passwords can be gathered and spied upon. Furthermore, it was possible to get to the innermost part of servers and spy out the private key. The consequence would be that perfect imitations of servers can be placed on the Internet, and users won't notice because they won't receive a warning about faked certificates.
Is it possible for your data security to recover from a “heart attack”?
Users and affected parties are in a rather uncertain situation. For the systems to which we have access, we have to find out as soon as possible whether a serious threat exists. This can be done in cooperation with the corresponding manufacturer.
If this is the case, appropriate measures have to be taken quickly in order to update the affected systems. In this context, it is also advisable to replace the digital certificates and to declare the already existing certificates invalid, even though this may “only” be a precaution. For services to which we do not have access, we have to rely on the respective service provider to restore security as soon as possible. Changing passwords only makes sense after the provider has renewed its certificates.
Take preventive security measures
The use of Open Source, and in this case especially of OpenSSL, shows how a fundamental and critical piece of Internet infrastructure can crumble overnight.
When you look behind the scenes and see how many software engineers actually work full-time on its maintenance and development, it is indeed thought-provoking.
As a manufacturer, we also ask ourselves the question: which is the correct way into the future?
None of Teldat's products deploy the software components mentioned above. Nevertheless, we see it as part of our responsibility towards our partners and clients to keep developing our products continually, and even more intensively.