Heartbleed and Home Routers

There’s been a lot of talk lately about the Heartbleed bug, which affects systems that depend on the OpenSSL library. This bug could allow unauthorized people to read data they shouldn’t from a supposedly secure and encrypted connection. Because of this bug, many websites that depended on OpenSSL to manage their secure SSL connections were closed down while the problem was being fixed.

(BTW, if you have no background in computers and want to understand the Heartbleed bug in about 15 seconds, it’s all explained here.)

Many routers have OpenSSL embedded in them, and are therefore potentially vulnerable. Most of these routers are used in large server installations and aren’t really a problem for the home user. A good place to start checking whether a particular router is vulnerable is here.

But what about home routers? Tripwire has a very good guide for diagnosing and dealing with Heartbleed on home networking equipment. It is worth doing a little digging on the internet to see if your equipment is vulnerable.
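One quick, non-intrusive check you can do yourself is to look at what your router’s HTTPS admin interface says in its TLS ServerHello. Heartbleed lives in the TLS heartbeat extension (extension id 15, RFC 6520), so a server that never advertises that extension cannot be affected, while one that does merely has heartbeat compiled in and still needs its OpenSSL version checked (only 1.0.1 through 1.0.1f are affected). The parser below is an added example, not code from this post or from the Tripwire guide; the ServerHello it examines is constructed inline for demonstration rather than captured from a real device.

```python
import struct

# TLS constants (RFC 5246 record/handshake framing, RFC 6520 heartbeat)
TLS_HANDSHAKE = 0x16
SERVER_HELLO = 0x02
HEARTBEAT_EXTENSION_TYPE = 0x000F


def parse_server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return a dict of
    {extension_type: extension_data}. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    pos = 2 + 32                      # skip server_version and random
    if len(hello) < pos + 1:
        raise ValueError("ServerHello too short")
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    pos += 2 + 1                      # skip cipher_suite and compression_method
    if pos > len(hello):
        raise ValueError("ServerHello too short")
    if pos == len(hello):
        return {}                     # no extensions block at all
    if len(hello) < pos + 2:
        raise ValueError("bad extensions length field")
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extensions length does not match message")

    extensions = {}
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension body")
        extensions[etype] = hello[pos:pos + elen]
        pos += elen
    return extensions


def advertises_heartbeat(record: bytes) -> bool:
    """True if the ServerHello offers the heartbeat extension (id 15).
    False means Heartbleed cannot apply; True means 'check the OpenSSL version'."""
    return HEARTBEAT_EXTENSION_TYPE in parse_server_hello_extensions(record)


def build_sample_server_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (demonstration data only,
    not a capture from any real router)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03"              # server_version: TLS 1.2
             + bytes(32)              # random: zeroed for the sample
             + b"\x00"                # session_id_length: 0
             + b"\xc0\x2f"            # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
             + b"\x00")               # compression_method: null
    if extensions:
        hello += struct.pack("!H", len(ext_body)) + ext_body
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples: one server offering renegotiation_info + heartbeat, one offering nothing.
    with_hb = build_sample_server_hello([(0xFF01, b"\x00"), (HEARTBEAT_EXTENSION_TYPE, b"\x01")])
    without_hb = build_sample_server_hello([])
    print("sample A advertises heartbeat:", advertises_heartbeat(with_hb))
    print("sample B advertises heartbeat:", advertises_heartbeat(without_hb))
```

To run this against a real device, feed `advertises_heartbeat()` the first handshake record your router returns, for example from a packet capture of the admin login page; `openssl s_client -tlsextdebug` will also print any server extensions it receives, so you can confirm by eye whether "heartbeat (id=15)" is among them.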

And what if it is? Well, for most people the answer is that it really doesn’t matter. Why? Well, think about it. What’s OpenSSL doing on a router in the first place? It’s there to be an endpoint for secure communication to and from the router. For instance, if you’ve enabled Remote Administration on your router and want to access it securely over an SSL connection, the SSL implementation on the router would be used. If that implementation happens to be a vulnerable version of OpenSSL then you have a problem.

However, if you have Remote Administration enabled on your router, you’ve already exposed yourself to more security issues than you’d care to admit. So having a vulnerable OpenSSL running is sort of like jumping over a bus on your motorcycle while not wearing a helmet. No helmet is generally considered pretty dangerous, but it kind of doesn’t matter when doing something so much more dangerous. Likewise, enabling Remote Administration is so dangerous that adding a little extra vulnerability isn’t going to really matter.