Abusing the Internet of Things

(Rick Simeone) #1

many electronics companies have a major supply chain presence there. The Chinese government has also recently issued new regulations requiring foreign companies to reveal source code and build backdoors into software and hardware sold to Chinese banks.

The amount of power that can be exerted by a threat agent who is able to influence the installation of a backdoor into an IoT device is clear—and once the knowledge of their existence is made public, competing attackers and threat agents will seek to leverage these backdoors as well.


The Lurking Heartbleed


Heartbleed is a flaw in the OpenSSL library that can be exploited remotely to gain access to memory on a target device, which may include stored data such as cryptographic keys and user credentials. OpenSSL is a popular library that is used by millions of devices to implement the Transport Layer Security (TLS) protocol to securely encrypt electronic communications.

Heartbleed was announced to developers on April 1, 2014, and at the time of disclosure, about 17 percent of Internet-facing web servers (around half a million) were estimated to be vulnerable to attack. Bruce Schneier, a well-known security expert, described Heartbleed as a “catastrophic” issue given how easily it can be exploited by a remote attacker to steal information.

In addition to workstations, IoT devices such as the Nest Thermostat also use OpenSSL. In recognition of this security issue, Nest released an update for its thermostat product and advised its customers to change their Nest passwords in case they had been compromised (Figure 8-3).

Heartbleed demonstrates the potentially catastrophic nature of a remotely exploitable vulnerability that can suddenly put millions of IoT devices at risk because they utilize common source code that has a bug in it. Another issue to keep in mind here is that IoT devices without the ability to update firmware and client software will remain vulnerable to critical issues such as this for their lifetime, thereby putting the privacy and safety of their consumers in danger.
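The memory disclosure described above came from a single missing length check in OpenSSL's TLS heartbeat handler: the peer states how many payload bytes it sent, and the vulnerable code echoed that many bytes back without comparing the claim against the bytes actually received. The C model below is an added example, not the book's or OpenSSL's code; the record layout is simplified, the 64-byte buffer standing in for process memory and the "SECRET-KEY-MATERIAL" string are constructed, and the function names are assumptions. It shows the vulnerable pattern beside the checked one so the difference is visible in a few lines.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Illustrative model of a TLS heartbeat record (1-byte type, 2-byte big-endian
 * payload length, payload, then at least 16 bytes of padding). Constructed for
 * this demonstration; it is not OpenSSL's code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, BUF_SIZE = 64 };
/* Receiver's memory: the received record followed by unrelated process data
 * (a constructed stand-in for key material or credentials). */
static unsigned char conn_buf[BUF_SIZE], resp_buf[BUF_SIZE];

static void build_request(size_t true_len, uint16_t claimed_len) {
    memset(conn_buf, 0, sizeof conn_buf);
    conn_buf[0] = HB_REQUEST;
    conn_buf[1] = (unsigned char)(claimed_len >> 8);
    conn_buf[2] = (unsigned char)(claimed_len & 0xff);
    memset(conn_buf + 3, 'A', true_len);                /* bytes actually sent */
    memset(conn_buf + 3 + true_len, 'P', HB_PADDING);   /* padding */
    strcpy((char *)conn_buf + 3 + true_len + HB_PADDING, "SECRET-KEY-MATERIAL");
}

/* Vulnerable pattern: trusts the peer-supplied length field and never compares
 * it with record_len, the number of bytes actually received. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                unsigned char *resp, size_t resp_size) {
    (void)record_len;                                   /* the bug: never consulted */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len + 3 > resp_size) return -1;         /* only keeps this model in bounds */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);             /* copies past the real payload */
    return (int)(3 + payload_len);
}

/* Fixed pattern: header + claimed payload + minimum padding must fit inside
 * what was received; otherwise the request is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                           unsigned char *resp, size_t resp_size) {
    if (record_len < 3 + HB_PADDING) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + HB_PADDING > record_len || payload_len + 3 > resp_size) return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    return (int)(3 + payload_len);
}

int main(void) {
    build_request(8, 40);                               /* 8 real bytes, claims 40 */
    int n = heartbeat_vulnerable(conn_buf, 27, resp_buf, sizeof resp_buf);
    printf("vulnerable: echoed %d bytes, tail: %.16s\n", n, (const char *)resp_buf + 27);
    printf("fixed: %d (negative = request dropped)\n", heartbeat_fixed(conn_buf, 27, resp_buf, sizeof resp_buf));
}
```

The vulnerable handler returns 43 bytes of which the last 16 are the neighbouring "secret", while the fixed handler rejects the same record because 3 + 40 + 16 exceeds the 27 bytes that arrived.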


CHAPTER 8: SECURELY ENABLING OUR FUTURE—A CONVERSATION ON UPCOMING ATTACK VECTORS
