TIME Security

Heartbleeding Out: Internet Security Bug Even Worse Than First Believed

Warnings from Cisco and Juniper suggest the encryption bug is much more widespread—and potentially catastrophic—than initially thought as the networking companies check the vulnerability of their browsers

The Heartbleed Internet security bug is shaping up to be worse than researchers first realized, possibly compromising routers and other networking infrastructure for a variety of companies.

Cisco, one of the world’s top networking equipment manufacturers, confirmed Thursday that it’s investigating dozens of its routers and video teleconferencing devices and software for the Heartbleed vulnerability. Juniper Networks, another top networking company, has also alerted clients some of its equipment has been compromised by Heartbleed. A message posted to Juniper’s service website Friday said many of its systems would be offline through Saturday while the company performs maintenance.

Cisco and Juniper have warned that detecting and closing the Heartbleed vulnerability in their equipment won’t happen overnight, leaving the companies’ clients in a state of anxious limbo as they work to determine if any of their data has been compromised.

The Heartbleed vulnerability takes advantage of a flaw in OpenSSL, a free encryption protocol used by thousands of websites around the world to protect visitors’ sensitive data, such as usernames and passwords. Heartbleed essentially lets hackers get an undetectable look at the data transmitted between a user and a server after it’s been decrypted.

Heartbleed was introduced to OpenSSL about two years ago, but only became public knowledge this week. That disclosure forced many companies to scramble to patch their code before hackers could take advantage of the flaw. Many experts first believed Heartbleed’s impact might be limited to web servers, but Cisco’s and Juniper’s announcements suggest the bug is much more widespread—and potentially catastrophic—than initially thought.

The Department of Homeland Security said Friday that public-facing federal websites aren’t affected by the Heartbleed vulnerability. The government is also “continuing to coordinate across agencies” to keep federal websites protected from the bug, DHS said.

Your browser, Internet Explorer 8 or below, is out of date. It has known security flaws and may not display all features of this and other websites.

Learn how to update your browser