If you thought changing a few passwords would be enough to defeat the Heartbleed vulnerability — think again. The security bug also appears to affect networking hardware made by one of the world's largest manufacturers, Cisco.
Over a dozen Cisco products or services are thought to be vulnerable to Heartbleed, the company confirmed Thursday. The list includes videoconferencing products and a mobile client for Apple's iOS, among others. In addition, the Wall Street Journal reported Thursday that the Heartbleed bug extends to products made by Juniper Networks.
Because of the ubiquity of these manufacturers' equipment, particularly among businesses, it appears the threat posed by Heartbleed isn't diminishing anytime soon. Addressing the vulnerability will likely require replacing the bad hardware altogether — a potentially costly and laborious process, security analyst Bruce Schneier told the Wall Street Journal. Even then, many of the available models likely went to market before Heartbleed had ever been discovered, so those may also be unpatched.
As many as 65 other Cisco products are being investigated for evidence of the bug, the company said.
The vulnerability resides in OpenSSL, an open-source implementation of the SSL/TLS encryption protocols that many businesses use to protect sensitive information such as usernames and passwords. For many consumers, Heartbleed means their credentials are at risk of being stolen. Google, Yahoo, Facebook and other tech companies scrambled this week to patch their services. If you're a customer of one of these companies and you haven't changed your passwords, do it now.
Unfortunately, the fact that major networking companies have also succumbed to the flaw suggests that we have a bigger problem on our hands than a few new passwords can fix.