HEARTBLEED, the security vulnerability that launched with a logo, is still a thing after all this time and is currently stuck on around 200,000 devices, some of which are in the UK.
This figure comes to us via Graham Cluley and the Shodan search outfit. Shodan specialises in studying the Internet of Things (IoT), and its founder tweeted an image and some numbers that took us right back to the Valentine's Day-type massacre.
FYI: there are still more than 200,000 devices on the Internet vulnerable to Heartbleed pic.twitter.com/fQavZJJmNW — John Matherly (@achillean) September 15, 2015
Cluley said in a blog post that the Shodan search engine is in a position to search devices for technical information, and that this is not the sort of thing you get elsewhere.
He explained that it can be used to pull information from a range of items "whether it be a web server, a webcam, baby monitors, routers, traffic lights, home heating systems or industrial control systems", which would give it an overview of the situation.
We have asked Shodan for more information and are waiting to hear back from the firm. There is a fair whack of detail in the short tweet, though, including the fact that the UK houses about 10,000 Heartbleed threats. The US has the most - it does have a tendency to go bigger and better - and accounts for 57,000 problems.
Cluley suggested that perhaps Shodan is giving attackers a clue as to which parts of the technology community are slow to adapt and terrible at updating, which could expose users.
Seventeen months after it was discovered (and patched), 200k+ devices remain vulnerable to Heartbleed https://t.co/2SRDy7x101 — Virus Bulletin (@virusbtn) September 17, 2015
"If these internet-connected devices haven't been properly secured Shodan may have just helped a malicious attacker identify a potential target," he said.
"However, as with many things in the world of computer security, there's another side of the coin. IT teams can use tools like Shodan to help them check their company's security."
Cluley added that he suspects Heartbleed will long remain a problem because - and this is the short version - some companies are just crap like that.
"Clearly, some manufacturers and IT teams have dropped the ball, and failed to update vulnerable systems," he added. "My bet is that there will always be devices attached to the internet which are vulnerable to Heartbleed."
Cluley is not alone in having a rather dour view of the situation. Tom Court, a cybercrime researcher at Alert Logic, said that, while users might be expected to be ignorant of the need to update, the same should not be said of technology companies.
"Ignorance of the security problem by end users must be expected and the end user cannot be blamed. IT security is a complicated field and should be addressed by IT professionals," he said.
"The onus is therefore on the manufacturers of IoT devices to assume a vulnerability will be found in their device and to think ahead as to how their devices will be updated."
Shodan reported that 200,000 devices were vulnerable in April this year. The UK has lost a chunk of its problems in the intervening months, while the US has gained some. µ