I talked last week about how the Heartbleed bug was unique in how long it went undiscovered, how many things it affected, and how hard it was to tell if anyone had used it to access data. Today I’d like to talk about what Cradlepoint did to reestablish protections for our customers.
As I said in Part 1: Three Observations, our router devices—like almost every other companies’ devices that are connected to the Internet—were vulnerable to the Heartbleed exploit because we use the OpenSSL encryption. (If you’re going to configure or administer a device remotely over the public internet, you would normally use an SSL connection through your web browser. We use SSL to encrypt management communications between end users and their router devices.)
In order to fix the vulnerability, we had to do a firmware update. We created a new version of our firmware (available here) using the new 1.01G SSL version that closed the open door left by Heartbleed. This page lists the affected Cradlepoint products that will require this new firmware. We encourage all Cradlepoint customers with these products to update their firmware as soon as possible.
The other area we had to address was NetCloud Manager, our cloud-based management platform that customers use to remotely manage their devices in real-time. The OpenSSL on our stream servers had to be updated while the web servers that host NetCloud Manager weren’t affected. This meant username and passwords were not at risk.
Given that we were in the same boat as just about every other company, the best thing we could do was to move as quickly as possible to remove the vulnerability. As I said in Part 1, it took two years for the world to discover Heartbleed. It took Cradlepoint a matter of days to patch it. In fact, after being informed of the bug on April 7, we had our NetCloud Manager servers patched by April 9, and released our firmware updates for our entire line of products by April 14.
To say that we had to reallocate a lot of our internal resources would be an understatement. We had to pull people off things like new product enhancements and version upgrades, and rededicate them to addressing this vulnerability. We wanted to do all we could so that our customers would feel safe and confident in the security of our devices and our management platform.
In the meantime, we had a lot of customers ask, “Does Heartbleed affect us?” In order to answer the question that was on everyone’s lips, we worked with our customers to focus on the settings they were using on their Cradlepoint devices.
In my next post I’ll talk about these settings and how NetCloud Manager enabled customers to quickly eliminate the Heartbleed bug from their Cradlepoint solutions.