It's important to remember one particular detail about the Heartbleed bug: This bit of digital nastiness is not limited to websites. Heartbleed can also affect the equipment we connect to our networks, such as Network Attached Storage (NAS) devices, routers, and access points.
As we've previously explained, Heartbleed is the name of a bug in OpenSSL which leaks information in the computer's memory. But many networking devices are just as vulnerable to Heartbleed as websites since they use OpenSSL for software encryption.
OpenSSL allows websites and Internet applications such as email and VPN to make secure Internet connections via TLS and SSL protocols. It is used widely in servers. In fact, one of my colleagues, Fahmida Y. Rashid, discovered the bug was easy to exploit on a server running a vulnerable version of OpenSSL.
Of course, many NASes and routers use OpenSSL, often to secure remote connections back to the device from external networks. However, not all network device manufacturers use this open source code; some opt instead for other SSL implementations.
So, how do you know what your equipment has installed and if it's safe? To help you, we've compiled this list of major brand networking devices to find out which ones are vulnerable to Heartbleed, and what you should do, right now! The list is broken down into NAS devices, routers, and also a small section on SMB networking, which includes manufacturers that primarily make other networking devices besides routers and NASes, for small business and prosumer users.
Take a look to ensure your network devices are plugged up against Heartbleed, and for help on what you can do if they aren't.
Network Attached Storage (NAS)
Apple: Apple has released an update for 802.11ac enabled AirPort Extreme and AirPort Time Capsule base stations that provides a fix for the recent OpenSSL vulnerability. This is the statement on the vulnerability which Apple sent us:
The firmware update provides a fix for the recent OpenSSL vulnerability for the latest generation of 802.11ac enabled AirPort Extreme and AirPort Time Capsule base stations (June 2013). This vulnerability only impacts recent AirPort devices that have the Back to My Mac feature enabled. Customers with previous generation AirPort Extreme and AirPort Time Capsules do not need to update their base stations.
Buffalo Technology: Buffalo's line of LinkStation NASes should be updated to the latest firmware. This is fairly easy to do, as per a statement from Buffalo: The LinkStation more aggressively will tell you when you log in or via NasNavigator software on a PC or Mac that an update is available. Users need to log in to their device and simply press the 'Update Now' button. At that point, the LinkStation will download the update and apply itself automatically.
D-Link: D-Link storage devices, which include its NASes and Network Video Recording (NVR) devices, are listed on the company's website as "under investigation" for Heartbleed. D-Link advises disabling Remote Management on its NASes, and ensuring you have strong passwords assigned to the administrator account of NASes and the wireless networks to which they are connected.
Iomega: Iomega has been acquired by LenovoEMC. The LenovoEMC Community page reveals that Heartbleed affects its px4-400r and the Iomega StorCenter px4-300d Network Storage NAS devices. No other LenovoEMC or Lenovo network storage products are affected. Currently, the company is working on a fix for the two vulnerable NASes. If you own either of these NASes, check for updates here.
LenovoEMC advises customers to practice safe networking by protecting their network with a firewall, enabling security on the NAS, and also frequently changing the admin password. Also, you should use strong passwords, always log out of the device's management interface, and restrict access to the management interface to trusted users only.
QNAP: QNAP NASes use a management interface called QTS. The operating systems vulnerable to Heartbleed are QTS versions 4.0 and 4.1. QTS versions 3.8 and earlier use a different version of OpenSSL and are not affected by the OpenSSL Heartbleed bug. Update vulnerable QTS versions to QTS 4.0.7 and QTS 4.1.0 RC2.
Synology: Synology NASes use the DiskStation Manager (DSM) as management software. The company has released DSM 5.0, to which customers should upgrade. The company also advises:
DSM 4.3 users are advised to update their systems to DSM 5.0. If users want to stay in DSM 4.3, patch will be ready by the end of April. DSM 4.1 users are advised to upgrade their systems to DSM 4.2, while patch for DSM 4.2 will be delivered in one week. DSM 4.0 and previous versions are not affected. MyDS Centre servers have been patched and are safe to use. However, MyDS Centre users are strongly suggested to change MyDS password to ensure the safety of their personal information.
Western Digital: Western Digital has confirmed that its NASes affected by Heartbleed are My Cloud, My Cloud Mirror, My Cloud EX2, and My Cloud EX4; in other words, all of Western Digital's My Cloud products. The company has updated firmware for all of the above save for the Mirror, which is still waiting for a patch. In the case of the latter, WD advises users to disable remote access as a temporary workaround.
WD has confirmed that its servers which enable remote access to these My Cloud products are not vulnerable. The company is also finishing up an automated security certificate process for My Cloud drives that may have been compromised and urges customers to contact its support for more information.
Netgear: Netgear has taken steps to prevent compromise by the Heartbleed bug with its NAS products by releasing new firmware. Customers are advised to update ReadyNAS products to the latest firmware 6.1.7, which is posted and available for download from the Netgear support site. Older versions of ReadyNAS products use an older version of OpenSSL and are not affected. The company recommends upgrading firmware for its RN102/RN103 Series; the RN312/314 Series; RN516 Series; RN716 Series; RN322; and RN4220.
Routers
Apple: Apple has confirmed that an update was released for 802.11ac enabled AirPort Extreme and AirPort Time Capsule base stations that provides a fix for the recent OpenSSL vulnerability. More information on the update is available on Apple's site.
Belkin: Belkin confirmed its routers are not impacted by Heartbleed.
Buffalo: Buffalo encourages users to update to the latest firmware with any of its AirStation routers to thwart any Heartbleed security compromises. Buffalo sent this statement to us: The AirStation has a UI section for users to check for updates, and if they're available, they will allow the user to select it and apply it. There is also an automated check which does this once a day. In that case, it is just a UI notification.
Cisco: Cisco Linksys-branded routers, like all Linksys routers, are not affected by Heartbleed.
D-Link: D-Link routers, including its line of "DIR-*" routers, are not affected if they are at the latest firmware, according to charts on the company's site. Additionally, the current firmware for D-Link's broadband modem combination routers, business VPN routers, and access points is not affected. Nor are consumer and business extenders, bridges, and repeaters, provided they are at the latest firmware level. D-Link still advises customers to disable the Remote Management feature on its networking products, secure wireless passwords, and frequently update administrator passwords.
Linksys: No Linksys routers are affected, the company said in a statement on its website.
Netgear: Netgear routers and switches do not use the OpenSSL version that is vulnerable to the Heartbleed bug.
TP-Link: TP-Link advises all customers to update their hardware's firmware immediately by downloading the latest upgrade. The company further advises users to change the default admin name and password, not to save the username and password to your device in your web browser, and to change any default wireless passwords that may have been configured when you first bought your device. Also, you should not enable remote management if you don't really need it, and you should install antivirus software on your systems.
Trendnet: From Trendnet's website: "No current Trendnet products are vulnerable to the Heartbleed Vulnerability and no action is required by Trendnet customers."
Western Digital: WD has confirmed that none of its routers are affected by Heartbleed.
Zyxel: Zyxel confirmed its products are not affected.
SMB networking equipment
Array Networks: The company announced that its products are not exposed to the OpenSSL Heartbleed vulnerability. Array is unaffected because the company uses a proprietary SSL stack to process SSL, TLS, and DTLS service traffic.
Cisco: Cisco has a number of SMB products affected by the Heartbleed vulnerability, including the Cisco MS200X Ethernet Access Switch and a host of its TelePresence products. You can check the full list and remediation procedures on Cisco's site.
SMBs using the Cisco RV110W Wireless-N VPN Firewall don't have to worry, as the company states that device is not affected by the vulnerability.
We sent requests to other networking companies about Heartbleed affecting any of their products, but have yet to hear back. We will update this piece if and when we do. Even if you do not see the manufacturer of your equipment listed here, you can check out this free Heartbleed scanner from CrowdStrike. The company claims the scanner can check Intranet SSL websites, OpenSSL VPNs, secure FTP servers, databases, secure SMTP/POP/IMAP email servers, routers, printers, and IP phones for the vulnerability.
For more advice on Heartbleed in general, check out our in-depth guide to what action you should take.