Study Finds No Evidence of Heartbleed Attacks Before the Bug Was Exposed


SAN FRANCISCO — Ever since the Heartbleed bug was exposed last week, the question everyone has been asking is: Did anyone exploit it before a Google researcher first discovered it?

The worry is that in the two years since the bug was accidentally incorporated into OpenSSL — a crucial piece of free security software used by governments and companies like the F.B.I. and Google — attackers could have exploited Heartbleed to take sensitive information like passwords and the virtual keys used to decipher any scrambled information stored on a web server.

What’s more, they could have done so without leaving evidence detectable by the normal methods used to track who has gained access to a server.

But security researchers at the Energy Department’s Lawrence Berkeley National Laboratory, which conducts unclassified scientific research, say that it is still possible to look for past Heartbleed exploitations by measuring the size of any messages sent to the vulnerable part of the OpenSSL code, called the Heartbeat, and the size of the information request that hits a server.

In an attack, the size of the response would be larger than the size of the request. And because the Heartbleed flaw can expose only a small amount of information at one time — 64 kilobytes — an attacker would probably have to use it repeatedly to collect valuable data, producing even longer responses.

For the last week, researchers at the Berkeley National Laboratory and the National Energy Research Scientific Computing Center, a separate supercomputer facility, have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for responses that would indicate a possible Heartbleed attack.

They found none, said Vern Paxson, a network researcher at Berkeley Lab and associate professor of electrical engineering and computer science at the University of California, Berkeley.

The research does not rule out the possibility that Heartbleed was exploited before January. Because the Heartbleed bug was first introduced in March 2012, would-be attackers would still have had 18 months to exploit the flaw. It also does not rule out the possibility that the bug was used in an attack beyond what Berkeley Lab and the National Energy scientific computing center monitor.

The network traffic for both Berkeley Lab and the scientific computing center touch thousands of Internet systems and both facilities had maintained comprehensive logs going back a few months. Mr. Paxson said that if there were widespread scanning for the Heartbleed vulnerability, that would have been picked up by those important Internet hubs.

Finding out if people have been taking advantage of the security flaw took on more urgency last Friday after Bloomberg News, citing two unnamed sources, reported that the National Security Agency knew about and had been exploiting the Heartbleed bug for the last two years. The N.S.A., the White House and the Office of the Director of National Intelligence have all said the Bloomberg report is inaccurate and have denied knowing about the Heartbleed bug before its disclosure this month.

“Reports that N.S.A. or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” a spokeswoman for the National Security Council, Caitlin Hayden, said in a statement.

But security researchers and law enforcement are growing concerned that hackers are trying to exploit the flaw now that it has been public for more than a week. On Tuesday, a 19-year-old man was arrested in Canada on charges that he had used the Heartbleed flaw to steal taxpayer data from the Canada Revenue Agency. The agency reported on Monday that some 900 Canadian Social Security numbers had been compromised.

Meanwhile, four computer scientists at the University of Michigan, Zakir Durumeric, David Adrian, Michael Bailey and J. Alex Halderman, have been monitoring stashes of fake data on the Internet — called honeypots — to see if hackers would try to retrieve them using the Heartbleed bug. It worked.

To date, they’ve witnessed 41 unique groups scanning for and trying to exploit the Heartbleed bug on three honeypots they are maintaining. Of the 41, the majority of those groups — 59 percent — were in China.

But the attacks began only after the Heartbleed bug was discovered on April 8. The computer scientists have also found no evidence of any attacks before the disclosure, and they say it’s impossible to tell if the scans came from real hackers or other security researchers trying to look at the problem.

And last week, CloudFlare, the Internet management company based in San Francisco, challenged programmers all over the world to steal the encryption keys off a vulnerable server using the Heartbleed bug. If an attacker was able to grab those keys, he or she could potentially decipher the encrypted contents stored on a server and unscramble future communications.

It took 11 hours, but two researchers — one in Russia, the other in Finland — were able to do it.

At last count, Monday afternoon, the computer scientists at the University of Michigan found that 1.4 million web servers remain vulnerable to a Heartbleed attack. They are posting lists of vulnerable web and mail servers on their website.