Skip to main content
Accessibility Resource Center Skip to main content
Get up to $500 when you bring the phone you love. OR get iPhone 13, on us. Online only. With Select 5G Unlimited plans. Ends 1.31. Buy now
end of navigation menu
Is Verizon's global infrastructure vulnerable to Heartbleed?
glnzglnz
Contributor

  

Is Verizon's FIOS and DSL and global infrastructure vulnerable to Heartbleed?  I mean all the Juniper, Cisco and other devices and switches, and all the routers, and everything that connects every Vz FIOS and DSL customer to everything else - and all the billing and other circuits that connect - EVERYTHING used by Verizon.  Has anyone received a specific answer from Verizon on this?

Verizon - what's going on?  Please don't answer with "We take your security seriously ...."  Is ANYTHING in your infrastructure vulnerable to Heartbleed - YES or NO?

If yes, when will you fix ABSOLUTELY EVERYTHING?  "Working on it" is not the answer.  What's the date?

Then, what should those of us with Vz FIOS or DSL do?

0 Likes
Re: Is Verizon's FIOS and global infrastructure vulnerable to Heartbleed?
smith6612
Super User
Super User

I wouldn't be too worried about the core equipment as far as the Heartbleed vulnerability is concerned, as this issue pertains to equipment that is responsible for making secure connections across networks. ASAs, Firewalls that can act as VPN endpoints, Wireless Access points with tunnelling support, and so on. None the less, providers like Verizon will all have to upgrade affected gear considering the nature of the bug unless they want to put all of their customers at risk.

Externally, Verizon's websites should all be patched as they're hosted through Akamai. auth.verizon.com is not showing as being vulnerable. Internally, that should be all patched but will likely not result in any sort of answer. As for the BHRs on Port 4567? STARTTLS is being a pain to test at the moment with the current tools. Guess your best bet is to look at the source code for them on ActionTec's website to see what's included.

I'd be more worried about the network getting poisoned through BGP attacks 🙂

0 Likes
Re: Is Verizon's FIOS and global infrastructure vulnerable to Heartbleed?
glnzglnz
Contributor

Smith - You are truly the great guru of this and other forums.  My genuflection, as always.

But it would be ... polite ... for Vz to address this issue, don't you think?

If anyone has the ear of the oblivious Vz giant, it's you.  Please ask them to deign to consider the Heartbleed issue and give us a report.

Thanks!

0 Likes
Re: Is Verizon's FIOS and global infrastructure vulnerable to Heartbleed?
smith6612
Super User
Super User

I'll see if I can ask them.

I'm trying to check out the BHRs right now for FiOS and it seems the CWMP port is not playing right with the tools. Hard to say if that means the protocol is not one that is expected or if it's the BHR not being vulnerable.

0 Likes
Re: Is Verizon's FIOS and global infrastructure vulnerable to Heartbleed?
glnzglnz
Contributor

Smith - your technical knolwedge is amazing.  Would you also check the similar what-cha-ma-call-its for DSL?

0 Likes
Re: Is Verizon's FIOS and global infrastructure vulnerable to Heartbleed?
smith6612
Super User
Super User

@glnz wrote:

Smith - your technical knolwedge is amazing.  Would you also check the similar what-cha-ma-call-its for DSL?


I have an ActionTec GT784WNV sitting around here with Firmware v1.1.6 installed I could check. I'll likely find another DSL circuit to connect that gateway to as I have stability issues with it.

0 Likes
Re: Is Verizon's global infrastructure vulnerable to Heartbleed?
Steve01
Newbie

So heres the fun one with all this, did everyone know that their Verizon wireless router WI-FI password can be seen from within your account... so if someone gets your login in creds from the heartbleed bug they got your wifi password too... that is if they didn't get your wifi password when your router updated verizon servers if you changed that. 🙂

0 Likes
Re: Is Verizon's global infrastructure vulnerable to Heartbleed?
smith6612
Super User
Super User

Some credible sources I have within Verizon have stated that the routers are not affected by Heartbleed for both FiOS and DSL. Additionally, the websites are secure. You guys shouldn't have anything to worry about from Verizon at this point.

0 Likes
Re: Is Verizon's global infrastructure vulnerable to Heartbleed?
jumpin68ny
Master

@Steve01 wrote:

So heres the fun one with all this, did everyone know that their Verizon wireless router WI-FI password can be seen from within your account... so if someone gets your login in creds from the heartbleed bug they got your wifi password too... that is if they didn't get your wifi password when your router updated verizon servers if you changed that. 🙂


The wifi password can be seen on the STB's and if you have the My Fios Mobile App it can be seen on that too.

On the STB you can secure the wifi credentials with parental controls password but on the my fios mobile app either sign out of the app or put a password on your phone, I wish I could get rid of that from the app.

0 Likes
Re: Is Verizon's global infrastructure vulnerable to Heartbleed?
Steve01
Newbie
Yeah, that's part of the reason why I have now firewalled off the verizon router and I have a new router that verizon can't get their hands into to provide my wifi. So now the verizon router just passes internet to the STB's for the guide and whatever else they need.
0 Likes