That’s a really great observation and a very good question.
My take is that it really depends on a number of factors, and I’ll try to review what I think are the relevant ones. I don’t think it’s something that poses an imminent threat.
Become a Patron of Ask Leo! and go ad-free!
It’s not about accessing websites
SSL on your router is not involved when you access sites on the web, whether they be SSL or not.
In fact, SSL on the router is really used for only one thing in most cases. When you access the router’s configuration pages, that access is typically via an https connection to the router. For example, I might manage my router by connecting to https://192.168.1.1.
That’s “https” which means SSL; which means that SSL code of some sort is involved. If your router includes the required acknowledgements1 for OpenSSL, then it’s likely that it’s using OpenSSL for its SSL support.
Only specific versions of OpenSSL are affected
But as is turns out, that’s not quite enough knowledge. Not all versions of OpenSSL were in fact affected by Heartbleed. From the Heartbleed.com page, we can see that open SSL 1.0.1 through 1.0.1f, inclusive, are vulnerable. All the other versions, both earlier and later, appear not to be.
So, one way to determine whether or not this even applies to you is to see if you can determine the specific version of OpenSSL that’s on your router. That might be included in the About, Credits or Acknowledgements, or some other information provided with your router.
Of course, if you can’t tell, then the safest thing to do is to assume the worst.
Secure from external access
Step one, of course, is to make sure that your router’s configuration cannot be accessed from the internet. This is typically an option in the router configuration, and it should be turned off in general as a recommended security precaution anyway.
Now, unfortunately, how your router behaves when this function is turned off actually makes a difference.
Look up the instructions for accessing your router’s configuration from its internet side. It typically involves an https connection to your internet IP address, followed by a colon and a specific port number. Try it. If it can’t connect at all, that’s good.
On the other hand, if it connects – even if only to display an error page of some sort, that could be bad. And I’m not talking about a certificate error; I’m talking about something like a “You can’t access this” kind of error. That implies that even with the feature turned off, an SSL connection can in fact be established from the internet side. You can’t log in to do anything, but you can establish an internet connection using SSL to find that out.
That, unfortunately, exposes your router’s SSL abilities, including – perhaps – the Heartbleed bug to the internet.
If your router keeps SSL exposed on the internet, then it’s possible that it could be probed by bots and the vulnerability discovered. I’m not aware of any such bots, but in the worst-case scenario, that might allow hackers to take over your router and configure it to their purposes. I still have a difficult time conceiving exactly how that would happen, but we have to assume that it could. We just don’t know what other random data might be getting exposed as part of the Heartbleed bug.
Securing for internal access
Of course, you need the https connection on the inside to keep working. That’s the Local Area Network that your computers are connected to. That needs to continue to work so that you can continue to maintain and configure your router.
So, if the router is vulnerable to the Heartbleed bug, will it remain vulnerable to breaches that originate from within your own local network or from your machines?
It would look something like this: somehow you get malware on one of your machines. This malware is somehow tailored to look for the Heartbleed vulnerability in routers. If it determines that yours is vulnerable, then it can do whatever it wants to the router. Perhaps it configures it so that a remote hacker can reconfigure it.
Now, all of this is predicated on you getting malware on your machine. So, don’t do that! Malware is bad for any number of reasons, and this is just one more. In fact, it isn’t even the most important reason.
Stay calm and secure on
My advice is just to make sure your router is secure and in particular, turn off the remote internet configuration access. Then keep your machines free of malware. In other words, do what you probably have been doing. Don’t sweat this for now.
On the other hand, if for whatever reason this concerns you anyway, then check with the router manufacturer for any specifics on the Heartbleed vulnerability for your specific model and then consider upgrading the router’s firmware if they offer one with a fix. If they don’t offer a fix, and it’s vulnerable, then you basically have two choices.
Again, go back to “don’t sweat it for now”, or replace the router.
I’m not rushing out to replace any routers.
I’m not sure that I understand completely. “Step one, of course, is to make sure that your router’s configuration cannot be accessed from the internet. This is typically an option in the router configuration, and it should be turned off in general as a recommended security precaution anyway.”
If it’s turned off then how am I going to change any router configurations in the future if I need to make any changes?
You change it from inside, on your intranet, not from outside on the internet.
Leo: I just reread your two reports:
a) How do I change my router’s password?
b) How do I secure my router?
Question #1 You state: “Step one, of course, is to make sure that your router’s configuration cannot be accessed from the internet. ” Is this accomplished by “disabling remote access?” If not then how do you accomplish your above statement?
Question #2 From one of those two reports: “You access your router’s settings by entering its IP address in the address bar of your browser” That sure sounds like your accessing your router’s configuration from the internet. If you disable that method then how do you access the configuration page from the “inside”?
1. Yes, disable remote access means not allowing internet access to your router.
2. That router IP number can’t be accessed via the internet. It is an internal network IP address which is assigned to the router by itself. It is usually in the range of 192.168.x.x.
You access your router from the local lan that has your computers on it, not the internet.
This was a tricky issue for the uninitiated, which includes me to an extent. Apparently, some folks are not immediately noticing the distinction between locally accessing their router from inside their network (using the appropriate variant of the 192.168.x.x IP address), and remote access from “the other side,” meaning from somewhere on the Internet.
Here’s a short funny story. As I was reading articles about checking a router’s SSL version, one method recommended using a Telnet connection. That’s not the part that surprised me, though. Imagine my surprise as I discovered my router — maybe MOST consumer class routers — runs Linux. I had no clue they ran that way. No wonder they’re so stable. Imagine if they ran a version of Windows, which would probably require a reboot at least once or twice each week.