The Heartbleed security vulnerability that was first disclosed in early April has dominated technology security headlines in recent weeks, but that doesn’t mean that all Internet users have actually taken steps to protect themselves. A new study published on April 30 by the Pew Research Center reveals that less than half of the Internet users who were aware of the Heartbleed took steps to protect themselves.
The Heartbleed security flaw was first revealed on April 7 by the open-source OpenSSL project. OpenSSL is an open-source cryptographic library that provides Secure Sockets Layer (SSL) encryption for data in transport. The Heartbleed flaw is technically identified as CVE-2014-0160 and called “TLS heartbeat read overrun” and could enable an attacker to get access to information that is supposed to be encrypted with SSL.
OpenSSL is widely used on servers and embedded devices including mobile phones, giving the Heartbleed vulnerability significant global impact. According to the Pew study of 1,501 American adults surveyed between April 23-27, 64 percent of surveyed Internet users had heard about the Heartbleed flaw.
Of those respondents who were aware of the Heartbleed flaw, only 39 percent actually took steps to protect themselves. Those steps include changing passwords and avoiding potentially vulnerable online services.
Looking deeper into the demographics of those who changed their passwords in response to Heartbleed, Pew found that there was a disparity across income levels. For American households with incomes of less than $30,000, only 33 percent had changed passwords. In contrast, 46 percent of American households earning $75,000 or more changed passwords in response to Heartbleed.
From a risk perspective, only 29 percent of those who were aware of Heartbleed actually believed that their information was somehow at risk from Heartbleed. Only 6 percent noted that they believed that personal information was actually stolen as a result of Heartbleed.
Public reports of actual exploitation from Heartbleed have in fact been somewhat limited. The Canada Revenue Agency (CRA), which is the Canadian equivalent of the U.S. Internal Revenue Service (IRS), reported that it was exploited by Heartbleed, with approximately 900 Canadian taxpayers being impacted.
Security firm FireEye has reported that one of its customers was attacked by Heartbleed by way of virtual private network (VPN) technology. FireEye has also alleged that as many as 150 million Google Android app downloads are at risk from Heartbleed.
Although Heartbleed has been a concern for Internet security, Pew also found that overall, 69 percent of Internet users see their online information as being generally secure.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.