A vulnerability in OpenSSL encryption library that made headlines in 2014 and should have been patched out of existence remains a threat, with approximately 200,000 machines still open to attack.

The bug designated as CVE-2014-0160, popularly known as Heartbleed, allows the attacker to obtain the encryption keys used by a website, decrypt any past and future traffic to the protected services, and to impersonate those services at will.

The number of vulnerable computers was tracked by Shodan, a search engine for Internet-connected devices. According to Shodan, most of the vulnerable machines are located in the US, followed by Korea, China, Germany and France.

Still bleeding

Heartbleed affects OpenSSL, an open source library used by countless websites and applications to secure user data. The vulnerability was was discovered by researchers from Finnish security firm Codenomicon and Neel Mehta from Google Security in April 2014, causing panic among cyber security professionals since attacks that use Heartbleed are virtually impossible to detect.

The original bug was introduced into OpenSSL code as a programming error with version 1.01, which was released publicly in March 2012. OpenSSL version 1.01g, released immediately after the discovery of Heartbleed, removed the error.

Turns out that despite the worldwide patching effort, thousands of servers remain vulnerable to attack.

The offending machines were tracked down by Shodan, a search engine that crawls the Internet looking for open network ports and collecting all of the information available from connected devices.

According to Shodan, the number of unpatched servers doesn’t seem to have gone down in the past two years: it found almost the same number of vulnerable computers in January 2017 as there were in September 2015.

Shodan shows 199,594 networked devices still running an outdated version of OpenSSL, with the US responsible for nearly a quarter of the total, or 42,032. For comparison Korea, a country with the second highest number of unpatched OpenSSL deployments, has just 15,380 vulnerable machines, and despite its size and reliance on Linux, China sits in third place, with 14,116.

The organizations responsible for the majority of vulnerable servers are SK Broadband, Amazon.com and Verizon Wireless, followed by Korea Telecom and Strato, a subsidiary of Deutche Telecom.