Heartbleed FAQs
By now, just about everyone knows that the Heartbleed security bug stems from a flaw in the widely used OpenSSL cryptographic library and affects approximately two-thirds of all web infrastructure.
What You Need to Know
The only Identiv products affected were two instances of idOnDemand and both were promptly patched. No other Identiv products were affected.
What You Need to Do
Although idOnDemand is not currently vulnerable to exposing any data, we strongly recommend that all passwords be changed as soon as possible.
While Identiv ensures our products are protected, please keep in mind that any site you’ve visited in the past two years that uses OpenSSL could be vulnerable to exposing your personal data. We recommend you take these steps to further secure your digital identity:
- Change your password on any website that hosts your personal information. Only do this once the company has released a statement that its vulnerability has been patched.
- Ensure that you do NOT use the same password on multiple websites.
- Beware of phishing emails — type URLs directly into your web browser instead of clicking on links within emails.
- Always watch your bank account closely for unusual activity.
Identiv is dedicated to keeping you secure and protected. Read the following Heartbleed FAQs to learn more:
What have you done to address the Heartbleed OpenSSL vulnerability?
Identiv’s idOnDemand services use OpenSSL as part of the product infrastructure to create trusted identities. With the discovery of the vulnerability called Heartbleed, some of the idOnDemand instances were discovered to be vulnerable and promptly patched.
I am a customer of the idOnDemand service. What does this mean for me?
In short, Identiv’s idOnDemand instances for all customers in Australia and a single customer in the United States were deemed vulnerable. All of the instances of idOnDemand have been patched. As a customer, if you have not been notified, then your instance is not vulnerable.
In further detail, specific instances of Identiv’s idOnDemand Identity as a Service (IaaS) use OpenSSL 1.01 as part of the library. As such, once the Heartbleed vulnerability was discovered, Identiv performed an extensive search of the code and libraries, and the deployed instances, to determine our level of vulnerability. The result of the discovery was that a few of the servers on which idOnDemand is hosted were exposed to the Heartbleed vulnerability. For each instance affected, an emergency hotfix was deployed and tested. All of the TLS certificates on the affected servers were revoked and new certificates were issued and deployed. All of the administrator passwords on the servers affected were reset after the patch was applied to ensure that no customer data was exposed.
I have been using an emergency password to access my idOnDemand account. What should I do?
As a preventative measure, every account that was using a password has had that password automatically expired. Customers who may have been using a password to access the portal will need to authenticate with strong credentials or contact the idOnDemand support team for assistance.
Was any of my data exposed?
No. At this time, Identiv does not believe that any customer data was exposed. Identiv will monitor the instances, and if it appears that non-authorized users have access to a customer account, the user will be blocked and the customer will be notified.
As a customer, what do I have to do to address this?
Nothing. The idOnDemand instance was patched by Identiv once the vulnerability was discovered and a patch to the base OS was available.