OpenSSL “Heartbleed” vulnerability highly likely to impact smartphone users
A number of web sites have been quietly patching their servers, while others have been noting that the flaw does not affect their services. The good news is that a lot of enterprise-level services, along with Apple, BlackBerry, and Microsoft, are not affected by Heartbleed: Apple and Microsoft ship their own TLS stacks rather than OpenSSL, and BlackBerry has stated that its smartphones and enterprise servers are not affected.
The bad news is that services like Yahoo! and tech sites like Ars Technica were affected by it. Both have since patched their servers, so if you have not already, now is probably a good time to change your password for any services you use there (changing a password before a site is patched does not help, since the new one can be captured the same way as the old). If you have not been following the story closely, you should know that a fixed release, OpenSSL 1.0.1g, was published on April 7, 2014, and the bug is tracked as CVE-2014-0160, but no one is sugar-coating this development: Heartbleed is catastrophic.
Even Google was touched by it. Android 4.1.1 shipped with a vulnerable OpenSSL and the TLS "heartbeat" extension enabled; according to Google, other Android releases are not affected, either because they predate the vulnerable code or because heartbeats are disabled in their builds. What about the rest of the mobile landscape? How deep might the impact be? We as mobile users have a lot to be concerned about, and we need to be diligent, because the server-side fix is totally out of our hands.
What we know
Here is what we know: any one of us who has ever downloaded an app from the App Store, Google Play, Windows Store, et al. may be at risk. If any of the apps you use connect over TLS to a server that stores and reconciles your data, and that server runs OpenSSL 1.0.1 through 1.0.1f, the Heartbleed vulnerability has been in the picture since OpenSSL 1.0.1 shipped in March 2012, roughly the last two years.
What we don't know
What we do not know is which specific applications might have been compromised on the server side and whether any data was stolen as a result. That data could be usernames and passwords, bank account details, session cookies, the server's private TLS key, or even VoIP calls placed through a messaging app. Heartbleed was a "sky's the limit" hole: a single malformed heartbeat request, a few dozen bytes long, makes the server answer with up to 64 KB of whatever happens to sit in its process memory, the request can be repeated as often as the attacker likes, and nothing about it is written to the server's logs.
What is also completely unknown is how big this issue will end up being in the mobile space. There are far more mobile users than in the traditional computer space, and there is little-to-no information being disseminated that brings the necessary "consumer" awareness to the issue. Heartbleed is not an OS issue, or even a browser issue; it is a fault in one widely used implementation of the security layer over which just about everyone conducts business on the internet.
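As an added illustration, not code from this article or from OpenSSL itself, the following C program reproduces the shape of the bug described above: a heartbeat handler that trusts the peer's claimed payload length, beside the same handler with the bounds check that OpenSSL 1.0.1g added. The "heap" arena, the secret string and the request bytes are constructed sample data, and the handlers follow the logic of the real code without using OpenSSL's types.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (at least 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef struct {
    const unsigned char *data;  /* decrypted heartbeat record as it arrived */
    size_t length;              /* bytes actually received in this record */
} tls_record;

/* Simplified heartbeat handler. With bounds_check == 0 it behaves like OpenSSL
 * 1.0.1 to 1.0.1f: it trusts the peer-supplied payload_length and memcpy()s that
 * many bytes out of the record buffer, even past what was received. With
 * bounds_check == 1 it applies the 1.0.1g fix and drops oversized requests.
 * Returns the number of response bytes written to out, or -1 if no reply is sent. */
static long heartbeat(const tls_record *rec, unsigned char *out, size_t out_cap, int bounds_check)
{
    const unsigned char *p = rec->data;
    if (rec->length < 3 || p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);   /* attacker-controlled, up to 65535 */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (bounds_check && resp_len > rec->length) return -1; /* the fix: claim must fit the record */
    if (resp_len > out_cap) return -1;                     /* only protects this demo's out buffer */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p + 3, payload);                       /* BUG when unchecked: over-reads the heap */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)resp_len;
}

long heartbeat_vulnerable(const tls_record *rec, unsigned char *out, size_t cap) { return heartbeat(rec, out, cap, 0); }
long heartbeat_fixed(const tls_record *rec, unsigned char *out, size_t cap)      { return heartbeat(rec, out, cap, 1); }

/* Constructed stand-in for the server's heap: a 4-byte request that claims a 64-byte
 * payload but carries one byte, immediately followed by data a peer must never see.
 * The arena is sized so that the demo's over-read stays inside it. */
static const char SECRET[] = "session=admin:s3cr3t";   /* constructed sample value */

static void build_arena(unsigned char *arena, size_t cap, tls_record *rec)
{
    memset(arena, '.', cap);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;                  /* payload_length = 64 */
    arena[3] = 'A';                                    /* the single payload byte actually sent */
    memcpy(arena + 4, SECRET, sizeof SECRET - 1);      /* neighbouring heap contents */
    rec->data = arena;
    rec->length = 4;                                   /* the server only received 4 bytes */
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's response carries SECRET, else 0. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[128], out[256];
    tls_record rec;
    build_arena(arena, sizeof arena, &rec);
    long n = heartbeat_vulnerable(&rec, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* Return value of the fixed handler on the same oversized request (-1 = dropped). */
long fixed_drops_oversized(void)
{
    unsigned char arena[128], out[256];
    tls_record rec;
    build_arena(arena, sizeof arena, &rec);
    return heartbeat_fixed(&rec, out, sizeof out);
}

/* Return value of the fixed handler on a well-formed 1-byte heartbeat (20 = answered). */
long fixed_answers_valid(void)
{
    unsigned char req[20] = { HB_REQUEST, 0x00, 0x01, 'A' };  /* remaining bytes are padding */
    unsigned char out[256];
    tls_record rec = { req, sizeof req };
    return heartbeat_fixed(&rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, oversized request: %ld\n", fixed_drops_oversized());
    printf("fixed handler, valid request: %ld\n", fixed_answers_valid());
    return 0;
}
```

The only difference between the two paths is one comparison of the claimed length against the received record length; that is why the real fix was a two-line patch, and why the attack leaves no trace: a dropped or answered heartbeat is not something a server logs, and the over-read itself does not crash anything.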
Trend Micro conducted a scan of nearly 400,000 apps in Google Play. About 7,000 apps, including 15 banking apps, 39 online payment apps, and 10 online shopping apps, were connecting to vulnerable servers. Sure, you could say that is less than 2%, but what a 2% it could be. Banks like Bank of America, USAA and Citi all had to reissue their security certificates, because a server's private key is among the things the hole could leak.
The worst part of all this is that there is nothing you can do to fix the problem, short of not using online banking or making internet purchases. Until the services you use have said they have patched the issue on their end and reissued their certificates, you might want to contact them to be sure, or hold off on using the service for a while.
See the reference link below to check whether one of the sites you visit was affected by Heartbleed. For the services that have fixed the vulnerability, a change of password is all it should take. Until then...
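For readers who run a server, or simply want to understand what the checkers above are looking at, here is an added example (not code from the article or from the LastPass tool) with the two triage tests an administrator can apply: the first classifies the banner printed by `openssl version`, the second decides from the line printed by `openssl x509 -noout -startdate` whether a site's certificate was issued after the disclosure date. The banners and dates in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Classify an `openssl version` banner such as "OpenSSL 1.0.1e 11 Feb 2013".
 * Affected releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
 * Returns 1 = vulnerable, 0 = not vulnerable, -1 = banner not understood. */
int openssl_version_vulnerable(const char *banner)
{
    int major, minor, patch;
    char suffix[16] = "";   /* letter or "-betaN"; stays empty for a bare "1.0.1" */
    if (sscanf(banner, "OpenSSL %d.%d.%d%15[-a-z0-9]", &major, &minor, &patch, suffix) < 3)
        return -1;
    if (major != 1 || minor != 0) return 0;        /* 0.9.8 and 1.1.x never had the heartbeat bug */
    if (patch == 1) {
        char c = suffix[0];
        if (c == '\0' || c == '-') return 1;       /* plain 1.0.1 (possibly with -fips) */
        if (c >= 'a' && c <= 'z') return c <= 'f'; /* 1.0.1a..f vulnerable, 1.0.1g and later fixed */
        return -1;
    }
    if (patch == 2) return strncmp(suffix, "-beta1", 6) == 0;  /* fixed in 1.0.2-beta2 */
    return 0;
}

/* Month abbreviation as printed by `openssl x509 -startdate` -> 1..12, or 0 if unknown. */
static int month_num(const char *m)
{
    static const char names[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    for (int i = 0; i < 12; i++)
        if (strncmp(names + 3 * i, m, 3) == 0) return i + 1;
    return 0;
}

/* Given "notBefore=Apr 10 12:00:00 2014 GMT" (the `openssl x509 -noout -startdate`
 * output), report whether the certificate was issued on or after the disclosure
 * date, 7 Apr 2014. 1 = reissued since the fix, 0 = predates it (the private key may
 * have been read out while the server was vulnerable), -1 = line not understood.
 * Issue date is only a heuristic: a cert reissued after the fix does not prove the
 * key was changed, and one issued on 7 Apr could still predate the patch. */
int cert_reissued_after_heartbleed(const char *startdate_line)
{
    char mon[4];
    int day, hh, mm, ss, year;
    if (sscanf(startdate_line, "notBefore=%3s %d %d:%d:%d %d", mon, &day, &hh, &mm, &ss, &year) != 6)
        return -1;
    int m = month_num(mon);
    if (m == 0) return -1;
    long issued = year * 10000L + m * 100 + day;   /* YYYYMMDD for a plain integer compare */
    return issued >= 20140407L;
}

int main(void)
{
    /* constructed samples, not captured from any real host */
    const char *banners[] = { "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                              "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013" };
    for (int i = 0; i < 4; i++)
        printf("%-34s -> %d\n", banners[i], openssl_version_vulnerable(banners[i]));
    printf("cert from Jan 2013 reissued? %d\n", cert_reissued_after_heartbleed("notBefore=Jan  5 00:00:00 2013 GMT"));
    printf("cert from Apr 10 2014 reissued? %d\n", cert_reissued_after_heartbleed("notBefore=Apr 10 12:00:00 2014 GMT"));
    return 0;
}
```

One caveat that bit many people in April 2014: distributions such as Debian and Red Hat backported the fix while keeping the "1.0.1e" version string, so a version banner can read as vulnerable on a server that is actually patched. The definitive test is behavioural, namely whether the server still answers a heartbeat whose claimed payload is larger than the record it arrived in, which is what the public checkers did.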
sources: Forbes and TrendMicro
reference: LastPass Heartbleed Checker
UPDATE: There is clearly some confusion about what this Heartbleed issue is. In the Open Systems Interconnection (OSI) model, there are seven layers that together describe how a communication system like the internet functions.
The first is the "physical layer": the wires in the ground, the radios on the tower, the switchgear in the closet. Your router's ports and antennas are part of the physical layer.
Next is the "data link layer", which carries frames between directly connected nodes (your Wi-Fi or Ethernet link). Then there is the "network layer" (IP, and with it IP addresses), which routes packets between networks so that any two hosts are able to communicate.
The "transport layer" (TCP) delivers the actual data bytes reliably between two endpoints. TLS, the protocol that OpenSSL implements, runs on top of TCP and underneath the application; in OSI terms it occupies the session and presentation layers, and in the TCP/IP model it is simply part of the application layer. Heartbleed is a bug in OpenSSL's implementation of one TLS extension (heartbeat), not in TCP, the operating system or the browser. This is why it did not matter what browser you were using, what operating system you were on, or whether you were using a PC or a smartphone: the vulnerable code was running on the server you connected to.
Above the transport layer are the session, presentation and, finally, application layers (HTTP lives in the last). It should now be clear that if the server on the other end of an app you are using has not been patched, you should consider the data exchanged with it compromised. The reverse also holds: a device that itself runs a vulnerable OpenSSL, such as Android 4.1.1, can be attacked by a malicious server it connects to. The TCP/IP model, known as the internet protocol suite, has four layers, with the transport layer defined the same way.
1. Johnnokia (Posts: 516; Member since: 27 May 2012)
Except for BlackBerry that scores Zero vulnerability
2. Maxwell.R (Posts: 169; Member since: 20 Sep 2012)
If you re-read the article, you will understand this is a transport layer vulnerability, not an OS issue. If you use a service that has not updated its certificates, you could be using a BlackBerry, a blackphone, or cans-on-a-string, the problem is still there.
3. Johnnokia (Posts: 516; Member since: 27 May 2012)
This is what BlackBerry addressed:
"BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue"
BlackBerry Enterprise Service 10
BlackBerry Enterprise Server 5
BlackBerry Universal Device Server
BlackBerry® 10 OS
BlackBerry® 7.1 OS and earlier
BBM for BlackBerry smartphones
So, BlackBerry smartphones are NOT affected by this issue.
6. Maxwell.R (Posts: 169; Member since: 20 Sep 2012)
Completely not related to where the Heartbleed vulnerability resided. If an app you are using on a BB is establishing secure sessions with a server that has not been patched, the data is at risk. It is not an OS or BES issue.
4. GadgetsMcGoo (Posts: 163; Member since: 15 Mar 2013)
It's the software that is using the "OpenSSL" implementation of the SSL standard that has been affected. If you are using another implementation, then you are not likely to be affected.
11. lllIIIlllIIl (banned) (Posts: 48; Member since: 11 Apr 2014)
Wrong. Apple and its iOS platform are not vulnerable. The only things that are vulnerable are emails and passwords. This article is poorly written compared to the others I have seen.
5. taz89 (Posts: 2014; Member since: 03 May 2011)
Didn't Google say that "only" Android 4.1.1 is affected and the rest are not? Let's hope no one knew about this effed up security hole and everyone updates its TLS and certification ASAP.
7. sprockkets (Posts: 1160; Member since: 16 Jan 2012)
FYI I checked the changelogs of CM for my Nexus 7 2013. On Apr 6, they patched the SSL library.
However, as far as I can tell, the vulnerability is server side, where it can read the keys in memory. Not sure if doing it on the device will mean anything, but there it is.
12. Droid_X_Doug (Posts: 5750; Member since: 22 Dec 2010)
If the vulnerability is server-side, how does the client (end user device) become vulnerable in and of itself? As I understand it, the hole occurs each time a session is created with a compromised server, which is why companies like Yahoo, USAA, etc. are scrambling to patch their servers to close the vulnerability.
8. N-fanboy (Posts: 538; Member since: 12 Jan 2013)
Thank God there is no mobile/online banking in place here in Ethiopia.
10. Neutral (Posts: 30; Member since: 19 Oct 2013)
There actually are, homeboy.
Zemen Bank, Commercial Bank, etc. They advertise it too.
9. jroc74 (Posts: 4732; Member since: 30 Dec 2010)
And I do A LOT of online transactions... damn....
14. Mohammad_Abu-Shukur (Posts: 20; Member since: 08 Nov 2013)
Who said that apps were secure before Heartbleed!!
Everybody should know that everything in this tech world is observed one way or another.
That's what I see...
What do you think?