OpenSSL “Heartbleed” vulnerability highly likely to impact smartphone users

If you spend any amount of time on the internet, you have very likely heard about a flaw in the OpenSSL project: a bug in OpenSSL's implementation of the TLS “heartbeat” extension (CVE-2014-0160) that lets an attacker read memory out of any server or client running an affected release. It is being referred to as “Heartbleed.”

A number of websites have been quietly patching their OpenSSL libraries and reissuing their certificates, while others have been noting that the flaw does not affect their services. The good news is that a lot of enterprise-level services, along with Apple, BlackBerry, and Microsoft, have said their own platforms are not affected by Heartbleed.

The bad news is that services like Yahoo! and tech sites like Ars Technica were affected by it. Both have since patched their sites, so if you have not already, now is probably a good time to change your password for the services you use there. If you have not been following the story closely, you should know that a patch has been released and is being rolled out, but no one is sugar-coating this development: Heartbleed is catastrophic.

Even Google was touched by it. Android 4.1.1 shipped with a vulnerable OpenSSL build that had the “heartbeat” extension enabled; Google has said all other Android versions are not affected. What about the rest of the mobile landscape? How deep might the impact be? We as mobile users have a lot to be concerned about, and we need to be diligent because the fix, which has to happen on the server side, is out of our hands.

What we know

Here is what we know: anyone who has ever downloaded an app from the App Store, Google Play, Windows Store, et al. may be exposed. If any of the apps you use connect to a server over TLS to store and sync data, and that server runs an affected OpenSSL release (1.0.1 through 1.0.1f), the Heartbleed vulnerability has been in the picture for roughly the last two years.

What we don't know

What we do not know is which specific back-end servers were actually attacked and whether any data was stolen as a result. That data could be usernames and passwords, bank account details, the server's own private key, or even VoIP calls placed through a messaging app. Heartbleed was a “sky’s the limit” hole: a single malformed heartbeat request makes the server return up to 64 KB of its process memory, the request can be repeated as often as the attacker likes, and a normal web server logs nothing about it.
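
To make that mechanism concrete, here is an added example, written for this page rather than taken from OpenSSL: a simplified heartbeat handler in the shape of the bug, which trusts the attacker's declared payload length, beside the hardened form with the bounds check the patch added. The memory arena, the secret string and the function names are constructed for the demonstration and are not OpenSSL identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration in the shape of the Heartbleed bug; not OpenSSL's code.
 * A TLS heartbeat message is: 1 byte type, 2 bytes payload length
 * (big-endian), the payload, then at least 16 bytes of padding. The
 * receiver is supposed to echo the payload back. */

#define ARENA_SIZE 4096
#define HB_HEADER 3          /* type + 2-byte length */
#define HB_PADDING 16

/* Constructed stand-in for server process memory: the request is written
 * at the start and a secret is placed right after it, the way unrelated
 * heap data can sit next to a network buffer. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session-cookie=abc123; user=alice";

/* Write a heartbeat request whose length field says declared_len but whose
 * real payload is the given string. Returns the true record length that
 * the record layer actually received. */
static size_t build_request(uint16_t declared_len, const char *payload) {
    size_t payload_len = strlen(payload);
    size_t record_len = HB_HEADER + payload_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + HB_HEADER, payload, payload_len);
    memset(arena + HB_HEADER + payload_len, 0xAA, HB_PADDING);
    memcpy(arena + record_len, secret, sizeof secret); /* adjacent secret */
    return record_len;
}

/* Vulnerable handler: trusts the attacker-supplied length and never compares
 * it with record_len. The clamp to the arena only keeps this demonstration
 * inside defined memory; the real bug copied up to 64 KB. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *out) {
    (void)record_len;                               /* ignored: the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > ARENA_SIZE - HB_HEADER) payload_len = ARENA_SIZE - HB_HEADER;
    memcpy(out, rec + HB_HEADER, payload_len);      /* reads past the request */
    return payload_len;
}

/* Fixed handler: the declared length must fit inside the record actually
 * received, which is the check the OpenSSL patch added. Returns 0 and the
 * echoed length on success, -1 if the message is silently dropped. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                           unsigned char *out, size_t *out_len) {
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > record_len) return -1;
    memcpy(out, rec + HB_HEADER, payload_len);
    *out_len = payload_len;
    return 0;
}

/* Byte-string search (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Attacker sends a 1-byte payload but claims 65535: does the reply leak? */
int vulnerable_reply_contains_secret(void) {
    unsigned char reply[ARENA_SIZE];
    size_t record_len = build_request(65535, "x");
    size_t n = heartbeat_vulnerable(arena, record_len, reply);
    return contains(reply, n, secret);
}

/* Same request against the fixed handler: -1 means it was dropped. */
int fixed_rejects_oversized_length(void) {
    unsigned char reply[ARENA_SIZE];
    size_t n = 0;
    size_t record_len = build_request(65535, "x");
    return heartbeat_fixed(arena, record_len, reply, &n);
}

/* An honest request still works: returns the echoed payload length. */
size_t fixed_echoes_honest_request(void) {
    unsigned char reply[ARENA_SIZE];
    size_t n = 0;
    size_t record_len = build_request(4, "ping");
    if (heartbeat_fixed(arena, record_len, reply, &n) != 0) return 0;
    return memcmp(reply, "ping", 4) == 0 ? n : 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_reply_contains_secret());
    printf("fixed handler rejects:           %d\n", fixed_rejects_oversized_length());
    printf("fixed handler echoes %zu bytes\n", fixed_echoes_honest_request());
    return 0;
}
```

Build it with any C99 compiler. The vulnerable handler's reply contains the neighbouring secret, the fixed handler returns -1 for the very same request, and an honest 4-byte “ping” is still echoed, which is the whole difference between the two: one comparison of the declared length against what the record layer actually delivered.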

What is also unknown is how big this issue will end up being in the mobile space. There are far more mobile users than traditional computer users, and there is little-to-no information being disseminated that brings the necessary consumer awareness to the issue. Heartbleed is not an OS issue, or even a browser issue; it is a bug in OpenSSL, the TLS library behind a large share of the servers everyone does business with on the internet.

The impact

Trend Micro scanned nearly 400,000 apps in Google Play. About 7,000 apps, including 15 banking apps, 39 online payment apps, and 10 online shopping apps, were connecting to vulnerable servers. Sure, you could say that is less than 2%, but what a 2% it could be. Banks like Bank of America, USAA and Citi all had to reissue their TLS certificates.

The worst part of all this is that there is nothing you can do to fix the problem yourself, short of not using online banking or making internet purchases. Until a service has said it has patched the issue on its end, contact them to be sure, or hold off on using the service for a while.

See the reference link below to check whether one of the sites you visit was affected by Heartbleed. For a service that has patched and reissued its certificate, a change of password is all it should take; changing it before the patch only hands the new password to the same hole. Until then…

sources: Forbes and TrendMicro

reference: LastPass Heartbleed Checker

UPDATE: There is clearly some confusion about what this Heartbleed issue is. In the Open Systems Interconnection model (OSI), there are seven layers that together describe a communication system like the internet.

The first is the “physical layer”: the wires in the ground, the radio on the tower, the cabling and switchgear in the closet.

Next is the “data link layer,” which moves frames between directly connected nodes. Then there is the “network layer,” which routes packets between networks; IP addresses live here, and your router works at this layer.

The “transport layer” carries the end-to-end streams, TCP and UDP. TLS, the encryption that OpenSSL implements, sits above the transport layer and below the application, and that is where Heartbleed lived: in one library's implementation of the TLS heartbeat extension, not in the protocol or in any layer itself. This is why it did not matter what browser you were using, what operating system you were on, or whether you were using a PC or smartphone: the bug is on whichever end runs a vulnerable OpenSSL, and in most cases that is the server.

The layers above the transport layer are session, presentation and finally application (HTTP). That should make it immediately clear that if the server on the other end of an app you are using has not been patched, you should consider the data you sent it as potentially compromised. The TCP/IP model, known as the internet protocol suite, has four layers, with the transport layer defined the same way.

14 Comments

1. Johnnokia

Posts: 1158; Member since: May 27, 2012

Except for BlackBerry, which scores zero vulnerability.

2. Maxwell.R

Posts: 218; Member since: Sep 20, 2012

If you re-read the article, you will understand this is a transport layer vulnerability, not an OS issue. If you use a service that has not updated its certificates, you could be using a BlackBerry, a blackphone, or cans-on-a-string, the problem is still there.

3. Johnnokia

Posts: 1158; Member since: May 27, 2012

This is what BlackBerry addressed: ''BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue.'' Non-Affected Software: BlackBerry Enterprise Service 10, BlackBerry Enterprise Server 5, BlackBerry Universal Device Server, BlackBerry® 10 OS, BlackBerry® 7.1 OS and earlier, BBM for BlackBerry smartphones. So, BlackBerry smartphones are NOT affected by this issue.

6. Maxwell.R

Posts: 218; Member since: Sep 20, 2012

Completely not related to where the Heartbleed vulnerability resided. If an app you are using on a BB is establishing secure sessions with a server that has not been patched, the data is at risk. It is not an OS or BES issue.

4. GadgetsMcGoo

Posts: 168; Member since: Mar 15, 2013

It's the software that uses the "OpenSSL" implementation of the SSL standard that has been affected. If you are using another implementation, then you are not likely to be affected.

11. lllIIIlllIIl

Posts: 48; Member since: Apr 11, 2014

Wrong. Apple and its iOS platform are not vulnerable. The only things that are vulnerable are emails and passwords. This article is poorly written compared to the others I have seen.

5. taz89

Posts: 2014; Member since: May 03, 2011

Didn't Google say that "only" Android 4.1.1 is affected and the rest are not? Let's hope no one knew about this effed-up security hole and everyone updates its TLS and certification ASAP.

7. sprockkets

Posts: 1612; Member since: Jan 16, 2012

FYI I checked the changelogs of CM for my Nexus 7 2013. On Apr 6, they patched the SSL library. However, as far as I can tell, the vulnerability is server side where it can read the keys in memory. Not sure if doing it on the device will mean anything, but there it is.

12. Droid_X_Doug

Posts: 5993; Member since: Dec 22, 2010

If the vulnerability is server-side, how does the client (end user device) become vulnerable in and of itself? As I understand it, the hole occurs each time a session is created with a compromised server, which is why companies like Yahoo, USAA, etc. are scrambling to patch their servers to close the vulnerability.

8. N-fanboy

Posts: 543; Member since: Jan 12, 2013

Thank God there is no mobile/online banking in place here in Ethiopia.

10. Neutral

Posts: 30; Member since: Oct 19, 2013

There actually are homeboy. Zemen Bank, Commercial Bank, etc. They advertise it too.

9. jroc74

Posts: 6023; Member since: Dec 30, 2010

And I do A LOT of online transactions... damn....

13. Arte-8800

Posts: 4562; Member since: Mar 13, 2014

Use Avast or the premium paid version.

14. Mohammad_Abu-Shukur

Posts: 25; Member since: Nov 08, 2013

Who said that apps were secure before Heartbleed!! Everybody should know that everything in this tech world is observed one way or another, that's what I see... What do you think?
