OpenSSL “Heartbleed” vulnerability highly likely to impact smartphone users
If you spend any amount of time on the internet, you have very likely heard about a flaw in OpenSSL, the open-source library that a large share of web servers use for SSL/TLS. A bug in its implementation of the TLS heartbeat extension lets anyone read memory out of an affected server, which undermines the secrecy the secure layer is supposed to provide. It is being referred to as “Heartbleed” (CVE-2014-0160).
A number of web-sites have been quietly patching OpenSSL and reissuing their certificates, while others have been noting the flaw does not affect their services. The good news is that a lot of enterprise level services, along with Apple, BlackBerry, and Microsoft, have said their own platforms are not affected by Heartbleed (Apple’s and Microsoft’s TLS stacks, for example, are not built on OpenSSL).
The bad news is that services like Yahoo! and tech sites like Ars Technica were affected by it. Both companies have since updated their sites, so if you have not already, now is probably a good time to change your password for any services you use there. If you have not been following the story closely, you should know that a fix exists and has been released (OpenSSL 1.0.1g), but no one is sugar-coating this development: Heartbleed is catastrophic.
What we know
Here is what we know: where you downloaded an app from (the App Store, Google Play, Windows Store, et al.) is beside the point. If any of the apps you use talk to a server over TLS to store and reconcile data, and that server ran OpenSSL 1.0.1 through 1.0.1f, the Heartbleed vulnerability has been in the picture since the affected code shipped in March 2012, roughly the last two years.
What we don't know
What we do not know is which specific applications’ servers were actually attacked and whether any data was stolen as a result. That data could be usernames and passwords, bank account details, session cookies, the server’s own private key, or the contents of messages and VoIP calls relayed through a messaging app. Heartbleed was a “sky’s the limit” hole: a single malformed heartbeat request, a few bytes long, makes the server answer with up to 64 KB of whatever happens to sit in its process memory, the request can be repeated indefinitely to harvest more, and nothing is logged, so there is virtually no evidence of anything going wrong.
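To make that mechanism concrete, here is an added example, not code from the original article or from the OpenSSL project: a small C program that reimplements the heartbeat handler the way OpenSSL 1.0.1f did it, beside the version with the two length checks that 1.0.1g added. The simulated server heap, the “HELLO” payload, the claimed length of 60 and the secret string placed right after the record are all constructed for this example; a real attacker sets the 16-bit length field to 0xFFFF and gets up to 64 KB per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   byte 0     type: 1 = request, 2 = response
 *   bytes 1-2  payload_length, 16-bit big-endian, so at most 65535
 *   bytes 3..  payload, followed by at least 16 bytes of padding
 * OpenSSL 1.0.1 through 1.0.1f trusted payload_length and copied that many
 * bytes from the receive buffer into the reply, never comparing it with the
 * size of the record that actually arrived. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Simulated server heap, constructed for this example: a 24-byte request
 * followed by bytes the peer must never see. On a real server the bytes
 * after the record buffer are whatever the allocator happened to put there. */
static unsigned char heap[128];
static const char secret[] = "SECRET-PASSWORD=hunter2;SESSION=abc123;";

/* Lay out the heap: type, claimed length, the 5 real payload bytes "HELLO",
 * 16 bytes of padding, then the secret immediately after. Returns the record
 * length that actually came off the wire (24). */
static size_t make_heap(uint16_t claimed_len)
{
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, "HELLO", 5);
    memset(heap + 8, 0xaa, HB_PADDING);
    memcpy(heap + 24, secret, sizeof secret);   /* the adjacent allocation */
    return 24;
}

static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler, mirroring tls1_process_heartbeat() before the fix.
 * The reply carries payload_length bytes copied from wherever the record
 * sits in memory, real payload or not. Returns the reply length. */
int heartbeat_vulnerable(const unsigned char *rec, unsigned char *out, size_t out_cap)
{
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = read_be16(rec + 1);              /* attacker controlled */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)         /* not in OpenSSL; keeps this demo's reads inside heap[] */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                  /* the over-read past the 5 real bytes */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler with the two checks OpenSSL 1.0.1g added: a request whose
 * claimed length does not fit inside the received record is silently dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec_len)                   /* too short to be a valid heartbeat */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = read_be16(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) /* the Heartbleed check */
        return -1;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

static int contains(const unsigned char *buf, int len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; len >= 0 && i + n <= (size_t)len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Lying request (claims 60 bytes, sends 5) against the old code:
 * the 79-byte reply carries the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[128];
    make_heap(60);
    int n = heartbeat_vulnerable(heap, out, sizeof out);
    return n == 79 && contains(out, n, "hunter2");
}

/* The same lying request against the fixed code is dropped. */
int fixed_rejects_lying_length(void)
{
    unsigned char out[128];
    size_t rec_len = make_heap(60);
    return heartbeat_fixed(heap, rec_len, out, sizeof out) == -1;
}

/* An honest request (claims 5, sends 5) is echoed back and nothing more. */
int fixed_echoes_honest_request(void)
{
    unsigned char out[128];
    size_t rec_len = make_heap(5);
    int n = heartbeat_fixed(heap, rec_len, out, sizeof out);
    return n == 24 && memcmp(out + 3, "HELLO", 5) == 0 && !contains(out, n, "hunter2");
}

int main(void)
{
    printf("vulnerable handler leaks secret:     %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects lying length:  %s\n", fixed_rejects_lying_length() ? "yes" : "no");
    printf("fixed handler echoes honest request: %s\n", fixed_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

Nothing in the vulnerable path checks the claimed length against the record that arrived, and the reply is a perfectly well-formed heartbeat, which is why a server under attack logs nothing unusual; the `out_cap` guard in the vulnerable handler exists only so the demonstration never reads outside its own simulated heap.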
What is also completely unknown is how big this issue will end up being in the mobile space. There are far more mobile users than users of traditional computers, and there is little to no information being disseminated that brings the necessary “consumer” awareness to the issue. Heartbleed is not an OS issue, or even a browser issue, and it is not a flaw in the TLS protocol itself: it is a bug in one very widely used implementation of the security layer, OpenSSL, through which just about everyone conducts business on the internet. Any program that links a vulnerable OpenSSL, on the server side or (less commonly) the client side, is exposed.
The impact
Trend Micro scanned nearly 400,000 apps in Google Play. About 7,000 apps, including 15 banking apps, 39 online payment apps, and 10 online shopping apps, were connecting to vulnerable servers. Sure, you could say that is less than 2%, but what a 2% it could be. Banks like Bank of America, USAA and Citi all had to reissue their security certificates.
The worst part of all this is that there is nothing you can do to fix the problem yourself, short of not using online banking or making internet purchases: the patch has to be applied on the server, and the server’s certificate has to be reissued with a new private key, because the old key may already have been read out of memory. Until the services you use have said they have done both, you might want to contact them to be sure, or hold off on using the service for a while. Changing your password before a service is fixed buys you nothing, since the new password can be leaked the same way.
See the reference link below to check whether one of the sites you visit is still affected by Heartbleed. For the services that have fixed the vulnerability and replaced their certificates, a change of password is all it should take. Until then…
sources: Forbes and TrendMicro
reference: LastPass Heartbleed Checker
UPDATE: There is clearly some confusion about what this Heartbleed issue is. The Open Systems Interconnection model (OSI) describes a communication system, like the internet, as seven layers, each built on the one below it.
The first is the “physical layer”: the wires in the ground, the radio on the tower, the cabling and switchgear in the closet. (A router, despite the common shorthand, does its real work at the network layer, since it forwards traffic by IP address.)
Next is the “data link layer,” which moves frames between directly connected nodes (Ethernet, Wi-Fi). Then there is the “network layer,” IP, which routes packets between networks using IP addresses.
The “transport layer” is TCP (and UDP): it carries a stream of bytes between two programs and identifies each end with a port number. SSL/TLS, the layer OpenSSL implements, sits directly on top of TCP and below the application protocol; in OSI terms it straddles the session and presentation layers. Heartbleed resided there, in one TLS implementation, not in TCP or IP. That is why it did not matter what browser you were using, what operating system you were on, or whether you were using a PC or smartphone: the vulnerable code was running on the server, and the server answers every client the same way.
Above that is the application layer, HTTP in the case of the web, which is what your app or browser actually speaks. It should be immediately clear, then, that if the server on the other end of an app you are using has not been patched, you should consider any data you send it as potentially compromised. The TCP/IP model, known as the internet protocol suite, has four layers (link, internet, transport, application); its transport layer is the same TCP, and TLS sits in the same place above it.
Even Google was touched by it. Android ships OpenSSL, but Google has said that only Android 4.1.1 is affected: the “heartbeat” extension has been switched off from Android 4.1.2 onward, and all other versions are unaffected. What about the rest of the mobile landscape? How deep might the impact be? We as mobile users have a lot to be concerned about, and we need to be diligent, because the fix is totally out of our hands.