Lagging Android devices vulnerable to Heartbleed

Summary: Lack of patches and upgrade paths for Android is leaving devices vulnerable to Heartbleed exploits, security researchers from the SANS Institute and Sophos have said.

TOPICS: Security, Android

The precise impact of the Heartbleed OpenSSL security bug is becoming clearer. Client-side applications can be vulnerable too, not just servers — particularly those running on Android 4.1.x. But evidence is emerging that if anyone else knew about the bug in the two years that it's existed, it was a "limited constituency".

The security researchers who presented the third Heartbleed briefing for the SANS Institute's Internet Storm Centre (ISC), held on Friday morning Australian time (Thursday afternoon US time), confirmed early impressions that the bug is serious, but held back from equating it with the widespread internet worms of early last decade, such as Code Red and Slammer.

"Code Red was at least as serious as Heartbleed, plus I didn't have to wait for the luck of the draw to get the right 64k," said SANS ISC chief technology officer Johannes Ullrich — a reference to the fact that while Heartbleed can allow an attacker to repeatedly extract 64 kilobyte chunks of server memory, they have no control over which chunk they get.

But malware researcher Jake Williams, a principal consultant at CSRgroup Computer Security Consultants, only partially agreed.

"On the other hand, we have a much higher population of vulnerable servers, as well as a large number of vulnerable client-side applications, the full list yet to be determined," Williams said. "There was zero chance that my Android phone was going to be vulnerable to Slammer" — if Android had been around then, of course — "whereas with [Heartbleed], there's a pretty good possibility."

It's currently believed that Android versions 4.1.0 and 4.1.1 are vulnerable to Heartbleed, although some reports indicate that only 4.1.1 is vulnerable.

More than one-third of operational Android devices are still running version 4.1.x, Williams said. "If you're running Android this early, you are still also probably owned, unfortunately," he said, referring to the Blackhole exploit kit.

The researchers praised most Linux distributions for issuing OpenSSL patches promptly, but were scathing about Android, where the availability of patches is "a little bit less than desired", as Williams put it.

James Lyne, global head of security research with Sophos, put it more strongly. "A lot of that isn't so much the user population. In many cases it's the providers, not of the hardware but the telcos who aren't being responsible," he said.

Meanwhile, the SANS Institute's presenters are escalating their criticism of organisations' lack of communication about their exposure to Heartbleed. Banks in particular came under fire, with special mention given to USAA, the United Services Automobile Association, which was both congratulated for issuing an advisory and criticised for information that was "sub-standard".

"I want to clarify that this is one of the few banks that I've been able to locate one of these statements for at all," Williams said. "We really appreciate the fact that they're taking measures against Heartbleed." But USAA's advisory note was apparently written by a PR person with no actual security knowledge.

"We have already taken measures to help prevent a data breach and implemented a patch earlier this week," the bank said. But according to Williams, the SSL certificate currently being presented by the bank was generated on 4 December 2012.

"Now, if they were indeed vulnerable, and they needed to patch, it scares me a little bit that they didn't re-issue the certificate after the patch. Definitely a 'Must try harder', a C-minus," Williams said. "They're leading the pack with mediocrity, and that should scare everybody in the room."

But do vulnerable organisations really need to revoke all of their SSL certificates, generate new private encryption keys and issue new certificates?

The issue, says Ullrich, is that Heartbleed is about memory leaks, data that's on the server — and some of that memory may contain the private encryption key.

"The key question about risk, therefore, is: What is the probability that an attacker will end up with the secret key? I don't care if someone steals a session ID. That was yesterday. That session had better no longer be any good.

"If someone steals a password, it's your password, it's not mine, so I'm fine ... If you used the same password for another site, not my problem.

"The chances of actually having the secret keys exposed is the highest just after the server starts up. That's when you have the secret keys most likely in the right location for it to be exposed."

Ullrich says SANS ISC has been receiving enquiries from systems administrators saying that they've patched their vulnerable servers promptly, and wondering whether they still need to regenerate keys and certificates.

"If you patched on the seventh, the evening the vulnerability came out, [US] Eastern Time, that argument I think may apply. If you had honeypots running on the eighth, scanning [for vulnerable servers] picked up really quickly against random sites.

"Before the seventh, if the exploit was known, it was known to a limited constituency. They probably didn't scan your personal blog, so you may be a little bit good there.

"If you didn't patch on the eighth, you patched on the ninth, your server was scanned. You can assume that someone tried to extract data. What they got, you don't know."

Many data leak prevention (DLP) systems don't monitor TCP port 443, the port used by HTTPS/SSL, because the traffic is encrypted and DLP inspection wouldn't work on it anyway, Ullrich said.

However, most certificate authorities (CAs) are allowing customers to revoke and re-issue certificates free of charge, at least within the validity period of the original certificate. StartSSL is one of the few exceptions, but even then its fee for revoking and re-issuing a certificate is only US$25.

"What it comes down to is, is 25 bucks worth the risk?" Ullrich said.

"Overall, I would say you probably do want to replace your key if you didn't patch on the seventh [and] you can't go at least back a week through your data to double-check if the key has leaked," he said.

"Don't panic. Do it deliberately. That's the problem here, if you roll your keys quickly, you may not do it right."
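Added example, not from the article, SANS or any of the speakers: a small Python check that applies Williams' certificate-date observation and Ullrich's patch-timing rule to a certificate in the dict format Python's `ssl` module returns from `getpeercert()`. The 8 April cut-off for mass scanning, the sample certificate and the patch times are assumptions constructed for the example.

```python
import ssl
from datetime import datetime, timezone

# Assumed cut-off for Ullrich's rule: "patched on the seventh, Eastern Time" is
# taken as the end of 7 April 2014 US Eastern, i.e. 04:00 UTC on 8 April, the
# day his honeypots saw scanning start.
SCANNING_BEGAN = datetime(2014, 4, 8, 4, 0, tzinfo=timezone.utc)


def cert_not_before(cert: dict) -> datetime:
    """Parse notBefore from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                  timezone.utc)


def key_rotation_advice(cert: dict, patched_at: datetime, can_audit_week: bool):
    """Return ("keep" | "audit" | "rotate", reason), following the article.

    A notBefore earlier than the patch time is Williams' signal that the key
    was not replaced; whether that matters follows Ullrich's timing rule."""
    if cert_not_before(cert) >= patched_at:
        return "keep", "certificate issued after the patch, so the key is new"
    if patched_at <= SCANNING_BEGAN:
        return "keep", "patched before mass scanning began; exposure unlikely"
    if can_audit_week:
        return "audit", "key predates the patch; check a week of traffic first"
    return "rotate", "key predates the patch and exposure cannot be ruled out"


# Constructed samples in getpeercert() format. OLD_CERT mirrors the 4 December
# 2012 issue date Williams reported for USAA's certificate.
OLD_CERT = {"subject": ((("commonName", "bank.example"),),),
            "notBefore": "Dec  4 00:00:00 2012 GMT",
            "notAfter": "Dec  4 23:59:59 2014 GMT"}
NEW_CERT = dict(OLD_CERT, notBefore="Apr 10 12:00:00 2014 GMT")
PATCHED_ON_7TH = datetime(2014, 4, 7, 22, 0, tzinfo=timezone.utc)   # evening ET
PATCHED_ON_9TH = datetime(2014, 4, 9, 9, 0, tzinfo=timezone.utc)
```

The same dict shape comes back from a live `ssl.SSLSocket.getpeercert()` call once the connection has verified the server's chain, so the check can be run against a real host without any other dependency.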

Finally, Lyne warned that criminals are starting to take advantage of Heartbleed's high media profile.

"Through today, the cyber criminals really wised up to the fact that this was an interesting topic for the mainstream media, beyond being an interesting bug. So we've started seeing lots of spam messages about Heartbleed being used as a mechanism to distribute other malicious code and scams," he said.

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

    • Freedom

      • That's not free either

        Freedom sometimes requires sacrifices, even from civilians; and not just in wartime.
        John L. Ries
  • Just more security holes intentionally created...

    by open source murdering filth. How many more must die before people realize free software isn't free.
    • Re: Just more security holes intentionally created...

      Sea kelp.
      Honeyboy Wilson
    • This is precisely why...

      ...flagging should be more than simply registering disapproval. As it stands, moderators end up wasting all sorts of time looking at posts that don't need to be taken down, resulting in posts like this one remaining in place.

      Down-voting should be a separate function than flagging and flagging should require a stated reason. In this case, accusing open source developers of murder as a group when only Hans Reiser has been convicted of that particular crime is *way* over the line.

      And again, I will commit an act of blatant censorship and suggest that the Jackbond account be deleted.
      John L. Ries
  • Android Heartbleed FUD

    I've tested 4.1.1 on a few devices (Asus Transformer TF300, Nexus 7 and Galaxy Note).
    They DO have OpenSSL 1.0.1c which contains the vulnerable CODE.
    BUT, and it's a VERY IMPORTANT BUT, the heartbeat function is DISABLED in the SSL transport.
    I have tested over 20 implementations of Android from 2.2 to 4.4 including 4.1.1 in particular and have not found any with the heartbeat function ENABLED.
    From my sample size testing, it seems that Android 4.1.1 is NOT vulnerable to heartbleed by virtue of the heartbeat function being not active.
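A way to verify the commenter's claim without sending any heartbeat at all, added here as an example and not part of the article or the comment: parse the extensions block of a captured TLS ClientHello (what an Android client sends) or ServerHello and report whether the peer advertised the RFC 6520 heartbeat extension (type 15) and in which mode. The hello records below are constructed samples; a real capture from the device or server is fed in the same way.

```python
import struct

HEARTBEAT_EXT = 0x000f          # extension type registered by RFC 6520
PEER_ALLOWED_TO_SEND = 1        # HeartbeatMode values from RFC 6520 (2 = not allowed)

def heartbeat_mode(record: bytes):
    """Return the HeartbeatMode a ClientHello/ServerHello advertises, else None."""
    if len(record) < 9 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32 + 1 + body[34]                     # version, random, session_id
    if hs[0] == 1:                                  # ClientHello
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
    elif hs[0] == 2:                                # ServerHello
        pos += 2 + 1                                # cipher_suite, compression
    else:
        raise ValueError("not a ClientHello or ServerHello")
    if pos + 2 > len(body):
        return None                                 # no extensions block present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == HEARTBEAT_EXT and ext_data_len == 1:
            return body[pos]
        pos += ext_data_len
    return None

def build_hello(hs_type: int, extensions: bytes) -> bytes:
    """Constructed TLS 1.2 hello record (fixed random, empty session id, suite 0xc02f)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"
    if hs_type == 1:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"   # suite list, compression list
    else:
        body += b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: renegotiation_info only, and with heartbeat mode 1 added.
RENEG_INFO = b"\xff\x01\x00\x01\x00"
HEARTBEAT_ON = b"\x00\x0f\x00\x01\x01"
SERVER_WITH_HB = build_hello(2, RENEG_INFO + HEARTBEAT_ON)
SERVER_WITHOUT_HB = build_hello(2, RENEG_INFO)
```

A peer that never advertises the extension (as the comment reports for the devices tested) cannot be sent a heartbeat in the first place, so `None` here is the result a defender wants to see.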