Light Reading

Mobile Apps Susceptible to Heartbleed, Too

Sarah Thomas
4/14/2014

It's not just Internet infrastructure that's susceptible to Heartbleed, one of the most pervasive OpenSSL security threats in some time. Mobile apps may also be at risk, and several firms are offering warnings and patches to safeguard consumer phones.

The Heartbleed bug is a software flaw discovered last week in the OpenSSL "Heartbeats" function that helps keep secure Internet connections alive. The bug could potentially let cyber criminals steal endless amounts of personal data.

While concern was initially for vulnerable websites, researchers are now warning that the mobile operating systems of both Google (Nasdaq: GOOG) and Apple Inc. (Nasdaq: AAPL) could be at risk as well. As such, BlackBerry said on Monday that it would release security updates for its messaging software on Android and iOS devices by the end of the week.

BlackBerry devices themselves don't use the at-risk software, but the company tells Reuters it needs to update its Secure Work Space corporate email and BBM messaging programs, which are in use on Android and iOS. The risk level may be relatively low, but the company says it could infect those who use the apps either on WiFi or over the cellular network.

Technically, any app that uses the OpenSSL code is susceptible to the Heartbleed bug. Mobile security provider Lookout has put out a Heartbleed Detector app that, when downloaded by a mobile phone user, can determine what version of OpenSSL the device is using and check to see if the vulnerable feature in Heartbeats is enabled. It can't do anything about it -- that's up to Google or the device maker -- but it does alert consumers to the potential for harm.

Since the bug was unearthed, there haven't been reports of widespread damage, but it could only be a matter of time. In the meantime, companies from operators to network equipment makers to software providers are working hard to develop patches and upgrades so consumers aren't affected. (See Cisco, Juniper Treating Gear Against Potential Heartbleed and Eurobites: Telenor Counters Heartbleed Threat.)

Lookout suggests that consumers should also change their passwords, but not until told to by their individual service providers. Because the vulnerability pulls data from the active memory of the affected systems, any attackers might still have access to a new password as well.

— Sarah Reedy, Senior Editor, Light Reading

SarahReedy,
User Rank: Blogger
4/18/2014 | 3:27:03 PM
Lookout Data

Lookout has new data out from the 10,000 people who downloaded its app and agreed to share their results:

-- "Devices running Android 4.1.1 are predominantly the ones that are vulnerable, but there are also a handful running 4.2.2

-- The Evo, HTC One S and HTC One X are the 3 most popular vulnerable smartphones

-- Regions of the world vary in their level of risk. 

Here you'll find a slideshare which includes full details and the next steps on what to do if your device is vulnerable."

SarahReedy,
User Rank: Blogger
4/17/2014 | 12:42:43 PM
Wireless okay
More updates today from AT&T, Sprint, Verizon and T-Mobile suggest they have not been affected and are taking the necessary precautions, so rest easy (but not TOO easy).
Mitch Wagner,
User Rank: Lightning
4/16/2014 | 4:33:56 PM
Re: More malware
I know, right?! EVERYBODY PANIC!!

According to that most reliable of sources, Some Guy On Reddit, iOS doesn't use OpenSSL and is therefore not susceptible, although apps might be susceptible.
SarahReedy,
User Rank: Blogger
4/15/2014 | 6:28:25 PM
Re: More malware
Of course, that makes sense, just like PR people latch on to events like this to pitch semi-related companies. I'd hope FireEye isn't making up viruses though...seems like new strands are found every day.
SarahReedy,
User Rank: Blogger
4/15/2014 | 6:27:15 PM
Re: More malware
Thanks for the heads up, Malcolm. I hope Apple issues that patch soon too.
SarahReedy,
User Rank: Blogger
4/15/2014 | 6:26:10 PM
Re: More malware
Yikes, I guess it's starting then.
Mitch Wagner,
User Rank: Lightning
4/15/2014 | 4:50:07 PM
Re: More malware
Attackers used Heartbleed to break into the Canada Revenue Agency.
Phil_Britt,
User Rank: Light Sabre
4/15/2014 | 2:48:01 PM
Re: More malware
To me the FireEye notification seems to be somewhat self-serving. McAfee also sent out notices, but also said that their software is not designed to protect against this type of vulnerability. It's good to get notices out, but I'm cautious any time the notice comes from someone seeking to sell a solution.
MalcolmTucker,
User Rank: Light Beer
4/15/2014 | 2:39:12 PM
Re: More malware
I was performing some research into this.  Apparently, the APPLE "Airport Utility" which comes as standard software with all Mac Computers, uses the OpenSSL library. 

This is in the acknowledgements and licensing agreement feature within the Airport Utility itself.

Because the code hasn't been verified to be vulnerable, it may be best to take the Airport Utility (Located in the "Utilities" folder) and place it into the trashcan.  Apple's culture is one of secrecy and to not disclose issues until a patch is released.

Because Apple and everybody was blindsided, it's probably best to place the Airport Utility into the trash.

Airport controls WiFi connections to Apple's own WiFi routers.  You should be able to connect to the internet, and configure your router if you use the Apple iPhone or iPad configuration app; then delete the app on your iPad until you need it again.
SarahReedy,
User Rank: Blogger
4/15/2014 | 12:59:07 PM
Re: More malware
Yeah, it seems like most of the patches will be out in time, but we really don't know. I haven't gotten any notifications from service providers about actions to take. I was going to just change all my passwords, but sounds like that's not the wisest move, according to Lookout.