& cplSiteName &

Mobile Apps Susceptible to Heartbleed, Too

Sarah Thomas
4/14/2014
50%
50%

It's not just Internet infrastructure that's susceptible to Heartbleed, one of the most pervasive OpenSSL security threats in some time. Mobile apps may also be at risk, and several firms are offering warnings and patches to safeguard consumer phones.

The Heartbleed bug is a software flaw discovered last week in the OpenSSL "Heartbeats" function that helps keep secure Internet connections alive. The bug could potentially let cyber criminals steal endless amounts of personal data.

While concern was initially for vulnerable websites, researchers are now warning that both Google (Nasdaq: GOOG) and Apple Inc. (Nasdaq: AAPL)'s mobile operating systems could be at risk as well. As such, BlackBerry said on Monday that it would release security updates for its messaging software on Android and iOS devices by the end of the week.

BlackBerry devices themselves don't use the at-risk software, but the company tells Reuters it needs to update its Secure Work Space corporate email and BBM messaging program that are in use on Android and iOS. The risk level may be relatively low, but the company says it could infect those who use the apps either on WiFi or over the cellular network.

Technically, any app that uses the OpenSSL code is susceptible to the Heartbleed bug. Mobile security provider Lookout has put out a Heartbleed Detector app that, when downloaded by a mobile phone user, can determine what version of OpenSSL the device is using and check to see if the vulnerable feature in Hearbeats is enabled. It can't do anything about it -- that's up to Google or the device maker -- but it does alert consumers to the potential for harm.

Since the bug was unearthed, there haven't been reports of widespread damage, but it could only be a matter of time. In the meantime, companies from operators to network equipment makers to software providers are working hard to develop patches and upgrades so consumers aren't affected. (See Cisco, Juniper Treating Gear Against Potential Heartbleed and Eurobites: Telenor Counters Heartbleed Threat.)

Lookout suggests that consumers should also change their passwords, but not until told to by their individual service providers, as the vulnerability pulls data from the active memory of the affected systems, so any attackers might still have access to a new password as well.

— Sarah Reedy, Senior Editor, Light Reading

(14)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Page 1 / 2   >   >>
Sarah Thomas
50%
50%
Sarah Thomas,
User Rank: Blogger
4/18/2014 | 3:27:03 PM
Lookout Data

Lookout has new data out from the 10,000 people who downloaded its app and agreed to share their results:

-- "Devices running Android 4.1.1 are predominantly the ones that are vulnerable, but there are also a handful running 4.2.2

-- The Evo, HTC One S and HTC One X are the 3 most popular vulnerable smartphones

-- Regions of the world vary in their level of risk. 

Here you'll find a slideshare which includes full details and the next steps on what to do if your device is vulnerable."

Sarah Thomas
50%
50%
Sarah Thomas,
User Rank: Blogger
4/17/2014 | 12:42:43 PM
Wireless okay
More updates today from AT&T, SPrint, Verizon and T-Mobile suggest they have not been affected and are taking the necessary precautions, so rest easy (but not TOO easy). 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
4/16/2014 | 4:33:56 PM
Re: More malware
I know, right?! EVERYBODY PANIC!!

According to that most reliable of sources, Some Guy On Reddit, iOS doesn't use OpenSSl and is therefore not susceptible, although apps might be susceptible. 
Sarah Thomas
50%
50%
Sarah Thomas,
User Rank: Blogger
4/15/2014 | 6:28:25 PM
Re: More malware
Of course, that makes sense, just like PR people latch on to events ilke this to pitch semi-related companies. I'd hope FireEye isn't making up viruses though...seems like new strands are found every day.
Sarah Thomas
50%
50%
Sarah Thomas,
User Rank: Blogger
4/15/2014 | 6:27:15 PM
Re: More malware
Thanks for the heads up, Malcom. I hope Apple issues that patch soon too.
Sarah Thomas
50%
50%
Sarah Thomas,
User Rank: Blogger
4/15/2014 | 6:26:10 PM
Re: More malware
Yikes, I guess it's starting then.
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
4/15/2014 | 4:50:07 PM
Re: More malware
Attackers used Heartbleed to break into the Canada Revenue Agency.
Phil_Britt
50%
50%
Phil_Britt,
User Rank: Light Sabre
4/15/2014 | 2:48:01 PM
Re: More malware
To me the FireEye notification seems to be somewhat self-serving. McAfee also sent out notices, but also said that their software is not designed to protect against this type of vulnerability. It's good to get notices out, but I'm cautious any time the notice comes from someone seeking to sell a solution.
MalcolmTucker
50%
50%
MalcolmTucker,
User Rank: Light Beer
4/15/2014 | 2:39:12 PM
Re: More malware
I was performing some research into this.  Apparently, the APPLE "Airport Utility" which comes as standard software with all Mac Computers, uses the OpenSSL library. 

This is in the acknowledgements and licensing agreement feature within the Airport Utility itself.

Because the code hasn't been verified to be vulnerable, it may be best to take the Airport Utility (Located in the "Utilities" folder) and place it into the trashcan.  Apple's culture is one of secrecy and to not disclose issues until a patch is released.

Because Apple and everybody was blindsighted, it's probably best to place the Airport Utility into the trash.

Airport controls WiFi connections to Apple's own WiFi routers.  You should be able to connect to the internet, and configure your router if you use the Apple iPhone or iPad configuration app; then delete the app on your ipad until you need it again.
Sarah Thomas
50%
50%
Sarah Thomas,
User Rank: Blogger
4/15/2014 | 12:59:07 PM
Re: More malware
Yeah, it seems like most of the patches will be out in time, but we really don't know. I haven't gotten any notifications from service providers about actions to take. I was going to just change all my passwords, but sounds like that's not the wisest move, according to Lookout.
Page 1 / 2   >   >>
Educational Resources
sponsor supplied content
Educational Resources Archive
Light Reading’s Upskill U is a FREE, interactive, online educational resource that delivers must-have education on themes that relate to the overall business transformation taking place in the communications industry.
NEXT COURSE
Wednesday, September 14, 1:00PM EDT
What Is Agile?
Kent J. McDonald, Product Owner, Agile Alliance
UPCOMING COURSE SCHEDULE
Friday, September 16, 1:00PM EDT
How to Implement Agile
Alan Bateman, Director, Agile Transformation
Wednesday, September 21, 1:00PM EDT
What Is DevOps?
Colin Kincaid, CTO, Service Provider, Cisco
Friday, September 23, 1:00PM EDT
How to Implement DevOps
,
in association with:
From The Founder
Light Reading today starts a new voyage as part of a larger Enterprise.
Flash Poll
Live Streaming Video
Charting the CSP's Future
Six different communications service providers join to debate their visions of the future CSP, following a landmark presentation from AT&T on its massive virtualization efforts and a look back on where the telecom industry has been and where it's going from two industry veterans.
Between the CEOs
CEO Chat: UXP Systems' Gemini Waghmare

8|26|16   |     |   (0) comments


Light Reading CEO Steve Saunders and UXP Systems CEO Gemini Waghmare discuss the strategic importance of digital identity for operators in the midst of transformation.
LRTV Custom TV
F5 Virtual Network Function Integrations With Partner Orchestration Platform

8|24|16   |   6:38   |   (0) comments


F5's Kishore Patnam, product manager for F5's service provider solutions, discusses why service providers are moving towards virtualization and how his clients are utilizing F5's solutions.
Between the CEOs
CEO Chat: Intel's Alexis Black Bjorlin

8|17|16   |   06:23   |   (0) comments


Join us for an in-depth interview between Steve Saunders of Light Reading and Alexis Black Bjorlin of Intel as they discuss the release of the company's Silicon Photonics platform, its performance, long-term prospects, customer expectations and much more.
Telecom Innovators Video Showcase
Accelerating Telecom Digital Transformation With Nominum DNS

8|1|16   |   12:04   |   (0) comments


Light Reading's Steve Saunders gets an update from Nominum CEO Gary Messiana on how his company is helping carriers on the digital transformation journey.
LRTV Custom TV
Reinventing Operations for a Virtual, Software-Defined World

7|28|16   |   5:23   |   (0) comments


Heavy Reading Senior Analyst Jim Hodges speaks with Accenture's Larry Socher and Matt Anderson about what service providers must do to transform their business to get the benefits of SDN and NFV including: leveraging DevOps, introducing real-time OSS and implementing analytics.
Women in Comms Introduction Videos
Fujitsu Sales Leader Shares Lessons Learned

7|27|16   |   5:12   |   (1) comment


As Fujitsu's only female sales leader, Annie Bogue knows the importance of asking for what you want, being flexible (she's been relocated five times), keeping a meticulous calendar, 'leaning in,' working harder than everyone else around you, being aware and more.
Telecom Innovators Video Showcase
VeEX Test & Measurement Solutions

7|25|16   |   08:57   |   (0) comments


Cyrille Morelle, president and CEO of VeEX Inc., talks test and measurement with Light Reading's Steve Saunders at BCE 2016. This includes innovative products such as VeSion Cloud-Based platform for network monitoring; MTTplus Modular Test platform for Access, Business, Carrier Ethernet, Transport and Core services; and OPX-BOX+ for Fiber Optics.
LRTV Custom TV
VeEX: Live From BCE 2016

7|25|16   |   03:20   |   (0) comments


VeEX's Senior Director of Business Development, Perry Romano, explains how VeEX provides tools to help install, maintain, monitor and manage network infrastructure efficiently and effectively. The portfolio of products on display include the RXT-6000, MTTplus and TX300s.
LRTV Custom TV
Real-Time Telemetry & Analytics for Intelligent SDN Orchestration

7|25|16   |   03:09   |   (0) comments


Packet Design CEO Scott Sherwood discusses how real-time network telemetry and analytics are enabling a new breed of SDN orchestration applications.
From the Founder
The Russo Report: Driving Disruption

7|25|16   |   07:44   |   (2) comments


In the first episode of a four-part series, Light Reading Founder and CEO Steve Saunders and Calix President and CEO Carl Russo drive around town discussing the disruptive mega-changes in the communications industry and where hope lies for service providers to meet the escalating demands of the cloud.
LRTV Custom TV
NetScout: Maximizing Enterprise Cloud for Digital Transformation

7|20|16   |   04:53   |   (0) comments


Light Reading Editor Mitch Wagner talks to NetScout CMO Jim McNiel about maximizing the benefits of enterprise cloud and digital transformation while minimizing potential pitfalls with a proper monitoring and instrumentation strategy.
Women in Comms Introduction Videos
Ciena's VP Offers a Career Crash Course

7|20|16   |   4:14   |   (2) comments


How did Ciena's Vice President of Sales, Angela Finn, carve out her career path? Simple, she tells WiC. She stayed true to her company, customers and principles. She shares her advice for women on how to be authentic and credible, as well as for companies that want to make a real change to their culture and practices.
Upcoming Live Events
September 13-14, 2016, The Curtis Hotel, Denver, CO
November 3, 2016, The Montcalm Marble Arch, London
November 30, 2016, The Westin Times Square, New York City
December 1, 2016, The Westin Times Square, New York, NY
December 6-8, 2016, The Westin Excelsior, Rome
May 16-17, 2017, Austin Convention Center, Austin, TX
All Upcoming Live Events
Infographics
Hot Topics
Cisco Developing 'Monica' Digital Assistant
Mitch Wagner, West Coast Bureau Chief, Light Reading, 8/22/2016
FirstNet: A Billion-Dollar Boondoggle?
Dan Jones, Mobile Editor, 8/26/2016
WiCipedia: Should Men Be Included? & Olympians Face Discrimination
Eryn Leavens, Special Features & Copy Editor, 8/26/2016
Google Fiber Can't Be Called a Failure
Carol Wilson, Editor-at-large, 8/26/2016
Google Fiber Downsizing Not Confirmed
Mari Silbey, Senior Editor, Cable/Video, 8/25/2016
Like Us on Facebook
Twitter Feed
BETWEEN THE CEOs - Executive Interviews
Light Reading CEO Steve Saunders and UXP Systems CEO Gemini Waghmare discuss the strategic importance of digital identity for operators in the midst of transformation.
Join us for an in-depth interview between Steve Saunders of Light Reading and Alexis Black Bjorlin of Intel as they discuss the release of the company's Silicon Photonics platform, its performance, long-term prospects, customer expectations and much more.
Animals with Phones
Live Digital Audio

Bridging the tech skills gap is a major challenge for service providers and suppliers alike today – and the challenge is two-fold when it comes to increasing the number of women in the comms space. Level 3 Communications has made it a priority to overcome both challenges by implementing several unique programs focused on building the right candidates from within – in addition to filling the funnel by supporting STEM and other education programs. During this radio show, you’ll learn about these programs from Mary Beth McGrath, SVP of Global Talent Management at Level 3, and the best ways to bridge your own skills gap so that you are motivated and equipped for change. Plus you’ll have the chance to ask Mary Beth your questions live on the air.