Just when it was thought to be under control, the U.S. Government issued a statement to users of healthcare.gov that said: “HealthCare.gov uses many layers of protection to secure your information. While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution. This means the next time you visit the website, you’ll need to create a new password. We strongly recommend you create a unique password—not one that you’ve already used on other websites.”
The HeartBleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library and allows attackers to eavesdrop on communications, steal data directly from the services and users and impersonate services and users.
There are many lists out there of what sites have been verified as patched. CNET, for example, took the top 100 most popular websites from Alexa’s rankings and sought to confirm status early on, and says it has been updating ever since. McAfee (whose own products were affected) created a tool to check for HeartBleed-affected sites.
The HeartBleed vulnerability has hit millions of servers across the Internet, including many which provide web services for mobile applications.
Ryan Smith, Lead Threat Engineer at Mojave Networks, a Silicon-Valley based mobile security startup explained, “Think of mobile applications like specialized web browsers, which connect to special web servers or ‘web services’ all the time to request or store your data in the application. Just like you browse on a website in your web browser, or enter your data into a web form, most mobile applications operate by making similar requests to web services. These web services often use OpenSSL to provide secure communication and many used versions affected by Heartbleed. This means that any data the mobile application sent over a secure connection to a vulnerable web service, may potentially be at risk.”
This includes, but is not limited to, passwords, credit card numbers, financial information, personal information, and—depending on the policy (or lack thereof) and device or app management solution implemented (or lack thereof)—corporate data.
A significant amount of web traffic comes from mobile devices and mobile users are equally at risk when they connect (or have connected) to vulnerable web servers from their mobile device, according to Smith. “This seems obvious but is worth emphasizing, that whether you connect to a vulnerable service via mobile device or PC, your data is equally at risk of compromise,” he said.
Theoretically, those with MDM, MAM, EMM etc. tools in place should be protected. Mike McCarron, VP, Customer Success at MobileIron, Inc. blogged, “MobileIron has reviewed its platform and tested for these ‘Heartbleed’ vulnerabilities. We have confirmed that all released versions of our core technologies – VSP, Sentry, Connector, Atlas, Connected Cloud – are NOT affected by the vulnerability and NO action is required by our customers.”
But, he went on to write, “However, we have a limited number of customers who have an on-premise installation of our BYOD Portal, one of our add-on technologies, and they may be affected depending on which version of OpenSSL their server is running. These customers should check which version they are running to see if they are vulnerable. We have confirmed that our hosted version is not vulnerable. Customers can reference this Knowledge Base [customer portal only] article for further details, including recommendations for on-prem BYOD portal remediation steps.”
Gary Gerber, Senior Product Marketing Manager, Good Technology, also blogged about the issue and said, “I’m happy to report that all Good servers and applications are not subject to the HeartBleed vulnerability, but that may not be the case industry-wide.”
On the VMware blog (VMware now owns AirWatch), the company stated: “VMware has confirmed that 25 of its products that ship with OpenSSL 1.0.1 have been confirmed to be affected and need patches for the HeartBleed bug. Unfortunately, those patches are not yet ready. VMware has alerted its customers to the fact that they expect to have updated products and patches for all affected products listed in Knowledge Article 2076225 by April 19th.” AirWatch products are on the unaffected list.
BlackBerry’s Senior Vice President, Scott Totzke, told Reuters “that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.”
Apple issued a firmware update for 2013 AirPort Extreme and AirPort Time Capsule, but said that iOS and Mac OS X were safe.
Additionally, according to Smith, some mobile apps are packaged with vulnerable versions of OpenSSL, which could potentially allow an attacker to access secure information from the mobile device itself. In particular, Google had announced that Android 4.1.1 was vulnerable to the HeartBleed attack, which again would potentially allow an attacker to access secure information from the device itself.
“Users with vulnerable apps installed, or a vulnerable device, could be attacked if they connect to a malicious web server. Although this attack vector is less likely to occur, it could allow an attacker to view secure information in the device’s memory, which makes the potential risk significant,” said Smith.
Smith recommends mobile users take steps to safeguard their data from HeartBleed. Step one, if they have not done so already: users should change their passwords for all accounts. “Although it’s against best practice, many people still reuse their passwords across many different sites, amplifying the effects of such a widespread vulnerability,” he said. While most services have updated their affected systems, it’s worth pointing out, he explained, that users should verify that a service has been patched before changing their password there; otherwise the new password may be equally vulnerable.
Be vigilant about what sites are visited from any device, to avoid falling victim to malicious web services. Attackers are capitalizing on this turmoil and using it to lure users to scams and exploits by promising HeartBleed fixes, security checks, etc. Although this advice should be heeded at all times, users should be increasingly suspicious of unsolicited emails or text messages, and seek out reputable sources to check for HeartBleed fixes or security checks.
According to Google, anyone running version 4.1.1 of Android must check for updates from their carrier or device manufacturer for a fix.
More and more, the case for a comprehensive enterprise-wide mobile security strategy is evident and imperative.