Heartbleed has taken the Internet by storm, affecting both PC and mobile users. Heartbleed is a serious flaw in the method used by more than two thirds of the Internet to secure communications between users and servers. The problem is worse on mobile: even when fixes are available, the patching process is long and not under the control of admins or end users.
What exactly is Heartbleed?
The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. This library is widely used within vendors' products, services and sites to secure web browsing (i.e. whenever you see a padlock in your browser or the URL begins with HTTPS), and it is also used in mobile apps, including banking, retail and even gaming apps.
Without getting too technical, this vulnerability ultimately enables an attacker to target users and extract a victim's credentials, which the encrypted (SSL) connection is supposed to protect, by issuing an “SSL heartbeat.” Exploiting the vulnerability allows the attacker to extract data outside the bounds of what the heartbeat should be able to access.
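The length check at the heart of the bug, as an added example that is not Lacoon's or OpenSSL's code: it models the RFC 6520 heartbeat record, shows the claimed-length field that unpatched OpenSSL trusted, and applies the bounds check that the fix introduced. The constants, function names and the constructed sample records are my own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat layout (sample records below are constructed):
 *   type(1) | payload_length(2) | payload[payload_length] | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

enum hb_verdict { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Payload length the peer *claims*. Unpatched OpenSSL (1.0.1 to 1.0.1f)
 * trusted this field and copied that many bytes from its receive buffer into
 * the reply, so a claim larger than the record leaked up to 64 KB of memory. */
static size_t hb_claimed_payload(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened check in the style of the 1.0.1g fix: header, claimed payload and
 * padding must fit in the record actually received. Also usable as an IDS rule. */
static enum hb_verdict hb_check(const uint8_t *rec, size_t rec_len) {
    if (1 + 2 + HB_PADDING > rec_len) return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return HB_BAD_TYPE;
    if (1 + 2 + hb_claimed_payload(rec, rec_len) + HB_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;
    return HB_OK;
}

/* Build a request carrying `payload` but write `claimed_len` in the header. */
static size_t hb_build(uint8_t *out, size_t cap, const uint8_t *payload,
                       size_t payload_len, uint16_t claimed_len) {
    size_t total = 1 + 2 + payload_len + HB_PADDING;
    if (total > cap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return total;
}

/* Build a 4-byte "ping" request with the given claimed length and check it. */
static enum hb_verdict hb_demo(uint16_t claimed_len) {
    uint8_t rec[64];
    size_t n = hb_build(rec, sizeof rec, (const uint8_t *)"ping", 4, claimed_len);
    return hb_check(rec, n);
}
```

An honest request (claim 4, real payload 4) passes; a request claiming 65535 bytes while carrying 4 is discarded, which is exactly the record a vulnerable peer would have answered with memory contents.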
What are the consequences to mobile users?
Heartbleed affects many websites, apps and smartphone devices. The vulnerability enables an attacker to extract 64 KB of random data from a targeted device's working memory (from either an app or a browser). Attackers don't know in advance what usable data will be extracted, but since the process can be performed repeatedly, it is more than likely that sensitive data will be exposed.
From a client device perspective, sensitive user credentials, unencrypted messages and any other information typed or read by the user are kept in working memory, and are relatively easy for the attacker to identify among the extracted data.
An attacker could also leverage the memory disclosure vulnerability (Heartbleed) to defeat the ASLR exploit mitigation. Doing this lowers the bar for remotely exploiting the device and enables an attacker to conduct a drive-by attack using a return-to-libc attack.
How does a Heartbleed-based attack on a mobile device work?
The attacker must first gain access to a victim’s communications. This can be done in several ways, including:
- A phishing attack, where a user is tricked into visiting a malicious website, providing the attacker with a direct channel to the victim's device.
- A Man-in-the-Middle (MitM) attack: when a victim connects to a compromised or public WiFi hotspot, the attacker can target the victim's device.
Once the attacker has access to data transmissions to and from the targeted device, Heartbleed allows much of the encrypted data to be viewed and extracted.
Which mobile devices and apps are affected by Heartbleed?
It is important to note that the vulnerability affects users via two distinct “layers”:
- The Device Layer: In this scenario, the SSL stack of the device itself is affected.
A vulnerable device means that, regardless of the apps it runs, the user is susceptible to the Heartbleed vulnerability.
It seems most Android devices running Android 4.1.1 are affected.
Other versions of Android might also be affected if the handset vendor (Samsung, LG) chose to integrate the affected version of OpenSSL within the handset. We’d like to note that iOS devices and newer versions of Android (4.2, 4.3, 4.4) are all considered safe.
- The App Layer: In this scenario, an application embeds and uses its own vulnerable SSL library.
Many applications implement their own SSL library, which can be affected regardless of the device they run on. Users of devices described as safe in the paragraph above (iOS and Android 4.2 and above) are therefore still vulnerable if they use a vulnerable app.
Enterprise Applications are Vulnerable.
The Lacoon Mobile Security Research team conducted an assessment of more than 100,000 popular Android applications. Our research has shown that various enterprise apps, such as Mobile Device Management (MDM), secure wrappers and firewalls, are affected.
What Steps Can You Take for Mitigation?
Lacoon Mobile Security will issue an immediate update to MobileFortress, ensuring the product can detect and mitigate the exploitation of the Heartbleed vulnerability in all Lacoon protected mobile devices.
In the meantime, and in case your environment does not have Lacoon MobileFortress installed, we recommend you follow these steps:
- Gain visibility into employee devices and corresponding apps.
- Test which apps in your workplace environment are affected. You can check devices using the test above, which we specifically developed for this purpose.
- Make sure employee devices and corresponding apps are up to date. Check our list of affected Android apps in the link above.
- Upgrade vulnerable devices as soon as the device vendor or carrier releases a patch or update.
- Instruct employees not to navigate to suspicious URLs.
Bleeding-In-The-Browser: The Risk of Reverse Heartbleed is Real
Lacoon Research demonstrates how easy it is to execute a reverse Heartbleed attack and the risk of Bleeding-In-The-Browser. Read our latest post on Bleeding-in-the-Browser: Why downplaying the reverse Heartbleed risk for mobile is dangerous for the Enterprise.