
Is your Mobile Device Vulnerable to the Heartbleed Bug? Test it now.

Heartbleed has taken the Internet by storm, affecting both PC and mobile users. Heartbleed is a serious flaw in the method used by more than two thirds of the Internet to secure communications between users and servers. The problem is worse on mobile: even when fixes are available, the patching process is long and not under the control of admins or end users.

What exactly is Heartbleed?
The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. This library is widely used within vendors' products, services and sites to secure web browsing (i.e. whenever you see a padlock in your browser or the URL begins with HTTPS), as well as in mobile apps, including banking, retail and even gaming apps.

Without getting too technical, this vulnerability ultimately enables an attacker to target users and extract secure (encrypted) credentials of a victim by issuing an “SSL heartbeat.” Exploiting the vulnerability allows the attacker to extract data outside the bounds of what the heartbeat should be able to access.
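The out-of-bounds read comes down to one missing comparison: the heartbeat's claimed payload length was never checked against the size of the record that actually arrived. The following is an added illustration, not code from this post or from OpenSSL; it implements that bounds check in the shape a heartbeat handler or traffic inspector needs, with constructed sample messages.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 6520 heartbeat message layout inside a TLS record body:
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Returns 1 if the claimed payload (plus header and minimum padding) fits
 * inside the bytes that were actually received, 0 otherwise. A handler that
 * copies payload_length bytes without this check reads past the record. */
int heartbeat_length_ok(const uint8_t *body, size_t body_len)
{
    if (body == NULL || body_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((body[1] << 8) | body[2]);
    /* payload_len is at most 65535, so this sum cannot overflow size_t */
    return (size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING <= body_len;
}

/* Constructed samples (not captured traffic). */
/* Benign request: 4-byte payload "ping" + 16 bytes padding = 23 bytes */
static const uint8_t benign[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Malformed request: identical 23-byte body, but claims a 65535-byte payload */
static const uint8_t malformed[] = {
    0x01, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int check_benign(void)    { return heartbeat_length_ok(benign, sizeof benign); }
int check_malformed(void) { return heartbeat_length_ok(malformed, sizeof malformed); }

int main(void)
{
    printf("benign:    %s\n", check_benign()    ? "accept" : "drop");
    printf("malformed: %s\n", check_malformed() ? "accept" : "drop");
    return 0;
}
```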

What are the consequences to mobile users?
Heartbleed affects many websites, apps and smartphone devices. The vulnerability enables an attacker to extract 64k of random data from a targeted device's working memory (from either an app or a browser). Attackers don't know what usable data will be extracted, but since the process can be repeated, sensitive data is more than likely to be exposed.

From a client-device perspective, sensitive user credentials, unencrypted messages and any other information typed or read by the user are kept in working memory and are relatively easy for the attacker to identify among the extracted data.

An attacker could also leverage the memory disclosure vulnerability (Heartbleed) to defeat the ASLR exploit mitigation. Doing so lowers the bar for remotely exploiting the device and enables an attacker to conduct a drive-by attack using a return-to-libc technique.

How does a Heartbleed-based attack on a mobile device work?
The attacker must first gain access to a victim’s communications. This can be done in several ways, including:

Once the attacker has access to data transmissions to and from the targeted device, Heartbleed causes much of the encrypted data to become viewable and extractable.

Which mobile devices and apps are affected by Heartbleed?
It is important to note that the vulnerability affects users via two distinct “layers”:

Other versions of Android might also be affected if the handset vendor (Samsung, LG) chose to integrate the affected version of OpenSSL within the handset. We’d like to note that iOS devices and newer versions of Android (4.2, 4.3, 4.4) are all considered safe. 

Enterprise Applications are Vulnerable.
The Lacoon Mobile Security Research team conducted an assessment of more than 100,000 popular Android (and iOS — if list exists) applications. Our research has shown that various enterprise apps, such as Mobile Device Management (MDM), Secure Wrappers and Firewalls, are affected.

What Steps Can You Take for Mitigation?
Lacoon Mobile Security will issue an immediate update to MobileFortress, ensuring the product can detect and mitigate exploitation of the Heartbleed vulnerability on all Lacoon-protected mobile devices.

In the meantime, and in case your environment does not have Lacoon MobileFortress installed, we recommend you follow these steps:

Read more of Lacoon's insights regarding Heartbleed at Bloomberg.com

Bleeding-In-The-Browser: The Risk of Reverse Heartbleed is Real
Lacoon Research demonstrates how easy it is to execute a reverse Heartbleed attack and the risk of Bleeding-In-The-Browser. Read our latest post on Bleeding-in-the-Browser – Why downplaying the reverse Heartbleed risk for mobile is dangerous for the Enterprise
