Millions of Android smartphones and tablets are at risk of being attacked via the Heartbleed bug (also known as CVE-2014-0160), more than a week after the security vulnerability was first made public.
Last week, Google announced that it was updating some of its services in response to the serious security hole.
But at the same time the company noted that when it came to the Android operating system, only one particular version of the software was at risk: version 4.1.1 of Jelly Bean.
Android: “All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).”
The danger is that devices running that version are exposed to what is known as the “Reverse Heartbleed” attack, in which a malicious web server exploits the flaw in the client’s OpenSSL library to read data out of the Android smartphone’s browser memory, including private information.
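The flaw behind both directions of Heartbleed is the same: the peer states how many payload bytes its heartbeat message carries, and an unpatched OpenSSL trusts that number instead of comparing it with the bytes actually received. The check below is an added illustration, not code from the article or from OpenSSL; it parses a TLS heartbeat record using the RFC 6520 layout and flags a message whose declared payload length does not fit in the record, which is the condition the OpenSSL patch added and the pattern an IDS rule for Heartbleed probes looks for. The sample records are constructed inline for the test.

```python
"""Validate a TLS heartbeat record the way patched OpenSSL does.

Added example (not from the article). Assumes the RFC 6520 message layout:
TLS record header (type 0x18, version, length) followed by
heartbeat type (1 byte), payload_length (2 bytes), payload, >= 16 bytes padding.
The sample records at the bottom are constructed test vectors.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of random padding
HEADER_LEN = 1 + 2              # heartbeat type + payload_length field


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether its heartbeat message is well-formed.

    Returns {"ok": bool, "reason": str, "declared_len": int, "actual_len": int}.
    A declared payload length larger than the payload bytes actually carried is
    exactly what an unpatched OpenSSL failed to reject (CVE-2014-0160).
    """
    result = {"ok": False, "reason": "", "declared_len": 0, "actual_len": 0}
    if len(record) < 5:
        result["reason"] = "truncated record header"
        return result

    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        result.update(ok=True, reason="not a heartbeat record")
        return result

    body = record[5:5 + length]
    if len(body) != length:
        result["reason"] = "record body shorter than record length field"
        return result
    if len(body) < HEARTBEAT_REQUEST + 2 + MIN_PADDING:
        result["reason"] = "heartbeat message shorter than minimum size"
        return result

    hb_type = body[0]
    declared_len = struct.unpack("!H", body[1:3])[0]
    # Bytes available for the payload once the header and mandatory padding
    # are accounted for; this mirrors the "1 + 2 + payload + 16 > length" fix.
    actual_len = len(body) - HEADER_LEN - MIN_PADDING
    result.update(declared_len=declared_len, actual_len=actual_len)

    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        result["reason"] = f"unknown heartbeat type {hb_type}"
        return result
    if declared_len > actual_len:
        result["reason"] = "declared payload length exceeds payload carried (Heartbleed pattern)"
        return result

    result.update(ok=True, reason="well-formed heartbeat")
    return result


def build_heartbeat_record(hb_type: int, payload: bytes, declared_len: int = None) -> bytes:
    """Build a heartbeat record for testing; declared_len lets a test vector lie."""
    if declared_len is None:
        declared_len = len(payload)
    body = bytes([hb_type]) + struct.pack("!H", declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0303, len(body)) + body


# Constructed test vectors (not captured traffic).
SAMPLE_OK = build_heartbeat_record(HEARTBEAT_REQUEST, b"hello")                  # honest length
SAMPLE_BAD = build_heartbeat_record(HEARTBEAT_REQUEST, b"hi", declared_len=16384)  # lies about length
SAMPLE_TRUNCATED = b"\x18\x03\x03\x00\x40" + b"\x01\x00\x05hello"               # header claims 64 bytes

if __name__ == "__main__":
    for name, rec in [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, check_heartbeat_record(rec))
```

The same check applies whether the heartbeat arrives at a server or, as in the Reverse Heartbleed case described above, at a browser: a client that validates the declared length before copying the payload into its response cannot be made to leak memory this way.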
So, the obvious question you should be considering is, are you running Jellybean 4.1.1 on your Android devices?
Here’s how you can check:
- Enter System settings
- Scroll the screen down to About
- Look for your Android version number
Alternatively, for a more thorough test, those nice folks at mobile security firm Lookout have published a free app which will niftily tell you if your version of Android is at risk.
“Heartbleed Detector” does that by determining if a vulnerable version of OpenSSL is installed, and whether your device is at risk because of the bug.
If either of these methods tells you that your Android smartphone or tablet might be at risk, an operating system update is strongly recommended – so go to System Updates.
And there’s your next problem. You might find that a system update is nowhere to be found.
As I’ve discussed before, Android devices can be something of a nightmare because of the difficulty involved in getting security updates.
Even if you *want* to upgrade the OS on your Android devices you might not be able to, because an Android update is only going to be available for those devices with the assistance and goodwill of the manufacturer and mobile phone carrier.
And often, history has shown us, older Android devices are left in the lurch and not given an easy path for OS updates.
As The Guardian explains, 50 million Android devices might be at risk from this particular vulnerability as a result.
It’s pretty shameful if manufacturers and mobile phone carriers fail to push out updates for Android 4.1.1, as the operating system was only released back in July 2012.
Further reading:
- Heartbleed claims British mums and Canadian tax payers as victims
- Heartbleed bug *can* expose private SSL keys
- The NSA knew about Heartbleed bug for two years, claims report
- Heartbleed bug explained by xkcd in a way anyone can understand
- In the wake of Heartbleed, watch out for phishing attacks disguised as password reset emails
- Here’s some really bad Heartbleed bug advice about changing your passwords
- Heartbleed OpenSSL bug: An FAQ for Mac, iPhone and iPad users
- Did the Heartbleed bug leak your Yahoo password?
- The Heartbleed bug: serious vulnerability found in OpenSSL cryptographic software library
"Even if you *want* to upgrade the OS on your Android devices you might not be able to, because an Android update is only going to be available for those devices with the assistance and goodwill of the manufacturer and mobile phone carrier."
Seems like the basis for a class action suit if the manufacturer won't provide relief from this blatant security problem. Now that it's so well known and documented, there may be a case for gross negligence.
They would need quite a lot (and I mean an incredible amount) of luck and it would set a (potentially dangerous for the company, potentially obnoxious for the customers) precedent too (= only good at times but bad at others). Think of it this way (and don't forget that the major telcos and major ISPs – those that are not the same company, of course – have a lot of influence and I think that is somewhat fair seeing as how they are part of the Internet backbones): ISPs roll out updates in batches. This includes bug fixes and new features.
Example: gateways (in the ISP definition – modem + router) and the firmware updates. Not only do you get it when it is your time, you don't usually have a choice. And while it may be obnoxious to not have some updates (e.g., security), personally I have had updates cause _serious_ problems by my ISP (a big telco) exactly because they thought it'd be a great idea to roll out an update (firmware) that a) reboots the gateway – bad enough – and b) attempts to connect, fails, tries again, after some time of which it reboots and tries the process all over again, for over _two hours_! That is inexcusable for a firmware update and worthy of the ID 10 T award, platinum even (worthy of it because this has happened not once but TWICE!).
Would you want them to always have to apply updates with that risk? I would be livid (and corporations would be more so since they rely on being connected. And home users are paying for a service and yet… sorry, a firmware upgrade preventing login for over two hours is not acceptable – it is a paid service to be on and not off because someone made a big mistake!). Even if all updates went as planned (which will never ever be the case and you can ask Murphy even if you don't believe me there… humans are imperfect for starters – look at the news about the Windows 8 update to make sure you get further updates that somehow prevented updates!) as in no errors, no problems 100% of the time, there is this little problem with mobile carriers and telcos in general. Different central offices/exchanges/other equipment per area. Same county even. One city in my county uses one of the major telcos while in the city I am in, the other one has the equipment. Then you consider different types of services (and for mobiles that would imply smart phone plans or not – e.g., I only just got a mobile last year and I don't have access to the Internet for it; I wouldn't use it anyway… for a regular ISP or land line it is different as well). And the different locations are for land line. Mobile is much more so and that includes more than one major telco in the same area.
This is how it is and almost assuredly always will be. You can never please everyone and I know my ISP gets much grief from customers that do not know much technically and one of the main things is because of firmware updates. For advanced users it is also infuriating but they know enough to understand that yes, they screwed up but yes they will fix it. They sort of have no choice in the matter. But while not having an update like this is bad, you also have to consider how corporations work and you also have to keep in mind something else: notice how Sony didn't filter and prevent some very old, very basic (so basic in fact that kids have done it with canned scripts… and I mean really young kids) attacks (SQL injection) in, was it 2012? Yeah, well just because security sites and the news report this doesn't mean that all corporations will know this or be able to get a fix rolling out when the customer wants. Perfect example is the one I just gave: SQL injection is quite old and yet many STILL do _not_ employ any defence mechanism (e.g., filtering) for it and many programmers STILL do _not_ sanitise user input (SQL or otherwise)! It would be ideal if they could get the balance right but we're all human and that will never happen as humans are not perfect.
This would also set a precedent for _all_ corporations. While I do think Apple (example) is irresponsible to delay updates (for Java security flaws) when there is already a known fix, they are not alone and as I referred to, imagine if Microsoft had mandatory updates at mandatory times – with no user intervention allowed/possible – and then now could not receive updates. You'd have people suing for updates and you'd have people suing for no (or not enough) updates.
According to the Chromebleed plugin — "This site is vulnerable. The domain www.foursys.co.uk could be vulnerable to the Heartbleed SSL bug."
Thanks for this Doug! Rest assured, as soon as the news broke the server was patched and the public certificates reissued. Some sites said it was fixed, others had a delay; perhaps this was true of the plugin. We're confident we're safe though :) Thanks for pointing it out. Expect some more articles from Graham on there soon.