Threat Level Thursday: Heartbleed and Android
Remember Heartbleed? Discovered two weeks ago, the OpenSSL vulnerability sent ripples through the technosphere because around two-thirds of the world's websites were affected. It's not just servers, however, that are vulnerable to Heartbleed.
Android devices are affected too, and not just a small group of them. Security experts have determined that Android 4.1.1 Jelly Bean is susceptible to the Heartbleed OpenSSL vulnerability. For those wondering, the Android 4.1.x Jelly Bean series is the most widely used version of Android, according to statistics published by Google at the beginning of April.
The worst part? Devices still running Android 4.1.1 are likely to stay on that version. The latest version of Android is 4.4 KitKat, and any device that hasn't been updated past Android 4.1.1 is probably no longer receiving support anyway. Luckily, Google has noticed the situation and taken steps to patch Android 4.1.1 systems, although, given the fragmented nature of the Android ecosystem, it's unclear how effective that campaign has been.
In addition, more than ten percent of Android apps are still open to Heartbleed attacks.
"For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed," write cybersecurity firm FireEye researchers Yulong Zhang, Hui Xue and Tao Wei.
Heartbleed is a coding mistake introduced into the OpenSSL encryption library over two years ago that allows an outside party to eavesdrop on protected communications and steal personal information, including financial data.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," Codenomicon, the Finland-based security firm that discovered Heartbleed, wrote on Heartbleed.com.
Codenomicon even tested Heartbleed on themselves, saying, "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business-critical documents and communication."
Major social media sites and services such as Facebook, Gmail, and Yahoo were all found to be open to Heartbleed attacks. Most such sites have since patched their systems.
Experts are still scrambling to work out the ramifications of Heartbleed. Although the mistake was introduced into the OpenSSL code over two years ago, most agree that it's unlikely many hackers knew about Heartbleed before its disclosure. It has come out, however, that intelligence agencies such as the NSA have exploited Heartbleed.