Biz & IT —

Vicious Heartbleed bug bites millions of Android phones, other devices

Not the exclusive province of servers, Heartbleed can hack end users, too.

Dan Goodin - Apr 14, 2014 10:30 pm UTC

Vicious Heartbleed bug bites millions of Android phones, other devices — Centers for Disease Control and Prevention's Public Health Image Library via Wikipedia

The catastrophic Heartbleed security bug that has already bitten Yahoo Mail, the Canada Revenue Agency, and other public websites also poses a formidable threat to end-user applications and devices, including millions of Android handsets, security researchers warned.

Handsets running version 4.1.1 of Google's mobile operating system are vulnerable to attacks that might pluck passwords, the contents of personal messages, and other private information out of device memory, a company official warned on Friday. Marc Rogers, principal security researcher at Lookout Mobile, a provider of anti-malware software for Android phones, said some versions of Android 4.2.2 that have been customized by the carriers or hardware manufacturers have also been found to be susceptible. Rogers said other releases may contain the critical Heartbleed flaw as well. Officials with BlackBerry have warned the company's messenger app for iOS, Mac OS X, Android, and Windows contains the critical defect and have released an update to correct it.

The good news, according to researchers at security firm Symantec, is that major browsers don't rely on the OpenSSL cryptographic library to implement HTTPS cryptographic protections. That means people using a PC to browse websites should be immune to attacks that allow malicious servers to extract data from an end user's computer memory. Users of smartphones, and possibly those using routers and "Internet of things" appliances, aren't necessarily as safe.

Chief among vulnerable devices are those running Android. While exploiting vulnerable handsets often isn't as simple as attacking vulnerable servers, the risk is high enough that users should tightly curtail use of their Android devices until users are sure their handsets aren't susceptible, Lookout's Rogers advised.

"If you have a vulnerable device and there's no fix available for you, I would be very cautious about using that device for sensitive data," he told Ars. "So I would be cautious about using it for banking or sending personal messages."

How Android phones are vulnerable

Rogers said the most likely scenario for an attacker exploiting a vulnerable Android device is to lure the user to a booby-trapped website that contains a cross-site request forgery or similar exploit that loads banking sites or other sensitive online services in a separate tab. By injecting malicious traffic into one tab, the attacker could possibly extract sensitive memory contents corresponding to the sites loaded in other tabs, he said. A less sophisticated version of the attack—but also one that's easier to execute—might simply inject the malicious commands into a vulnerable Android browser and opportunistically fish for any sensitive memory contents that may be returned.

Promoted Comments

sep332Ars Scholae Palatinaeet Subscriptor
jump to post

Here's a site that tests for vulnerable clients. https://reverseheartbleed.com/

1379 posts | registered Jun 20, 2007
ShavanoArs Tribunus Militum
jump to post

sprockkets wrote:
dangoodin wrote:
sprockkets wrote:
Android upgrades !=security updates - Android phones get security fixes all the time.

That and cyangenomod fixed it apr 6 ☺

No doubt Google releases security fixes on a timely basis all the time. But as documented in the two Ars articles linked to this post, carriers and manufacturers have a long, uncontested history of not making them available to users unless they void their warranties and install Cyanogenmod. This is a problem for many users.

Wrong. In Casey's article, she clearly stated that the graphs ignore small or security updates the carriers push out.
Now I will concede that they will sell phones that are on older versions of Android that they've abandoned.

What are these small security fixes that the carriers allegedly push out? They haven't pushed anything on my phone in more than three years.

2623 posts | registered Oct 6, 2012
OstracusArs Legatus Legionis
jump to post

steven75 wrote:
sprockkets wrote:
Lars A. Gundersen wrote:
Apple Macintosh Lover wrote:
Lol, got iPhone?

Sigh yes some of us have and love our iPhones, but stating so here does not contribute anything useful to the discussion at hand. Do you have an actual contribution?

Yes, we wouldn't want to to remind them of what happened to apple with ios7 devices and OSX with their SSL bug a mere two months ago!

Yes we wouldn't want to remind them of how an OTA update was available within about two days for all hardware running that OS and just how much more effective that approach is in reality vs Android's "carriers run the show" approach.

4.3 "Jelly Bean" is where Google's modularization program plays a big role in breaking out of that "carrier" thing.

14116 posts | registered Oct 22, 2008
aexcorpSmack-Fu Master, in training
jump to post

steven75 wrote:
show nested quotes
Lars A. Gundersen wrote:
Apple Macintosh Lover wrote:
Lol, got iPhone?

Sigh yes some of us have and love our iPhones, but stating so here does not contribute anything useful to the discussion at hand. Do you have an actual contribution?

Yes, we wouldn't want to to remind them of what happened to apple with ios7 devices and OSX with their SSL bug a mere two months ago!

Yes we wouldn't want to remind them of how an OTA update was available within about two days for all hardware running that OS and just how much more effective that approach is in reality vs Android's "carriers run the show" approach.

I personally wouldn't brag about this episode if I were you. That was straight-up embarrassing and had been around for a long time before it was caught. The sheer magnitude of that hole was mind-boggling, in short.

This issue on the other hand affected an estimated >60% of the Internet, and there is no clear case why this really really matters for Android users to begin with.

But I do agree, Google failed to impose its terms on carriers and manufacturers and this causes problems. This is why I always recommend 2 things to Android users:
1) Get a Nexus-line phone (or a GP edition)
2) Install quality custom roms and keep them up to date.

32 posts | registered Aug 28, 2012
Tyler X. DurdenArs Praefectus
jump to post

mcmnky wrote:
show nested quotes
Quote:
Rogers said the most likely scenario for an attacker exploiting a vulnerable Android device is to lure the user to a booby-trapped website that contains a cross-site request forgery or similar exploit that loads banking sites or other sensitive online services in a separate tab.

Why is this even an article ?

OpenSSL is a server-side tech and Heartbleed is a server-side exploit. Has nothing to do with the end-Users.

The read can basically be pushed to any client device when referencing a phishing attack. This is nothing new and the client-side should simply watch whaat the F they are accessing or clicking on.

I thought the same thing (that Heartbleed was server-side), so I found this very confusing:

show nested quotes
The good news, according to researchers at security firm Symantec, is that major browsers don't rely on the OpenSSL cryptographic library to implement HTTPS cryptographic protections.

The linked entry says nothing about browsers or other clients. The discussion is strictly server-side.

If the issue is information available from the server, how does the version of the client (mobile or not) become a factor? If the client is vulnerable to CSRF, isn't that a separate issue from Heartbleed?

In this case a "server" doesn't need to be something that is a dedicated server, it just has to take on that role in a given connection relationship. This is the same way that any computer connected to the internet can function as server for a given task. That's the bidirectional, egalitarian nature of IP, it is really client/server neutral so anyone can be designated as the "server" by the higher up layers for their purposes.

So any application that includes this OpenSSL library and, even if it never intends the functionality to be used, responds to the heartbeat request because the programmer never #IFDEF'ed out that code as the library allows it to thus making the application (and potentially machine as a whole, depending on memory management configuration) vulnerable.

3430 posts | registered Sep 2, 2007

Promoted Comments

sep332Ars Scholae Palatinaeet Subscriptor
jump to post

Here's a site that tests for vulnerable clients. https://reverseheartbleed.com/

1379 posts | registered Jun 20, 2007
ShavanoArs Tribunus Militum
jump to post

sprockkets wrote:
dangoodin wrote:
sprockkets wrote:
Android upgrades !=security updates - Android phones get security fixes all the time.

That and cyangenomod fixed it apr 6 ☺

No doubt Google releases security fixes on a timely basis all the time. But as documented in the two Ars articles linked to this post, carriers and manufacturers have a long, uncontested history of not making them available to users unless they void their warranties and install Cyanogenmod. This is a problem for many users.

Wrong. In Casey's article, she clearly stated that the graphs ignore small or security updates the carriers push out.
Now I will concede that they will sell phones that are on older versions of Android that they've abandoned.

What are these small security fixes that the carriers allegedly push out? They haven't pushed anything on my phone in more than three years.

2623 posts | registered Oct 6, 2012
OstracusArs Legatus Legionis
jump to post

steven75 wrote:
sprockkets wrote:
Lars A. Gundersen wrote:
Apple Macintosh Lover wrote:
Lol, got iPhone?

Sigh yes some of us have and love our iPhones, but stating so here does not contribute anything useful to the discussion at hand. Do you have an actual contribution?

Yes, we wouldn't want to to remind them of what happened to apple with ios7 devices and OSX with their SSL bug a mere two months ago!

Yes we wouldn't want to remind them of how an OTA update was available within about two days for all hardware running that OS and just how much more effective that approach is in reality vs Android's "carriers run the show" approach.

4.3 "Jelly Bean" is where Google's modularization program plays a big role in breaking out of that "carrier" thing.

14116 posts | registered Oct 22, 2008
aexcorpSmack-Fu Master, in training
jump to post

steven75 wrote:
show nested quotes
Lars A. Gundersen wrote:
Apple Macintosh Lover wrote:
Lol, got iPhone?

Sigh yes some of us have and love our iPhones, but stating so here does not contribute anything useful to the discussion at hand. Do you have an actual contribution?

Yes, we wouldn't want to to remind them of what happened to apple with ios7 devices and OSX with their SSL bug a mere two months ago!

Yes we wouldn't want to remind them of how an OTA update was available within about two days for all hardware running that OS and just how much more effective that approach is in reality vs Android's "carriers run the show" approach.

I personally wouldn't brag about this episode if I were you. That was straight-up embarrassing and had been around for a long time before it was caught. The sheer magnitude of that hole was mind-boggling, in short.

This issue on the other hand affected an estimated >60% of the Internet, and there is no clear case why this really really matters for Android users to begin with.

But I do agree, Google failed to impose its terms on carriers and manufacturers and this causes problems. This is why I always recommend 2 things to Android users:
1) Get a Nexus-line phone (or a GP edition)
2) Install quality custom roms and keep them up to date.

32 posts | registered Aug 28, 2012
Tyler X. DurdenArs Praefectus
jump to post

mcmnky wrote:
show nested quotes
Quote:
Rogers said the most likely scenario for an attacker exploiting a vulnerable Android device is to lure the user to a booby-trapped website that contains a cross-site request forgery or similar exploit that loads banking sites or other sensitive online services in a separate tab.

Why is this even an article ?

OpenSSL is a server-side tech and Heartbleed is a server-side exploit. Has nothing to do with the end-Users.

The read can basically be pushed to any client device when referencing a phishing attack. This is nothing new and the client-side should simply watch whaat the F they are accessing or clicking on.

I thought the same thing (that Heartbleed was server-side), so I found this very confusing:

show nested quotes
The good news, according to researchers at security firm Symantec, is that major browsers don't rely on the OpenSSL cryptographic library to implement HTTPS cryptographic protections.

The linked entry says nothing about browsers or other clients. The discussion is strictly server-side.

If the issue is information available from the server, how does the version of the client (mobile or not) become a factor? If the client is vulnerable to CSRF, isn't that a separate issue from Heartbleed?

In this case a "server" doesn't need to be something that is a dedicated server, it just has to take on that role in a given connection relationship. This is the same way that any computer connected to the internet can function as server for a given task. That's the bidirectional, egalitarian nature of IP, it is really client/server neutral so anyone can be designated as the "server" by the higher up layers for their purposes.

So any application that includes this OpenSSL library and, even if it never intends the functionality to be used, responds to the heartbeat request because the programmer never #IFDEF'ed out that code as the library allows it to thus making the application (and potentially machine as a whole, depending on memory management configuration) vulnerable.

3430 posts | registered Sep 2, 2007

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

How Android phones are vulnerable

Further Reading

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica