Risk and the Android Heartbleed vulnerability

Less than 10% of Android devices were affected by the Heartbleed vulnerability. Here is what you need to know

I haven’t written about the Heartbleed vulnerability. Anything I had to say would have just added to the atmosphere of fear, uncertainty, and doubt, or might have caused a 15-year-old who has been coding since he was five to track me down through stackoverflow to reprimand me for some inexcusable oversight. Don’t laugh, it happens. But now that the dust has settled, here are a few thoughts about the OpenSSL vulnerability, aka Heartbleed, in Android 4.1.1.

To start, please consider some context. The perfectly secure device, computer or data center is just one that has not yet been penetrated. The principle behind computer security isn’t perfect security, but presenting a greater challenge to bad actors than other equally valuable targets, so that the attacker’s attention is focused on easier prey. Absolute security does not exist. For example, the ultra-secure 3DES encryption algorithm can be deciphered with significant computing power. Iran’s nuclear centrifuges were infected with the Stuxnet virus while not connected to the internet, and air-gap malware prototypes have been shown to infect unconnected machines using inaudible sounds.

Android 4.1.1 is the only version of Android that is vulnerable to the Heartbleed exploit. According to Google’s security blog, it’s been patched, but distribution of the patch depends on OEMs integrating the patch and on carriers delivering it with an over-the-air update. This version accounts for a single-digit share of the Android population. It’s good to know that more than 90% of Android devices are safe from the Heartbleed vulnerability, but that’s no comfort if you are running this version. Before worrying, though, see if an update for the device is available from your carrier.

If an update from the carrier with the patch isn’t available, download the free Bluebox Heartbleed Scanner or the Lookout Heartbleed Security Scanner from the Play store. These apps detect whether the OS and/or apps are subject to the vulnerability and whether the feature causing the vulnerability is turned on. Even if the device isn’t running the affected version of Android, running these scanners will check installed apps to determine whether the app developers bundled a vulnerable version of OpenSSL. If one of the scanners detects app vulnerabilities, update them and run the scanner again. For those who need to know exactly how the Heartbleed vulnerability works, Matt Nordhoff put a good explanation on stackoverflow.
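To make the two checks the scanners perform concrete, here is an added example (not the Bluebox or Lookout scanners’ own code, and not from the original article) that classifies the OpenSSL version banner embedded in a native library and the Android release string. It assumes the banner follows OpenSSL’s usual "OpenSSL 1.0.1e 11 Feb 2013" form; the sample blobs are constructed. The version check alone cannot tell whether heartbeats were compiled out (OPENSSL_NO_HEARTBEATS), which is the second thing the scanners look at.

```python
import re

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
# Android 4.1.1 is the only Android release that shipped an affected build.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")

# Constructed sample library contents (junk bytes around a version banner).
SAMPLE_VULNERABLE = b"\x7fELF\x00...\x00OpenSSL 1.0.1e 11 Feb 2013\x00"
SAMPLE_FIXED = b"\x7fELF\x00...\x00OpenSSL 1.0.1g 7 Apr 2014\x00"
SAMPLE_OLD_BRANCH = b"\x7fELF\x00...\x00OpenSSL 1.0.0k 5 Feb 2013\x00"


def parse_openssl_version(blob: bytes):
    """Return (major, minor, patch, letter, is_beta) for the first banner found, else None."""
    m = VERSION_RE.search(blob)
    if not m:
        return None
    major, minor, patch = (int(g.decode()) for g in m.group(1, 2, 3))
    letter = m.group(4).decode()          # '' for 1.0.1, 'a'..'z' for point releases
    return (major, minor, patch, letter, m.group(5) is not None)


def is_heartbleed_version(version) -> bool:
    """True when the parsed version falls in the affected range."""
    major, minor, patch, letter, is_beta = version
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"               # 1.0.1 and 1.0.1a..f affected; 1.0.1g+ fixed
    if (major, minor, patch) == (1, 0, 2):
        return is_beta                    # conservatively flag any 1.0.2 pre-release (beta1 was affected)
    return False                          # 0.9.8 and 1.0.0 never had the heartbeat code


def android_release_vulnerable(release: str) -> bool:
    """OS-level check: only the 4.1.1 release shipped the affected library."""
    return release.strip() == "4.1.1"


def assess_app_library(blob: bytes) -> str:
    """Classify one native library the way a scanner would report it to the user."""
    version = parse_openssl_version(blob)
    if version is None:
        return "no-openssl-banner"
    return "vulnerable" if is_heartbleed_version(version) else "patched-or-unaffected"
```

A real scanner would walk every .so under each installed app's lib directory and feed the bytes to assess_app_library; a hit on a bundled library is what prompts the "update the app" step above.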

The risk is relative to the uses of the affected Android 4.1.1 device. If the device is used with data that is regulated by the government, such as under Sarbanes-Oxley or HIPAA, where data breaches are subject to fines and other legal action, don’t use apps that handle the regulated data. If the device will continue to be used for other purposes while awaiting the update, back up the data and restore the device to factory settings, erasing all the user data. Don’t use the device for the regulated data until the carrier has updated Android and the apps have been updated.

If the scanners detect a vulnerability and the device isn’t used with government-regulated data, the risk to the data on the device needs to be considered. Sensitive information, such as bank accounts, credit cards, social security numbers and the like, should be a concern. If you will continue to use the device, this data should be removed.

Risks to devices without government-regulated data or financial information are proportional to the data stored on them. The email and social media passwords could be the only data at risk on a casually used device. But you need to weigh how valuable these credentials are to a bad actor, compared to targeting a dusty old bank that hasn’t patched the OpenSSL vulnerability on their servers.

Turning on device encryption, a standard Android feature, would reduce the vulnerability, but if the device is still running Android 4.1.1, it’s probably pretty old and the burden of device encryption might result in sluggishness.

Even with device encryption, the HTTPS browser cache might still be vulnerable. Turning off the cache would solve this problem, but it requires either modifying the Chrome browser APK manifest or rooting the device, so it’s not really an option for most people. And the same sluggishness applies to this modification.

Still worried that an old device running Android 4.1.1 is at risk, but love your device? Installing one of the popular custom ROMs would eliminate the risk. A nice new Nexus 5, Moto X or Moto G will eliminate the risk at a cost of $180 to $350 without contract.

The publicity of Heartbleed has informed the black hat community of the vulnerability, so it is one more weapon in their arsenal. The risk to an individual device really depends on how many other more valuable targets remain unpatched.
