Some Android Phones Vulnerable to Reverse Heartbleed
The Heartbleed OpenSSL vulnerability that rocked the Internet security community has prompted flurries of password changes and security patches. Now, security researchers have revealed a related vulnerability called “reverse Heartbleed,” and certain Android devices running Jelly Bean (4.1.1) may be vulnerable to the bug.
What Is Reverse Heartbleed?
When a computer requests access to a server, the server sends back a TLS “heartbeat” letting the computer know that it’s listening. In most cases, the server only sends back the amount of data that it has received from the computer. However, if a server has the Heartbleed bug, an attacker could request information from a server’s memory and receive more than just the heartbeat in response.
For example, if a server’s memory hasn’t been recycled, it may still store old requests from previous users. The hacker could get information from those previous requests, and that information could include cookies and login information.
TLS heartbeats can be sent by both the requesting computer and the server, which creates a possible “reverse Heartbleed” scenario. A malicious server could send a packet back to a computer that would extract information from that computer. For example, a man-in-the-middle attack could redirect clients from a legitimate server to a malicious server that could employ reverse Heartbleed. Virtually any application containing code that makes outbound HTTP requests could be vulnerable to reverse Heartbleed. Also, many organizations haven’t finished replacing security certificates that they purchased before issuing Heartbleed patches.
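The heartbeat exchange described above, as an added example that is not part of the original article: a minimal TLS heartbeat handler in Python with the length check that the Heartbleed fix added. The message layout (type, two-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the function names and the constructed test messages are my own. Because heartbeats flow in both directions, a client processing a server's heartbeat needs exactly the same check, which is the reverse case the article describes.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding
HEADER_LEN = 3    # 1-byte type + 2-byte big-endian payload_length


def parse_heartbeat(record: bytes):
    """Parse one heartbeat message; return (type, payload) or None to discard.

    The decisive line is the bounds check: the payload length the peer
    *claims* must fit inside the bytes that were *actually received*.
    Heartbleed was the absence of this check, so a peer claiming 64 KB
    of payload in a 24-byte message was answered with 64 KB of memory.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    # RFC 6520: if payload_length is too large, silently discard the message.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return msg_type, payload


def build_heartbeat(msg_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Encode a heartbeat message with fresh random padding."""
    if padding_len < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(padding_len)


def respond_to_heartbeat(record: bytes):
    """Return the response record to send, or None if the input is discarded.

    Used identically by a server answering a client and by a client
    answering a server, so the same check closes both Heartbleed directions.
    """
    parsed = parse_heartbeat(record)
    if parsed is None:
        return None
    msg_type, payload = parsed
    if msg_type != HEARTBEAT_REQUEST:
        return None  # responses are consumed, never echoed back
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


# Constructed test input: a 24-byte message whose length field claims 0x4000 bytes.
MALFORMED_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000) + b"hello" + b"\x00" * 16
```

The well-formed request is echoed with the same payload and a new padding block, while `MALFORMED_REQUEST` is dropped without a reply.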
How Does It Affect Android Users?
Considering the increase in Android malware and vulnerabilities, users should investigate Android security software for their phones and tablets. Unfortunately, not everyone using an Android smartphone promptly gets the latest version of Android. Android updates don’t come directly from Google; instead, they come from device makers only after carriers approve them. About 34 percent of Android devices are still using Jelly Bean, but Google hasn’t provided estimates of how many Jelly Bean users specifically use Android 4.1.1 (the latest version of Jelly Bean is 4.1.2).
According to Google estimates, 10 percent of active Android devices could be vulnerable to reverse Heartbleed. An estimated 900 million Android devices have been activated worldwide. Popular devices that commonly use 4.1.1, according to Mashable, include HTC One S, HTC One X, HTC Evo, HTC One X+ and Motorola Atrix HD. All Android users should check their devices to see whether they’re running 4.1.1.
The good news is that although security experts have detected hackers scanning websites for Heartbleed vulnerabilities, they haven’t noted attacks on individual devices. Attackers get more mileage from attacking a server, which could contain data from multiple users, than they would from attacking one person’s device and getting only one person’s data. Marc Rogers, a security expert who works for Lookout Mobile, suggests that attackers wouldn’t target individual devices until they’ve exhausted the possibilities of server attacks.
Is the Heartbleed Bug as Dangerous as It Sounds?
Reverse Heartbleed would be labor-intensive for hackers, but it’s still a vulnerability that no one wants on his or her Android device. Anyone who uses the Internet should take these steps to shield themselves from Heartbleed and its variants:
- Take an inventory of existing passwords. Web users should start by listing as many websites as possible for which they have passwords. A password manager comes in extremely handy for remembering where users have opened accounts.
- Check the URLs for Heartbleed vulnerability. Copy and paste the URLs into a Heartbleed tester or install a browser extension like Chromebleed to be notified when visiting a Heartbleed-vulnerable site. Only change passwords once a website has been made safe.
- Change passwords on patched sites. Changing passwords on unpatched sites won’t help because attackers can still snatch the information. However, make sure not to recycle that same password on other websites.
- Update Android. Encourage carriers and phone manufacturers to improve the update process for Android. If running Android 4.1.1, either choose a newer device or ask the manufacturer for an immediate OS update.
The scariest thing about Heartbleed and its variants is that devices can’t detect them when they’re happening. No one really knows whether they’ve been victimized by Heartbleed or not until the damage is already in progress, which makes Android security software more important than ever before.
Heartbleed logo by Leena Snidate/Codenomicon from Wikimedia Commons (public domain).