Millions of Android Devices Vulnerable to Heartbleed Bug

HardOCP News

I guess it only makes sense that, with everything else vulnerable to the Heartbleed bug, Android devices would be too. :(

Millions of smartphones and tablets running Google Inc. (GOOG)’s Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into consumer devices.
 
bullshit, they will be once you change the password. wtf world do we live in smh.;)
 
How does a server side flaw affect a smartphone? Is vanilla Android really running an SSL server?
 
Not surprising at all.
What is also not surprising is that my Samsung tablet will never get patched. It's still stuck at Android 4.1.1. I guess it's too old.
 
The problem with smartphones and tablets is that they don't check for server cert revocation. If you need to check a website for that, you can check the cert validation date within your desktop browser (should be invalid BEFORE April 7th), or use the handy page Gibson has (on a desktop). You should have Chrome/Safari/FF set to check for server revocation. Then navigate to Steve's page at https://revoked.grc.com/ to see if your browser has alerted you that the site's cert has been "revoked". If you see that "error", that's GOOD: your browser is doing its job. Otherwise, if the page is actually displayed (and you should read what Steve wrote), then your browser isn't checking properly (not set up right) or the server's cert hasn't been updated.

Mobile devices don't have this built-in functionality, and depending on who you talk to in the security community, you either need to change your passwords on sites you securely log into, or some think you don't need to bother. If you have 2-factor authentication set up you don't need to worry about your credentials being stolen, but if you don't have it set up I would probably change your passwords for those sites; better safe than sorry.

Philip
 
The problem with smartphones and tablets is that they don't check for server cert revocation
Ah, now that makes sense. I was trying to figure out how a server side buffer overread was going to cause problems on my smartphone. I really wish all the reports on Heartbleed contained at least SOME technical details. The mainstream media really has no idea what this is all about. This morning, my local news stated that the government websites that had been down for 5 days due to the Heartbleed virus were now back up. :rolleyes:
 
Lookout Security has a Heartbleed Detector in the Google Play Store. Will let you know if your Android device is vulnerable, if it's active, and you can send the results to them to help with ongoing security research and development.
 
How does a server side flaw affect a smartphone? Is vanilla Android really running an SSL server?

I didn't read the article, but servers and clients can both request heartbeats, so if the client is running OpenSSL, it can be exploited by a malicious server. Not sure what the practical damage is, though.
 
Hmmm.

The version of OpenSSL on your device is affected by the Heartbleed bug (1.0.1.c)

But the vulnerable behavior is not enabled

Everything is OK.

Got this on my phone and my Nexus 7.
 
Ah, now that makes sense. I was trying to figure out how a server side buffer overread was going to cause problems on my smartphone. I really wish all the reports on Heartbleed contained at least SOME technical details. The mainstream media really has no idea what this is all about. This morning, my local news stated that the government websites that had been down for 5 days due to the Heartbleed virus were now back up. :rolleyes:

The thing to keep in mind about Heartbleed is that websites have to be patched. A lot of Big Iron sites (Amazon, Facebook, etc.) already have been (or weren't vulnerable because they used something other than OpenSSL, like IIS), but it's the small mom-and-pop websites that may not know how to, or may not even be aware.

You can also go to SSLlabs.com and click on their Server Test to see if a URL is still vulnerable. Don't bother with the other one (filippo.??); it was shown to not work at all. Ivan from SSLlabs knows his stuff and implemented the test code quite well.

Philip
 
Apple had their own brain-dead SSL bug a little bit earlier this year, but this one should not affect them, since they don't use OpenSSL.
They *do* use OpenSSL, but 0.9.8, which wasn't affected by the bug.

And if you're using Safari on OS X, here is how you can make it check certificate revocation:

command + space > keychain access
open keychain access
preferences > certificates
hold down Option
change OCSP and CRL to "Require for all certificates"
 
What does the phone use SSL for exactly? Like, if my phone is just sitting on the table or I've only taken some phone calls or texts, is it exploitable, or do I need to actually be running a web server off it or something and have the port forwarded through my router? (unlikely for a phone)
 
What does the phone use SSL for exactly? Like, if my phone is just sitting on the table or I've only taken some phone calls or texts, is it exploitable, or do I need to actually be running a web server off it or something and have the port forwarded through my router? (unlikely for a phone)
it's checking server certificates to see if they are valid

it's not exploitable in the sense that someone can crack into your phone and do something to you but it's exploitable in the sense that a malicious website can pretend to be something it's not and your device wouldn't alert you to the fact
 
Not surprising at all.
What is also not surprising is that my Samsung tablet will never get patched. It's still stuck at Android 4.1.1. I guess it's too old.

I would say that will be true with the majority of android devices.
 
What does the phone use SSL for exactly? Like, if my phone is just sitting on the table or I've only taken some phone calls or texts, is it exploitable, or do I need to actually be running a web server off it or something and have the port forwarded through my router? (unlikely for a phone)
When you talk to an SSL server with your phone, it's a two-way street. You're both using the protocol, one as client and one as server, and the client and server sides probably share a lot of code. So someone could probably impersonate a server and probe your phone's memory, with recent communications likely being randomly spread in there.
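This reply and the earlier one pointing out that either peer may send a heartbeat request are describing the same missing bounds check. What follows is an added example written for this thread, not code from the thread or from OpenSSL: a cut-down model of heartbeat processing using the RFC 6520 message layout (type, 2-byte payload length, payload, at least 16 bytes of padding). The "process memory" is a constructed arena with a made-up secret placed right after the received record, and the function names (build_request, heartbeat_vulnerable, heartbeat_fixed, run_heartbeat, response_leaks_secret) are hypothetical. The vulnerable handler trusts the length field inside the message; the fixed one adds the two checks the OpenSSL 1.0.1g patch added, comparing the claimed length against the length of the record that actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL code): simplified RFC 6520 heartbeat layout
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Either side of a TLS connection may send a request, so a malicious
 * server can probe a client exactly as a malicious client probes a server. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  256

/* Constructed "process memory": the received record sits at the front,
 * followed by bytes the peer was never meant to see. Keeping everything in
 * one arena we own means the over-read below stays inside defined memory. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session-cookie=abc123";   /* constructed sample */

/* Build a heartbeat request that claims claimed_len payload bytes but
 * actually carries only strlen(payload) bytes. Returns the record length. */
static size_t build_request(unsigned char *buf, uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Echo the payload back, sized by the length field in the message.
 * Nothing here consults rec_len, so the memcpy reads past the record
 * whenever the claimed length exceeds what was actually received. */
static int echo_payload(const unsigned char *rec, unsigned char *out, size_t out_cap)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST) return -1;
    /* Only the response buffer is bounded; in this model that also keeps the
     * read inside the arena, which is what makes the demo safe to run. */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);               /* the over-read */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Vulnerable handler: the record length is accepted but never used. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* never checked: the bug */
    return echo_payload(rec, out, out_cap);
}

/* Fixed handler: a record must hold header + padding, and header +
 * claimed payload + padding; anything else is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if ((size_t)1 + 2 + HB_PADDING > rec_len) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;
    return echo_payload(rec, out, out_cap);          /* payload now fits */
}

/* Lay out one request (real payload "hi") followed by the secret, process it
 * with the chosen handler, and return the response length or -1. */
int run_heartbeat(int use_fixed, uint16_t claimed_len, unsigned char *resp, size_t cap)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, claimed_len, "hi");
    memcpy(arena + rec_len, secret, sizeof secret);  /* adjacent memory */
    return use_fixed ? heartbeat_fixed(arena, rec_len, resp, cap)
                     : heartbeat_vulnerable(arena, rec_len, resp, cap);
}

/* 1 if the secret string appears anywhere in the response bytes, else 0. */
int response_leaks_secret(const unsigned char *resp, int n)
{
    size_t slen = strlen(secret);
    if (n < 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[ARENA_SIZE];
    int n = run_heartbeat(0, 100, resp, sizeof resp);   /* claims 100, sends 2 */
    printf("vulnerable: %d bytes back, secret leaked = %d\n", n, response_leaks_secret(resp, n));
    n = run_heartbeat(1, 100, resp, sizeof resp);
    printf("fixed:      %d bytes back, secret leaked = %d\n", n, response_leaks_secret(resp, n));
    n = run_heartbeat(1, 2, resp, sizeof resp);         /* honest length still works */
    printf("fixed, honest length: %d bytes back\n", n);
    return 0;
}
```

The request claims 100 payload bytes while sending two; the vulnerable handler dutifully copies 100 bytes starting at the payload, which pulls the adjacent secret into the response, while the fixed handler discards the record and still answers a correctly sized request. The real bug let the attacker claim up to 64 KB per request and repeat it at will; the point the phone question turns on is that the device being probed can be whichever side received the request.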
 
It's already watching everything you do for Google. It shouldn't even bother people that they're compromised since that was pretty much a given considering the company that made the OS in the first place. :D
 
it's checking server certificates to see if they are valid

it's not exploitable in the sense that someone can crack into your phone and do something to you but it's exploitable in the sense that a malicious website can pretend to be something it's not and your device wouldn't alert you to the fact

Oh ok, does not sound that scary then, as long as they do patch it. I rarely visit the web with my phone anyway, and the sites I do visit aren't even https.
 
This thread would have been four or five pages in a few hours if it had been iOS.

Since it is the super almighty Android designed by the Google god it gets a pass.
 
Interesting that Apple had nothing to say on the problem, denial solves the issue?
 
Interesting that Apple had nothing to say on the problem, denial solves the issue?
what are you talking about? Apple already made an announcement about it not being affected. What kind of statement should they make about android?
 
I just checked the test link using my Note 3 on Verizon running 4.3.0 and Chrome version 34.0.1847.114, and it appears to be vulnerable. This is interesting considering it is Samsung's *current* flagship device. :mad::mad:
 
Hmmm.

The version of OpenSSL on your device is affected by the Heartbleed bug (1.0.1.c)

But the vulnerable behavior is not enabled

Everything is OK.

Got this on my phone and my Nexus 7.

Didn't see this before, but Lookout's app tells me the same thing. So now which do I believe?
 