More than 100,000 Android users around the world downloaded Lookout Security’s free Heartbleed Detector app for Android to determine if their mobile device was vulnerable to the Heartbleed security bug, providing Lookout with a large body of data on the Heartbleed vulnerability.
Ninety-six percent of all Android devices scanned were found not to be susceptible to Heartbleed attacks, the major exception being Android version 4.1.1. Unexpectedly, some devices running Android 4.2.2 were also vulnerable. Lookout Security posits that this is likely due to custom alterations to the operating system (OS).
Top 10 Susceptible Devices
Most of the vulnerable users had one of 10 popular smartphones and tablets: HTC One X, X+, and S; HTC Desire X and EVO 4G; Motorola Atrix HD; T-Mobile Prism II; ZTE Valet; Nextbook 8; and Huawei Ascend Y300. For these models, the share of scanned units found vulnerable ranged from about 82 percent to 100 percent. As of the publishing of Lookout’s blog post on April 18, none of these devices had been patched.
These devices likely suffer from a lack of manufacturer OS updates, which tend to focus on newer devices. “It’s a curse of these phones’ own success,” explains Lookout. “The hardware has lasted so well that the software can’t measure up.” Unfortunately, there is little users can do about it: only an update from the manufacturer or Google can fix the problem.
The Heartbleed Detector app was downloaded in over 100 countries, and vulnerable devices were found around the globe. Most of the data came from the roughly 75,000 users based in the United States, of whom 3.4 percent were found to be vulnerable.
Heartbleed and Mobile Devices
Heartbleed, a bug recently discovered in the widely used OpenSSL encryption library, allows attackers to extract up to 64 KB of data from a server’s memory. An attack is made on an affected server by sending a defective “heartbeat,” a message type designed to keep secure connections open when they are not otherwise in use, as illustrated excellently by the Web comic XKCD. Certain mobile devices are vulnerable to so-called “reverse Heartbleed,” in which the attack targets the individual’s client device rather than a server.
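What makes a heartbeat “defective” is that its claimed payload length exceeds what was actually sent, and the unpatched code trusted that claim. The following Python simulation is an added illustration, not code from Lookout’s post or from OpenSSL: it models process memory as a byte string (constructed sample data) and shows the handler without and with the length check that the fix introduced.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2   # one type byte plus a 16-bit payload_length (RFC 6520)
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding after the payload


def handle_heartbeat_unchecked(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: the received record occupies memory[:record_len], but the
    handler copies payload_length bytes on trust, so when the claimed length exceeds
    what was actually sent the reply carries bytes from beyond the record."""
    hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]   # no check against record_len
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Corrected behaviour: header + claimed payload + minimum padding must fit inside the
    record that was actually received; anything else is silently discarded (RFC 6520)."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_len:
        return None   # claimed payload runs past the record: the defective heartbeat
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


# Constructed simulation of process memory (not a real capture): a well-formed heartbeat
# and a defective one, each followed by unrelated data that must never reach the wire.
OTHER_DATA = b"other-connection-data:constructed-placeholder"
GOOD_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 2) + b"ab" + b"\x00" * MIN_PADDING
GOOD_MEMORY = GOOD_RECORD + OTHER_DATA + b"\x00" * 256
BAD_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 200) + b"ab" + b"\x00" * MIN_PADDING
BAD_MEMORY = BAD_RECORD + OTHER_DATA + b"\x00" * 256

if __name__ == "__main__":
    print("unchecked leaks other data:", OTHER_DATA in handle_heartbeat_unchecked(BAD_MEMORY, len(BAD_RECORD)))
    print("checked discards defective heartbeat:", handle_heartbeat_checked(BAD_MEMORY, len(BAD_RECORD)) is None)
    print("checked answers a valid heartbeat:", handle_heartbeat_checked(GOOD_MEMORY, len(GOOD_RECORD)))
```

The same check applies on the client side, which is why a device’s own OpenSSL build decides whether it is exposed to reverse Heartbleed.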
Whether a device itself is vulnerable has no bearing on the security of the sites its user visits: even if a device is not susceptible to reverse Heartbleed attacks, the user’s information may be at risk when visiting a vulnerable website. Heartbleed affects an extremely broad segment of the Internet because OpenSSL is incorporated into Web servers including Apache and nginx, which together serve 66 percent of all websites, according to Netcraft. It is important to note that not all sites using OpenSSL are vulnerable.
Fortunately, the industry is responding to this potential crisis very rapidly, often through costly and time-consuming means. How has Heartbleed affected you? If the response to Heartbleed or the bug itself has had an impact on you, please share your experience in the comments.