As companies launch Heartbleed fixes, customers with older devices may be left out in the cold
Google has warned that a version of its Android operating system is susceptible to attacks from the Heartbleed bug revealed earlier this month. The company has also said that people using its Cloud Compute Engine should manually update their OpenSSL implementations.
The company says in its blog post that it is working with its hardware partners to push fixes for the millions of Android devices affected by Heartbleed. But given that the affected devices haven't received an update despite the numerous releases Google has made since the affected version was released in July 2012, it seems unlikely that the problem will be fixed in due time.
Lookout, a mobile security company, has updated its app with the ability to check and see if the device on which it's installed is running the affected version of Android. Unfortunately, the app can't do anything beyond that: it recommends checking for software updates if their device is affected -- if none are available, the company says, "there isn't anything you can do."
The discovery follows reports that the Heartbleed bug has been found in Wi-Fi routers from Cisco and Juniper Systems. The fix for that problem, according to one security expert, is going to involve "a trash can, a credit card, and a trip to Best Buy." There's little else people can do.
These warnings demonstrate the Heartbleed bug's lasting impact. Large companies can and have fixed their websites or updated their infrastructure to protect their users' information. But when consumers are using devices that have long since been abandoned by their creators or are difficult to upgrade, the only recourse seems to be either living with the possibility of being affected by Heartbleed or upgrading to new hardware unaffected by the vulnerability.
Reactions from around the Web
Bloomberg reports that the long upgrade cycle is one of Android's biggest downfalls:
'One of the major issues with Android is the update cycle is really long,' said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd., a cyber-security company focused on advanced mobile threats. 'The device manufacturers and the carriers need to do something with the patch, and that’s usually a really long process.'
Christopher Katsaros, a spokesman for Mountain View, California-based Google, confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it has 'assessed the SSL vulnerability and applied patches to key Google services.' BBC notes that many apps, services, and devices might have simply been forgotten about:
'Some of these are services that were set up and then forgotten about,' said senior malware researcher David Sancho.
'There's no way from using an app you can know if it's good or bad.
'So, for the moment, the best thing to do is use the ones from the major vendors that we know have been patched... but for the minor ones that have said nothing, be wary.'
Bloomberg Businessweek says that BlackBerry is updating its services in response to Heartbleed:
To date, hackers have mostly focused their efforts on servers using OpenSSL protocols and not on individual devices. Such a labor-intensive effort would require targeting each phone or tablet separately to exploit the bug and potentially steal data.Pando weighs in
Still, it’s best not to give them the option. BlackBerry (BBRY) plans to release Heartbleed security updates for two of its products: BBM messaging for Android and Apple’s (AAPL) IOS and its Secure Work Space corporate e-mail software.
I wrote about the shaky idea that the Internet can ever truly be secure after the bug was revealed:
The bug is said to have been around since 2012. The sheer number of websites that use OpenSSL — including Yahoo, Imgur, and OKCupid — means that many millions of Internet users may have potentially had their privacy compromised over the last two years. Combine that with the news that Apple had failed to implement a security tool in its mobile and desktop operating systems for more than a year and the idea that anyone can ever be truly secure online seems permanently out of reach.I then wrote about why being able to change your passwords is a good thing:
The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your finger tips and tattoo some new patterns onto them?
Having to change all of your passwords sucks. Not being able to adapt to compromises in the security measures that protect all of your personal information, however, would be even worse. Then I wrote about how small mistakes can have enormous consequences on the modern Web:
Finding these errors would be like finding a typo in “Infinite Jest” – it’s not going to be easy unless you know just what you’re looking for.
But the ramifications of these mistakes aren’t quite so minuscule. Hundreds of millions of people rely on Apple’s products to browse the Web. Even more interact with a large number of websites that use OpenSSL. It’s impossible to know how many people have been affected by these mistakes, but the threat itself has been enough to put security experts on high alert.
That’s the truth of Internet security. All it takes is for a team of professionals to miss two words, or for two unpaid volunteers to miss a “quite trivial” mistake in a widely-used utility, for the privacy of essentially everyone who uses the Internet to be threatened. Welcome to the Web, where a single misplaced strand can cause a disaster few will notice until years later. I then wrote about how the bug was able to attract attention from, well, everyone:
Heartbleed has a dire name. Its branding is better than most of the startup logos we’ve seen in the last few years. Those two things have no doubt contributed to its ability to make sure that everyone, from renowned security professionals and the Department of Homeland Security to the Canada Revenue Agency and tech bloggers, is paying attention to this critical flaw. And, perhaps more importantly, paying attention to the structural problems that allowed it to exist.And then I wondered why Internet security is entrusted to people working in their spare time:
It’s time for Internet security to be handled by people who can afford to devote their entire lives to it, not people who in their spare time are forced to carry “an enormous burden” that affects basically anyone who uses the Internet. We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?[Image via Thinkstock]