Millions of Android Phones, Tablets Vulnerable to Heartbleed Bug

Bloomberg News



Millions of smartphones and tablets running 's Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Web and into consumer devices.


While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the 'limited exception' was one version dubbed 4.1.1, which was released in 2012.


Security researchers said that version of Android is still in use in millions of smartphones and tablets, including in popular models made by Samsung Electronics Co., HTC Corp. and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software and the company has said more than 900 million Android devices have been activated worldwide.


The Heartbleed vulnerability was made public earlier this week and can expose people to hacking of their passwords and other sensitive information. While a fix was simultaneously made available and quickly implemented by the majority of Internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts said. Even though Google has provided a patch, the company said it is up to handset makers and wireless carriers to update the devices.


Long Cycle

'One of the major issues with Android is the update cycle is really long,' said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd., a cyber-security company focused on advanced mobile threats. 'The device manufacturers and the carriers need to do something with the patch, and that's usually a really long process.'


Christopher Katsaros, a spokesman for Mountain View, California-based Google, confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it has 'assessed the SSL vulnerability and applied patches to key Google services.'


It's unclear whether other mobile devices are vulnerable. Apple Inc. and Microsoft Corp. didn't respond to messages for comment.


The Heartbleed bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption used by as many as 66 percent of all active Internet sites. The bug, which lets hackers silently extract data from computers' memory, and a fix for it were announced simultaneously on April 7.


Broad Fallout

The reach of the vulnerability continues to widen as and said yesterday that some of their networking-gear products are affected and will be patched. The Canadian government has ordered websites operated by the federal government that use the vulnerable version of OpenSSL to be taken offline until they can be fixed.


The vast majority of large companies protected their systems immediately and the push is now on to make smaller companies do the same, said Robert Hansen, a specialist in Web application security and vice president of the advanced technologies group of WhiteHat Security Inc.


Hackers have been detected scanning the Internet looking for vulnerable servers, especially in traffic coming from China, though it's difficult to know how many have been successful, said Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC. Many attempts have hit dead ends, Blasco said.


German Users

More than 80 percent of people running Android 4.1.1 who have shared data with mobile security firm Lookout Inc. are affected, said Marc Rogers, principal security researcher at the San Francisco-based company. Users in Germany are nearly five times as likely as those in the U.S. to be affected, probably because there is a device that uses that version of Android that is popular there, Rogers wrote in an e-mail.


Still, there are no signs that hackers are trying to attack Android devices through the vulnerability as it would be complicated to set up and the success rate would be low, Rogers said. Individual devices are less attractive to go after because they need to be targeted one by one, he said.


'Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don't expect to see any attacks against devices until after the server attacks have been completely exhausted,' Rogers wrote in an e-mail.


To contact the reporter on this story: Jordan Robertson in San Francisco at jrobertson40@bloomberg.net


To contact the editors responsible for this story: Pui-Wing Tam at ptam13@bloomberg.net Reed Stevenson


Comments

Post a Comment

Popular posts from this blog

5 Reasons iPhone 6 Won't Be Popular

Image
The majority of users are waiting for the next smartphone from Apple - iPhone 6 – this year. Unfortunately, the hype around iPhone began to gradually subside with each passing year after the 4th model launched. Therefore, it is possible that the sixth iPhone model of  will not be nearly as popular as it was in the beginning. Global audience perceived iPhone 4S and iPhone 5 much cooler than its early models New iPhones will not cause that “wow”-effect, which was in the beginning, when Steve Jobs' presentations caused a delight and admiration of every new Apple gadget. Some leaked photos of iPhone 5S prototype show that it does not differ from its predecessor at all. Therefore, all hopes for something radically new in design and features are laid on iPhone 6. And if Apple is no longer holds its standards, that seem to be a little bit old-fashioned already, it is unlikely that iPhone 6 will be interesting for people next year. 5 main reasons can be found to think like
Read more

Eset nod32 ativirus 6 free usernames and passwords

Image
                              Hi friends,after little long time I'm going to write again about eset nod 32 antivirus.As I told in previous post if you are user on windows 8 Eset nod 32 is the best antivirus for your personal computer.the latest product eset nod 32 antivirus 6 has special features with 100% really working.Not need to purchase full version from buying it.Download the eset nod 32 trial version and activate your est antivirus from below updated usernames and passwords. Firstly I would like to tell something about est nod32 antivirus 6. The latest product having: Eset smarter scan  Scan while downloading something Anti-Theft Idle-state scanning Clean and safe E-mail Removable media security system tools         Download Eset nod32 antivirus 6 Trial version Here     After downloading Eset nod32 Antivirus activate it using below usernames and passwords. Username: EAV-30326836                                       Password: ccka4dvsuv Expire: 16-10-2013 Username:EAV-79084
Read more

Apple's self

USA TODAY Apple's self-driving car racing toward reality, report saysUSA TODAYSAN FRANCISCO - Apple's self-driving car effort, code-named Project Titan , is more reality than rumor, according to documents obtained by the British newspaper The Guardian. Engineers working for the Cupertino-based tech hardware giant met in May with ...Apple Is Getting Closer to a Self-Driving CarTIMEApple is reportedly looking at places to test its self-driving carThe VergeApple eyes former naval base in California to test 'Project Titan' self ...Apple InsiderThe Independent -Business Insider -Cult of Macall 10 news articles »
Read more