Android phones, tablets vulnerable to Heartbleed bug

  • Bloomberg News
  • Friday, April 11, 2014 3:29pm
  • Business

SAN FRANCISCO — Millions of smartphones and tablets running Google’s Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Web and into consumer devices.

While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the “limited exception” was one version dubbed 4.1.1, which was released in 2012.

Security researchers said that version of Android is still in use in millions of smartphones and tablets, including in popular models made by Samsung, HTC and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software and the company has said more than 900 million Android devices have been activated worldwide.

The Heartbleed vulnerability was made public earlier this week and can expose people to hacking of their passwords and other sensitive information. While a fix was simultaneously made available and quickly implemented by the majority of Internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts said. Even though Google has provided a patch, the company said it is up to handset makers and wireless carriers to update the devices.

“One of the major issues with Android is the update cycle is really long,” said Michael Shaulov, chief executive officer and co-founder of Lacoon Security, a cyber-security company focused on advanced mobile threats. “The device manufacturers and the carriers need to do something with the patch, and that’s usually a really long process.”

Christopher Katsaros, a spokesman for Mountain View, Calif.-based Google, confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it has “assessed the SSL vulnerability and applied patches to key Google services.”

It’s unclear whether other mobile devices are vulnerable. Apple Inc. and Microsoft Corp. didn’t respond to messages for comment.

The Heartbleed bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption used by as many as 66 percent of all active Internet sites. The bug, which lets hackers silently extract data from computers’ memory, and a fix for it were announced simultaneously on April 7.

The reach of the vulnerability continues to widen as Cisco Systems Inc. and Juniper Networks Inc. said yesterday that some of their networking-gear products are affected and will be patched. The Canadian government has ordered websites operated by the federal government that use the vulnerable version of OpenSSL to be taken offline until they can be fixed.

The vast majority of large companies protected their systems immediately and the push is now on to make smaller companies do the same, said Robert Hansen, a specialist in Web application security and vice president of the advanced technologies group of WhiteHat Security Inc.

Hackers have been detected scanning the Internet looking for vulnerable servers, especially in traffic coming from China, though it’s difficult to know how many have been successful, said Jaime Blasco, director of AlienVault Labs, part of AlienVault. Many attempts have hit dead ends, Blasco said.

More than 80 percent of people running Android 4.1.1 who have shared data with mobile security firm Lookout Inc. are affected, said Marc Rogers, principal security researcher at the San Francisco-based company. Users in Germany are nearly five times as likely as those in the U.S. to be affected, probably because there is a device that uses that version of Android that is popular there, Rogers wrote in an email.

Still, there are no signs that hackers are trying to attack Android devices through the vulnerability as it would be complicated to set up and the success rate would be low, Rogers said. Individual devices are less attractive to go after because they need to be targeted one by one, he said.

“Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don’t expect to see any attacks against devices until after the server attacks have been completely exhausted,” Rogers wrote in an email.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Business

Black Press Media operates Sound Publishing, the largest community news organization in Washington State with dailies and community news outlets in Alaska.
Black Press Media concludes transition of ownership

Black Press Media, which operates Sound Publishing, completed its sale Monday (March 25), following the formerly announced corporate restructuring.

Maygen Hetherington, executive director of the Historic Downtown Snohomish Association, laughs during an interview in her office on Thursday, Feb. 15, 2024, in Snohomish, Washington. (Ryan Berry / The Herald)
Maygen Hetherington: tireless advocate for the city of Snohomish

Historic Downtown Snohomish Association receives the Opportunity Lives Here award from Economic Alliance.

FILE - Washington Secretary of State Steve Hobbs poses in front of photos of the 15 people who previously held the office on Nov. 22, 2021, after he was sworn in at the Capitol in Olympia, Wash. Hobbs faces several challengers as he runs for election to the office he was appointed to last fall. (AP Photo/Ted S. Warren, File)
Secretary of State Steve Hobbs: ‘I wanted to serve my country’

Hobbs, a former Lake Stevens senator, is the recipient of the Henry M. Jackson Award from Economic Alliance Snohomish County.

Mark Duffy poses for a photo in his office at the Mountain Pacific Bank headquarters on Wednesday, Feb. 14, 2024 in Everett, Washington. (Annie Barker / The Herald)
Mark Duffy: Building a hometown bank; giving kids an opportunity

Mountain Pacific Bank’s founder is the recipient of the Fluke Award from Economic Alliance Snohomish County.

Barb Tolbert poses for a photo at Silver Scoop Ice Cream on Thursday, Feb. 29, 2024 in Arlington, Washington. (Annie Barker / The Herald)
Barb Tolbert: Former mayor piloted Arlington out of economic brink

Tolbert won the Elson S. Floyd Award, honoring a leader who has “created lasting opportunities” for the underserved.

Photo provided by 
Economic Alliance
Economic Alliance presented one of the Washington Rising Stem Awards to Katie Larios, a senior at Mountlake Terrace High School.
Mountlake Terrace High School senior wins state STEM award

Katie Larios was honored at an Economic Alliance gathering: “A champion for other young women of color in STEM.”

The Westwood Rainier is one of the seven ships in the Westwood line. The ships serve ports in the Pacific Northwest and Northeast Asia. (Photo provided by Swire Shipping)
Westwood Shipping Lines, an Everett mainstay, has new name

The four green-hulled Westwood vessels will keep their names, but the ships will display the Swire Shipping flag.

A Keyport ship docked at Lake Union in Seattle in June 2018. The ship spends most of the year in Alaska harvesting Golden King crab in the Bering Sea. During the summer it ties up for maintenance and repairs at Lake Union. (Keyport LLC)
In crabbers’ turbulent moment, Edmonds seafood processor ‘saved our season’

When a processing plant in Alaska closed, Edmonds-based business Keyport stepped up to solve a “no-win situation.”

Angela Harris, Executive Director of the Port of Edmonds, stands at the port’s marina on Wednesday, Jan. 24, 2024, in Edmonds, Washington. (Ryan Berry / The Herald)
Leadership, love for the Port of Edmonds got exec the job

Shoring up an aging seawall is the first order of business for Angela Harris, the first woman to lead the Edmonds port.

The Cascade Warbirds fly over Naval Station Everett. (Sue Misao / The Herald file)
Bothell High School senior awarded $2,500 to keep on flying

Cascade Warbirds scholarship helps students 16-21 continue flight training and earn a private pilot’s certificate.

Rachel Gardner, the owner of Musicology Co., a new music boutique record store on Thursday, Jan. 18, 2024 in Edmonds, Washington. Musicology Co. will open in February, selling used and new vinyl, CDs and other music-related merchandise. (Olivia Vanni / The Herald)
New Edmonds record shop intends to be a ‘destination for every musician’

Rachel Gardner opened Musicology Co. this month, filling a record store gap in Edmonds.

MyMyToyStore.com owner Tom Harrison at his brick and mortar storefront on Tuesday, Sept. 6, 2022 in Everett, Washington. (Olivia Vanni / The Herald)
Burst pipe permanently closes downtown Everett toy store

After a pipe flooded the store, MyMyToystore in downtown Everett closed. Owner Tom Harrison is already on to his next venture.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.