Your phone has Heartbleed? Lookout’s Detector app can tell
Following this week’s discovery of the serious Heartbleed bug in
OpenSSL, mobile security company Lookout released an Android tool that
will help users detect the presence of the security vulnerability on
their Android devices.
The Heartbleed bug is a vulnerability in the OpenSSL library that
allows malicious intruders to expose confidential data that is
normally protected by SSL/TLS encryption.
Vulnerability detection
Lookout’s detector app can be downloaded for free
from the Google Play Store and does nothing else but identify the
OpenSSL version being used on the Android device, check for the
existence of Heartbleed, and, if it is present, determine whether
Heartbleed is enabled.
The app, however, won’t tell the user if sites visited or other apps used are affected. The app doesn’t provide a fix either.
If the device is in the clear, the app will display “Everything is
OK”. In the worst case, the user will see a red warning sign along with
the confirmation “And the vulnerable behavior is enabled,” indicating
that Heartbleed is present and is active or enabled.
Most others will likely get a yellow warning, indicating the presence
of Heartbleed but assuring that, although it’s there, it’s not enabled.
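
The three results described above can be derived from a library's version and build flags. The following is an added example, not Lookout's code and not from the original article: it assumes input in the format printed by `openssl version -a`, uses the upstream affected range for CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and treats the `-DOPENSSL_NO_HEARTBEATS` compile flag as "not enabled". The function names and sample text are constructed.

```python
import re

# Matches the first line of `openssl version -a`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def is_affected_version(banner):
    """True if the banner names an upstream release affected by CVE-2014-0160."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % banner)
    release = tuple(int(g) for g in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # "" is 1.0.1 itself; patch letters a..f are affected, g is the fix.
        return letter <= "f"
    if release == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the flaw.
        return beta == "beta1"
    return False  # 0.9.8 and 1.0.0 never contained the heartbeat code


def classify(version_output):
    """Map build information to the article's three results (hypothetical labels)."""
    if not is_affected_version(version_output):
        return "ok"      # "Everything is OK"
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "yellow"  # affected code present, heartbeats compiled out
    return "red"         # affected code present and heartbeats enabled


# Constructed sample inputs, shaped like `openssl version -a` output.
SAMPLE_RED = "OpenSSL 1.0.1c 10 May 2012\ncompiler: gcc -DOPENSSL_THREADS -O3\n"
SAMPLE_YELLOW = ("OpenSSL 1.0.1c 10 May 2012\n"
                 "compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3\n")
SAMPLE_OK = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS -O3\n"

if __name__ == "__main__":
    for name, text in [("red", SAMPLE_RED), ("yellow", SAMPLE_YELLOW), ("ok", SAMPLE_OK)]:
        print(name, "->", classify(text))
```

Vendors that backport the fix often keep the old version string, so a version match alone can over-report on such builds.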
User concern
Although the security flaw is primarily a server-side vulnerability,
Android users worry about it because Android uses a version of OpenSSL.
Devices running Android 4.1.1 Jelly Bean are vulnerable, but Google is
working on a patch for that specific version.
Google assured Android users, though, that “all versions of Android
are immune to CVE-2014-0160 (with the limited exception of Android
4.1.1; patching information for Android 4.1.1 is being distributed to
Android partners).”
On the bright side, Lookout reports that it has not yet found cases
of mobile devices exploited using the Heartbleed vulnerability.
However, this is not a good reason for anyone to be complacent.
Vigilance and looking out
One positive step that an average user may take is to check for
software updates from the Android device’s manufacturer and to install
them immediately, especially updates that patch the security hole.
Another is to be vigilant and be on the lookout for notices and alerts
from sites that the user has online accounts with. Affected sites may
implement measures to remove the vulnerability and inform their users
accordingly. Apart from these, there’s very little else that a user can
do.
Have you scanned your Android device for Heartbleed today? What
result did you get? Does it scare you? Share your thoughts in the
comments section.