Monday, the world learned about a critical bug in OpenSSL called “Heartbleed.” It severely compromises the integrity of secure communications and there isn’t a whole lot consumers of the Internet can do to protect themselves.
But, of course, knowledge is power, so we’ve created the Heartbleed Detector, an app that will tell you if you’re running a vulnerable version of Android on your phone. While everyone has been talking about how Heartbleed affects servers and Internet infrastructure, it also affects mobile devices. Our detector app will help you figure out if your device is one of them.
What is Heartbleed?
Heartbleed is a software flaw in the OpenSSL “Heartbeats” function that helps keep secure connections alive. This function was found to be vulnerable to manipulation in a way that allows an attacker to steal up to 64K of data at a time from the active memory of affected systems. The bug, found by researchers from Codenomicon and Google and tracked as CVE-2014-0160, impacts any infrastructure that includes the affected versions of OpenSSL.
How does the detector work?
This app determines what version of OpenSSL your device is using and then checks to see if the specific vulnerable feature called Heartbeats is enabled.
This app does not fix the vulnerability; that will need to be patched by Google or your device manufacturer. It is only meant to keep you informed about the status of your device. The good news is that Lookout has not yet seen the Heartbleed vulnerability exploited on a mobile device, but you can stay updated with the latest information on our blog at blog.lookout.com.
The detector also doesn’t detect if websites or other online services you use are vulnerable — more about that below.
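As an illustration of that two-part check, here is added example code (not Lookout’s app) that parses an OpenSSL version string and combines the result with whether the Heartbeats code was compiled in. The affected version range comes from the OpenSSL advisory rather than this post, and the input strings are constructed samples.

```python
import re

# Releases that shipped the Heartbleed bug (CVE-2014-0160): every 1.0.1
# release up to and including 1.0.1f, plus 1.0.2-beta1. 1.0.1g and
# 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0 branches never had the
# TLS heartbeat code.
VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?"
)


def parse_version(text):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', None).

    The letter suffix is the patch level; the beta number is None for a
    full release. Anything that is not an OpenSSL version string raises.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def version_in_affected_range(version):
    """True if this release contains the buggy heartbeat handling."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f inclusive; 1.0.1g is fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def classify(version_text, heartbeat_enabled):
    """Combine the version check with whether Heartbeats is enabled.

    heartbeat_enabled is False when the library was built with
    OPENSSL_NO_HEARTBEATS, which compiles the vulnerable code path out.
    """
    if not version_in_affected_range(parse_version(version_text)):
        return "not vulnerable"
    if not heartbeat_enabled:
        return "not vulnerable (heartbeat disabled)"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed samples of what a device might report.
    for text, hb in [("OpenSSL 1.0.1e 11 Feb 2013", True),
                     ("OpenSSL 1.0.1g 7 Apr 2014", True),
                     ("OpenSSL 1.0.1c 10 May 2012", False)]:
        print(text, "->", classify(text, hb))
```

A version string alone is only a heuristic: vendors sometimes backport the fix without changing the reported version, so a “vulnerable” result is a prompt to look for a system update rather than proof of exposure.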
What should I do if I’m vulnerable?
If your device is vulnerable, you can check in your Android settings to see if you have any System Updates. If you do, update your operating system to make sure you’re running the newest version of Android available for your device.
Unfortunately, if there are no updates available, there isn’t anything you can do. It’s up to the infrastructure teams behind the products and services you use to update their systems. The good news is that we have yet to see any attacks targeting a mobile device, and while this is a credible risk, the likelihood of you encountering an exploit is low.
Will it protect me from affected websites?
No. This app does not detect whether the services or accounts you use (the apps and websites you visit) are vulnerable; it only detects the vulnerability in your Android device.
In other words, your operating system might be fine, but the websites you’re accessing might not. We suggest contacting your service providers to ask what steps they have taken to protect their systems from Heartbleed.
Should I change my passwords?
Not yet! Wait to hear from the services with which you have an account. Because the vulnerability pulls data from the active memory of the affected systems, your password might not have been in that data. If you change it now, you give anyone who exploits a still-vulnerable site access to your new password.
This vulnerability is one of the most widespread we’ve seen yet, affecting two-thirds of the Internet. We encourage companies to alert their consumers when their infrastructure has been shored up, letting account-holders know it’s safe to change their password.
Is Lookout all patched up?
Yes! Anyone coming to the Lookout app or our website is safe. Our web infrastructure was not impacted by the flaw, and we have already patched all other vulnerable systems.
As a precautionary measure we have also replaced all SSL certificates which may have been exposed by this flaw.
You can check out Lookout’s blog post on Heartbeat here.