I had planned to take a closer look at Google Chromecast (and some of the alternatives), but something happened on the way to the word processor: the Heartbleed bug was splashed across the news.
If you’re not yet familiar with this little (read: big) problem, it’s code located in the OpenSSL encryption standard that’s vulnerable to exploit by ill-intentioned no-goodniks. Over the last week, news of the problem was made public, causing a lot of companies to scramble to fix the problem. It also left a lot of users scratching their head, wondering why the Internet suddenly seemed like a security minefield.
Unfortunately, this code is located across a vast swath of the Web. That includes a number of major sites like Facebook and Twitter, as well as a few platforms like WordPress that power many of today’s major websites. There’s even talk that the code has made its way into pieces of hardware that require encryption, like routers. In short, it’s almost impossible to escape the problem.
One major casualty of the Heartbleed bug was Google, whose services were hit pretty hard by the bug, including the Google search engine, Gmail, Google+, YouTube … and Android.
While Google was pretty quick to note that a “limited number” of devices (running Android version 4.1.1) are affected by Heartbleed, an article by Bloomberg contends that the number of affected devices could still be in the millions … and unfortunately, it’s not necessarily going to be an easy fix.
The reason it won’t be an easy fix is one of my ongoing pet peeves about Android: fragmentation, coupled with the need to push most updates through several levels of approval before finally getting to the end-user.
The fragmentation part is pretty easy to understand. While Google is responsible for the Android operating system, device manufacturers actually release the hardware that runs Android (with the exception of Nexus-branded devices, which are manufactured externally and released by the Google mothership). Add to that a number of manufacturer-specific OS tweaks and add-ons, and that results in a zillion different versions of Android out there, even for the same theoretical version of the operating system.
The less obvious problem is that each of these manufacturer-created varieties of the operating system then have to be pushed through to the carriers for approval before being released to the end user. So, even if your phone’s manufacturer has created an update, you can’t get your hands on it if your carrier hasn’t approved the new version for use on their network.
Google has released tools to fix the problem to its partners, which means that a fix should be on the way if you have an affected version of Android. In theory, anyhow. Even if you have a device that’s still supported with updates by the manufacturer, it might still be a while until a patch makes its way from manufacturer to carrier and then on to you, so you might as well strap in, sit back and hope for the best. Oh, and be sure to check for an OS update every so often; you can manually check in Settings -> System -> About Tablet.
While you’re waiting, there are a couple of things you can do to reassure yourself. First, you can check out this handy guide, which lists which sites are affected, and then tread cautiously until affected sites give the all-clear.
Secondly, you can download the Heartbleed Detector app from Lookout Mobile Security to your Android device, and run a scan. I found out that while my Nexus 7 tablet is affected by Heartbleed, the behavior itself is not enabled on the device, so the tablet is actually safe from the problem. Unfortunately, if your device goes the other way, there’s not a lot you can do apart from waiting for an update…but at least you’ll know. And as they say, knowing is half the battle.
End-of-support-devices: Time to Upgrade is Now
Sadly, it’s too often the case that something needs to ‘go boom’ with networking devices for organizations to realize there’s even a problem. But there are simple steps IT leaders before disaster strikes.