We already knew that the OpenSSL Heartbleed security vulnerability that blew up in the headlines last week was bad news. So we’re probably not ready to hear that it could be way worse than we thought. But that’s the message of one Forbes.com technology expert.
The problem, says Bob Egan, is that the publicity surrounding Heartbleed has focused on its potential impact on “desktop” browsers. That leaves out the potential global effect on some 40 to 60 billion smartphone applications that connect to the same servers.
Heartbleed is a vulnerability in the OpenSSL software library that can expose data held on affected servers. Around half a million web sites could be affected, leaving highly sensitive user data, such as passwords, user names and credit card details, open to hackers.
Egan, who writes on mobile and technology matters and is the founder of The Sepharim Group, a mobile industry consultancy, says the mobile security firms he questioned agree on the following: “Mobile users carrying smartphones and tablets who are not protected by an enterprise mobile management (EMM) solution are at far more risk than employees who are enrolled in an EMM solution at work. But nobody is off the hook.”
The risk to workplace EMM users is relatively contained as Heartbleed doesn’t affect most providers of EMM solutions, Egan says. Apple, Blackberry, IBM, Microsoft and other major mobile technology providers have said that their core products are unaffected. Egan says that probably not all issues have been discovered yet, and notes that some vendors likely have further work to do to eliminate the threat entirely.
But his most serious concern is reserved for the unprotected mobile user. Taking a page from the infamous “known knowns” hierarchy devised by U.S. Defense Secretary Donald Rumsfeld in 2002, Egan sorts the concerns as follows.
The “known known” is that smartphone and tablet users who have downloaded apps from commercial app stores are definitely exposed. “The exposure comes mainly from an app connecting to a vulnerable server somewhere,” Egan says. “Since at least 66 per cent of servers connected to the Internet have a two-year exposure to this bug, we know there is a chance users may have already been compromised.”
Exactly what was compromised, or still could be, is the “known unknown” in Egan’s scenario. Private keys to applications, usernames and passwords, bank account or payment information, and possibly even VoIP calls or instant messaging sessions could be open to unauthorized access.
The “unknown unknown” is the fact that security experts and system admins still don’t know how pervasive the exposure is for Internet-connected, cloud and enterprise application servers. “The only real certainty here,” Egan says, “is that mobility has far more scale than any ‘desktop’ issue. More people carry phones, and there are more mobile applications — both act as force multipliers to the cloud and other servers on the Internet that may have the OpenSSL vulnerability.”
With the full extent of the exposure still unknown, and the possibility that hackers could grab certificates and keys now, while the getting’s good, and develop tools to exploit them down the road, Egan says there is a lot of work to be done to re-establish security.
“Perhaps most unsettling of all, there isn’t anything a mobile user can do to fix the problem, except to suggest that the apps associated with big brands may move quickly to remediate any vulnerability,” Egan concludes. “I think we’re in for a long ride . . . and it’s going to fundamentally change the way we look at mobile applications.”