Android 4.1.1 Vulnerable to Reverse Heartbleed
Google announced last week that Android 4.1.1 is susceptible to the Heartbleed OpenSSL bug. While Android 4.1.1 is, according to Google, the only Android version vulnerable to Heartbleed, it remains in use in millions of smartphones and tablets.
Google stated that less than 10 percent of active devices use Android 4.1.1, but official Google statistics only show the aggregated figure for Android 4.1.x, which is about 34 percent. According to Charles Arthur, reporting for The Guardian, the number of affected devices could be 50m, 4m in US alone. The figure is calculated based on data provided by the analytics firm Chitika, showing Android 4.1.1 users generated 19% of total North American Android 4.1 traffic.
The issue on Android could be more extended than that, though. Indeed, Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones, said to Ars Technica that some customized versions of Android 4.2.2 have also been found to be susceptible and that other releases may contain the critical Heartbleed flaw as well.
Google has already patched Android 4.1.1 and distributed patching information to Android partners, according to its official statement. It remains to be seen, though, how the patch is effectively deployed, since Android software updates are controlled by carriers and handset manufacturers, not Google. Furthermore, carriers have previously failed to provide consumers with available security updates, as Ars Technica reported a while back.
The attention around Heartbleed has initially focused on the most direct scenario: a malicious client attacking an HTTPS server to steal cookies, private keys, and other secrets. Unfortunately, as security firm Meldium says, TLS heartbeats are symmetric, so they can be exploited on whichever connection endpoint, either the client or the server. Thus, a malicious server can send bad heartbeat packets to an unpatched client and potentially extract sensitive data from it.
According to Meldium, reverse Heartbleed is harder to exploit, since clients that use certificate pinning can quickly close the connection once they realize the server certificate does not match and server-initiated heartbeat requests require that a connection has been successfully established. Nevertheless, Meldium has proven that vulnerable clients can actually be made to send hundreds of 16kb chunks of memory back, if the server uses a few tricks to keep the connection open as long as possible.
Apple's iOS appears to be unaffected since Apple has never provided OpenSSL has part of iOS. Microsoft said that Windows' implementation of SSL/TLS is also not impacted. We've approached Microsoft for clarification with regards Windows Phone but haven't heard anything at the time of publication. We will update the post if we hear back from them.
Brandon Holt, Preston Briggs, Luis Ceze, Mark Oskin May 21, 2015
Kai Kreuzer, Olaf Weinmann May 21, 2015