Why certain Heartbleed exposures won’t be so easy for bad guys to exploit

April 23rd, 2014

By Byron Acohido, Last Watchdog

KINGSTON, Wash. – The security headaches raised by the Heartbleed coding flaw keep expanding.

Ars Technica reporter Dan Goodin has broken stories about how the Canadian government and Yahoo Mail have been bitten by Heartbleed exploits in the wild. And numerous vendors and experts are stepping forward with information on how Heartbleed could be exploited in pervasively used technologies. However, despite the high alarm conveyed in media reporting and by security product marketers, it is not trivial for individuals, or even hacking collectives with ill intent, to capitalize on the flaw.

Google, for instance, last week warned that Android smartphones running version 4.1.1 of its mobile operating system are vulnerable to Heartbleed attacks, in which a bad guy who can get the device to talk to a malicious server might read passwords, personal messages and other private information out of the device’s memory. Last Watchdog asked Mojave Networks threat engineer Ryan Smith and Lookout Mobile Security principal researcher Marc Rogers to supply some context.

LW: How likely is it that the bad guys have already begun moving to triangulate and infect Android handsets vulnerable to Heartbleed?

Smith: We are unaware of any active attacks currently targeting vulnerable Android devices. Due to the difficulty and targeted nature of exploiting this vulnerability, it is very unlikely that attackers will launch widespread attacks against Heartbleed on Android.

If attackers were to launch an attack using the Heartbleed Android vulnerability, it’s more likely that they would conduct targeted attacks against higher value targets. The potentially high sensitivity of the information that can be leaked by this bug makes it a lucrative target, but the difficulty and relatively small number of victims makes it likely to be limited to small-scale targeted attacks.

Rogers: Client-side attacks using this bug are a very real possibility; however, I think the cybercriminals will still be focusing on server-side attacks. This is because the client-side attack is difficult to implement and the gains are hard to quantify. While it’s likely that sensitive information could be exposed, it’s by no means certain. Also, because of Android’s app sandboxing, the attack will only be able to take 64k of memory from the app that was running OpenSSL.
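Rogers’ 64k figure comes from the shape of the heartbeat message itself: the payload length is a 16-bit field, so one request can ask for at most 65,535 bytes, and the unpatched OpenSSL code copied that many bytes back without checking that the record actually carried them. The following Python simulation is an added illustration, not code from this article, from the researchers quoted, or from OpenSSL. It models the unpatched handler beside the check that OpenSSL 1.0.1g added; the “heap” is a bytearray standing in for process memory, and the secrets placed next to the received record are constructed sample data. The same handler logic runs on both ends of a TLS connection, which is why a malicious server can read a vulnerable client just as a malicious client can read a vulnerable server.

```python
"""
Toy model of the OpenSSL heartbeat bounds-check bug (CVE-2014-0160, Heartbleed).
Added illustration; not the article's or OpenSSL's code.
"""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_MIN = 16          # RFC 6520: at least 16 bytes of padding per message
MAX_PAYLOAD = 0xFFFF      # payload_length is a uint16: at most 64 KiB per request

# Constructed sample of data that happens to sit next to the received record
# in the peer's memory. Not real captured data.
SAMPLE_SECRETS = b"Cookie: session=9f1c2d7e4b; user=alice&password=hunter2"


def build_heartbeat(payload: bytes, claimed_length: int, padding_len: int = PADDING_MIN) -> bytes:
    """Heartbeat record body: type(1) | payload_length(2) | payload | padding.
    An honest peer sets claimed_length == len(payload). The attack sets it far
    larger than the record carries (public PoCs sent only the 3-byte header)."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * padding_len


class PeerMemory:
    """Toy process memory: the incoming record lands at offset 0 and whatever
    the process was already holding (here SAMPLE_SECRETS) follows it."""

    def __init__(self, record: bytes, neighbour: bytes = SAMPLE_SECRETS):
        self.heap = bytearray(record + neighbour)
        self.record_len = len(record)   # what OpenSSL's s->s3->rrec.length holds


def _response(payload_len: int, echoed: bytes) -> bytes:
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING_MIN


def vulnerable_handle(mem: PeerMemory):
    """Mirrors the unpatched tls1_process_heartbeat: the peer's payload_length
    is trusted and copied back without comparing it to the record length."""
    hbtype = mem.heap[0]
    (payload_len,) = struct.unpack_from("!H", mem.heap, 1)
    if hbtype != HB_REQUEST:
        return None
    # In C this reads payload_len bytes past the record into adjacent memory.
    # Python slicing simply stops at the end of the toy heap instead.
    echoed = bytes(mem.heap[3:3 + payload_len])
    return _response(payload_len, echoed)


def patched_handle(mem: PeerMemory):
    """Mirrors the OpenSSL 1.0.1g fix: discard any record too short to hold the
    header plus minimum padding, and any payload_length that would read past
    the end of the record. Discarded requests get no response at all."""
    if 1 + 2 + PADDING_MIN > mem.record_len:
        return None
    hbtype = mem.heap[0]
    (payload_len,) = struct.unpack_from("!H", mem.heap, 1)
    if 1 + 2 + payload_len + PADDING_MIN > mem.record_len:
        return None
    if hbtype != HB_REQUEST:
        return None
    echoed = bytes(mem.heap[3:3 + payload_len])
    return _response(payload_len, echoed)


def leaked_bytes(response, sent_payload: bytes) -> bytes:
    """Everything the response echoes beyond the payload the requester sent."""
    if response is None:
        return b""
    echoed = response[3:len(response) - PADDING_MIN]   # strip header and response padding
    return echoed[len(sent_payload):]


def run_attack(handler, payload: bytes = b"", claimed_length: int = 0x4000, padding_len: int = 0) -> bytes:
    """Deliver a malformed heartbeat to `handler` and return what it leaked."""
    record = build_heartbeat(payload, claimed_length, padding_len)
    return leaked_bytes(handler(PeerMemory(record)), payload)


if __name__ == "__main__":
    print("vulnerable leaks:", run_attack(vulnerable_handle))
    print("patched leaks:   ", run_attack(patched_handle))
    honest = build_heartbeat(b"ping", 4)
    print("honest request, patched handler:", patched_handle(PeerMemory(honest)))
```

Running the block shows the vulnerable handler echoing the constructed secrets that sat beside the record, while the patched handler returns nothing for the same request and behaves identically to the old code for an honest one. On a phone, the data that can sit beside the record is bounded by the sandbox of the single app that loaded OpenSSL, which is the limit Rogers describes; on a server the same copy can pull whatever the TLS process holds.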

LW: Do you anticipate that elite cybercrime and cyberspy groups will leverage Heartbleed to accelerate phishing campaigns and malware spreading?

Smith: Targeted spear phishing and watering hole attacks are the most likely types of attacks to be used against the Heartbleed Android bug. That said, the relatively low number of vulnerable users makes it unlikely that this will be a major factor in any malicious campaign. The nature of this attack is that there’s no guarantee what information you’ll receive even if you do find a vulnerable victim.

If an attacker were able to lure a vulnerable mobile user to a malicious website, they may be able to get their session keys to websites (banks, email, etc.) that they’ve logged into recently or other sensitive information, but they may end up with uninteresting data. With the possibility of getting such valuable keys, passwords, session tokens, etc, this will most likely be another tool in attackers’ war chest but it’s unlikely that it will see much action.

Rogers: Cybercrime groups will see this as a great opportunity to attack things like VPN concentrators and worker portals. The credentials they might get through attacking these systems could be very valuable when attacking bigger, much more secure organizations.

As we all know now, Target was compromised after an attacker went after the smaller, less secure HVAC company that Target used to monitor its in-store HVAC equipment. Attackers knew the HVAC network had a connection that largely bypassed Target’s perimeter security, so they leveraged that smaller company as a staging point into Target’s network. Heartbleed offers this type of opportunity on a grand scale.

LW: So is the Android Heartbleed threat overstated?

Smith: This is not to say that users should not take this seriously and update their devices if they have Android 4.1.1. Although it’s unlikely that attackers will weaponize this vulnerability in a wide-scale manner, the data at risk is highly sensitive, and the longer this vulnerability goes unpatched, the longer attackers have to build it into their exploit frameworks, and the more likely it is that users will be affected. Basically, be safe but no need to panic.

Rogers: There are still many vulnerable servers and equally concerning is the fact that there is still a lot of vulnerable infrastructure out there – things like firewalls and VPN concentrators. Unlike the sophisticated attacks necessary to exploit a vulnerable client, these would be simple point-and-click exercises that will yield everything from SSL certificate keys and network keys to usernames and passwords.

Regarding government spying, Heartbleed also offers government agencies the opportunity to capture private SSL keys from vulnerable sites. Once someone has the SSL key for that site, they will be able to decrypt any SSL traffic they may be holding as part of a wider interception and storage program. Changing the SSL certificate only protects future traffic. Anything captured before we knew about Heartbleed would still be vulnerable.