17. May 2017

Heartbleed in 2017 – an examination.

mediaTest digital and CIPHRON investigate the phenomenon “Heartbleed”.

The vulnerability in OpenSSL named Heartbleed [CVE-2014-0160] still exists three years after their discovery. The two companies from Hanover CIPHRON and mediaTest digital have made it their business to prove the occurrence of the program error in a comprehensive investigation.
Heartbleed stands for a glaring error in the Crypthography Library OpenSSL, that provides SSL or TLS for authentication and encryption over networks. In 2014, the discovery of the security vulnerability caused a lot of excitement, as it allows the complete memory of the affected server to be read out within the affected network and, if the service is connected to the Internet, beyond that.

Procedure in the investigation of the data stock for Heartbleed
CIPHRON and mediaTest digital use a comprehensive analysis of their customer base to determine to what extent the vulnerability still occurs today and which apps are affected by it. Heartbleed does not underestimate the risk of suffering massive data loss when using an affected app and thus harming its users and customers.

Based on the extensive database of mediaTest digital – more than 60,000 app tests (Android and iOS) – IP addresses and URLs to which these apps connect were read. In addition to tracking services that collect user data, these include the backends that are required to use the apps.

Results of the study on Heartbleed
Only those services that use TLS or SSL encryption and authentication are relevant for the search for heartbleed events. After cleaning up the duplicate IP addresses, a total of 74,978 individual servers could be scanned. Only 0.13 percent – 96 percent of the servers examined – showed a heartbleed vulnerability that was not fixed three years after the vulnerability was discovered.

Occurrence of the OpenSSL vulnerability “Heartbleed” in 2017, based on the data stock of mediaTest digitalThe 96 affected servers were subjected to a more detailed check by CIPHRON and mediaTest digital. The result: A large part of the affected servers are located in the Far East, 34 servers alone have to be localized in China. Nevertheless, some servers used by German- and English-language apps have been identified, including a German fitness app and an app that processes patient data.

Location overview of the 96 servers affected by Heartbleed

All providers, the affected services and apps have been informed digitally about the findings by CIPHRON and mediaTest. To date, however, only a few people have responded by pointing to the existing vulnerability in their applications.
When it comes to Heartbleed, smartphone users don’t have to worry about their data security, as most providers have switched to content delivery networks (such as Cloudflare). As a result, most of the apps on the server side are no longer affected.

Additional investigation of samba vulnerability DOUBLEPULSAR
CIPHRON and mediaTest digital have also checked the data stock for the Samba vulnerability in accordance with the Heartbleed investigation. This vulnerability is a back door from the NSA, which became known in the course of the current NSA leaks and exploits the vulnerability “ETERNAL BLUE” in Samba. The backdoor “DOUBLEPULSAR” can be implemented via this gap. This vulnerability recently caused a worldwide sensation in the “WannaCry” incident – Ransomware, for example.

During the investigation, an affected server could be identified. The provider has not yet reacted to the find. Since the app, whose server shows anomalies, has not been updated for more than five years, it can be assumed that the provider no longer actively supports the app.

Do you have questions about these and other topics around IT security and app security? Please feel free to contact the experts of mediaTest digital and CIPHRON:

Wulf Bolte (CTO, mediaTest digital) et al.:
– SaaS Solution for Mobile Application Management (Appvisory)
– App-Security Audits
– Automatic App White- and Blacklisting incl. MDM-Integration

Karsten Kai König (Information Security Consultant, Ciphron) et al.:
– Penetration Tests
– Code Reviews

Related articles

By removing a check mark, you should be able to disagree with the data exchange between Facebook and WhatsApp. The mobile phone number of the WhatsApp user is given to Facebook anyway – our article shows why and which consequences this has!

In today’s APPVISE you can find out everything about the App Handelsblatt Online. Our Professional Service Marius Otto explains what happens to your data when you use the app!