Apple smart devices protected from 'Heartbleed' bug

Apple said users of smart devices running its iOS software face no risk from a flaw in the OpenSSL web security library, even as BlackBerry prepares a fix for its messenger service on iOS and Android devices.

The security flaw was revealed last week and has been widely dubbed 'Heartbleed' because it occurs in an OpenSSL extension named heartbeat. OpenSSL is used to protect online data, but the fault potentially allows cyber criminals to read that protected information in batches.

Although the bug is linked to web sites, concerns over the security of sites accessed via smartphones and tablets are growing.

An Apple spokesman told FierceWireless:Europe the company "takes security very seriously," and that its iOS mobile software, and OS X PC software, "never incorporated the vulnerable software".

As a result "key web-based services were not affected," the spokesman said.

Despite Apple's confidence, Canadian smartphone maker BlackBerry is gearing up to release patches for its messaging software on iOS and Android devices. A spokesman told Reuters the company's BBM messaging and Secure Work Space corporate email services are being upgraded to prevent hackers accessing data through Wi-Fi and cellular connections.

The BlackBerry spokesman said, however, that most of the company's products are secure, and that the risk to messenger service users is "extremely small."

David Emm, senior security researcher at security firm Kaspersky Lab, told FierceWireless:Europe there are two aspects to handset security. "The first is whether the handset itself is vulnerable, i.e. is it running a vulnerable version of the OpenSSL library?

"The second aspect relates to sites someone might visit from a mobile device. Any web site that makes use of the un-patched OpenSSL library to encrypt data is potentially at risk."

Emm noted that iOS doesn't use the OpenSSL standard, and that Google stated it is working to patch potential vulnerabilities in version 4.1.1 of its Android operating system. "So far there have been no known attacks targeting the vulnerability on such handsets."

While there have been no known attacks, Android version 4.1.1 is used in millions of smartphones globally, the International Business Times reported.

In a blog post, Google said it is distributing "patching information for Android 4.1.1" to its Android partners, and that all other versions of the operating system are "immune" to the fault.

Emm said smart device users should check whether web sites they visit have been updated to remove the OpenSSL fault, noting that even if their handset is safe "if someone is using it to access a vulnerable site, the data exchanged with that site could be compromised."

Up to 500,000 websites are potentially at risk, the BBC reported, citing figures from web monitoring company Netcraft.
