'Heartbleed-based BYOD hack' pwns insurance giant Aviva's iPhones

Mobile device management systems at insurance giant Aviva UK were last month hit by an attack – purportedly based on the Heartbleed exploit, although the firm denies this – that appeared to allow the perpetrator to royally screw with workers' iPhones. The insurance giant has played down the breach but El Reg's mole on the …

COMMENTS

This topic is closed for new posts.
  1. Captain Scarlet Silver badge
    Coffee/keyboard

    Ouch

    I would hate to be on Helldesk in the morning after this occurred (although if it was used as an alarm it might be more balanced, as staff wake up realising their alarm didn't go off).

    1. Stevie

      Re: I would hate to be on Helldesk in the morning after this occurred

      No problem: helldesk number erased along with angry birds and bejeweled.

  2. Yet Another Anonymous coward Silver badge

    Good to know

    That wiping every employee's mobile phone after extracting all the data from it represented no financial loss to the company and no risk to customers.

    Normally, if some hacker merely gets onto their web server, he is accused of causing millions in damages.

    1. Roo

      Re: Good to know

      Tough balance for the PR hacks to get right. If they claim lots of damages they look bad, on the other hand if they pretend no harm was done it makes it harder to justify a serious sentence for the hacker, although I have no doubt they will discover some evidence showing huge damage should it go to court...

      1. Steve Evans

        Re: Good to know

        The claims of damage are reaching US levels of silliness.

        Are they really claiming the data on these devices wasn't backed up elsewhere?

        If that really is the case, then whoever specified the system (and penny pinched when an offline backup was suggested), should be given the bill.

        1. Fatman

          Re: Good to know

          If that really is the case, then whoever specified the system (and penny pinched when an offline backup was suggested), should be given the bill a fat bonus for saving the company money.

          FTFY!!!

    2. Vince

      Re: Good to know

      Of course, this does explain why Insurers always find it incredible that you do sustain losses when you make claims, if they think 1000's of devices being reset had no cost.

      Given they've got a bunch of iwhatever though, I'm not surprised. Surely everyone knows they're really just company paid for so everyone can have shiny toys to use at home?

      1. Anonymous Coward

        Re: Good to know

        "Surely everyone knows they're really just company paid for so everyone can have shiny toys to use at home?"

        I wondered about that. The headline talks of BYOD, so was this company owned, or employee owned? If it was "real" BYOD, staff would have had their personal devices wiped due to a company/supplier flaw, which gives a new excuse to those wanting to avoid the travails of BYOD: sysadmins the world over now have the perfect response to berks wanting to use their own phone. Whereas before the response was "using your device will compromise company security", presumably the response now is "useless company security will compromise your device".

        1. NeilMc

          Re: Good to know

          BYOD is just a ticking time bomb for Employers who now have to factor into employment contracts how they deal with personal claims for data loss and injury based on company actions or indeed the actions of their chosen partners as in this case.

          BYOD is flawed, simple as; it intros more issues/challenges than it creates opportunities.

          Unless you are self employed or contracting BYOD makes no sense whatsoever.......

    3. Anonymous Coward

      Re: Good to know

      That wiping every employee's mobile phone after extracting all the data from it represented no financial loss to the company and no risk to customers.

      Where did TFA say they extracted any data? The hacker just wiped, and they state no information was compromised. Of course, they could be lying or unaware, but you can't claim otherwise without proof or at least saying "possibly".

      1. Yet Another Anonymous coward Silver badge

        Re: Good to know

        MobileIron claims that it offers a full management system for data on your mobile devices.

        Unless they can prove that this hack was somehow able to post messages, send email and wipe the devices but somehow wasn't able to "fully manage" the data - you should assume that they slurped everything.

        1. Internet ToughGuy

          Re: Good to know

          Comments like this show a readiness to post, and yet no understanding of what MobileIron, or any other MDM solution, offers. MDM solutions can wipe devices, partially or fully, without the admin being able to see the data being removed. If I uninstall Outlook from your PC, that doesn't mean I can read your email. MobileIron allows admins to see what apps are installed on a device, but not the data within those apps. Certain apps can be pushed/removed, but the data from them is not "extracted", it's just wiped. In this instance, it seems that the hacker used acquired admin credentials (MobileIron has LDAP integration, so it's also possible that these credentials had access to other systems).

          The article makes it sound like MobileIron was compromised by the Heartbleed vulnerability. MobileIron isn't vulnerable to this. However, like any system, if somebody logs in with administrator credentials, they are free to perform administrative tasks, which can include messages and wiping of devices. If they wanted to access corporate data, this isn't the way to see it. All they did was prevent mobile users from seeing theirs. However, if the credentials they used also had administrative privileges for mail/file servers, that's where their data could be at risk, and this risk is neither enhanced nor hindered by MobileIron or any other MDM being installed onsite. The story here is that admin credentials were compromised and used to wreak havoc. The system they accessed is almost irrelevant, and replacing their current MDM solution with another one simply shows that nobody seems to actually understand what happened. The replacement MDM solution will still require admin credentials, and anyone with those credentials will be able to do exactly the same.
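The defender's side of the point made in that post: whichever MDM is in place, the thing worth watching is what the admin account does with it. The following is an added example, not MobileIron's code and not anything from the article. It scans a constructed admin audit log in an assumed `timestamp admin= src= action= device=` layout and raises two alerts: an admin login from outside the trusted internal ranges (the concern raised elsewhere in this thread about the console being reachable from outside), and one admin issuing WIPE commands to five or more distinct devices inside ten minutes. The log format, field names, trusted IP ranges and thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log. The field layout is an assumption for this
# example, not MobileIron's (or any vendor's) real log format.
SAMPLE_LOG = """\
2014-05-20T03:12:01Z admin=jsmith src=10.0.4.17 action=LOGIN device=-
2014-05-20T03:13:05Z admin=jsmith src=10.0.4.17 action=WIPE device=dev-0042
2014-05-20T04:01:10Z admin=mdmadmin src=203.0.113.9 action=LOGIN device=-
2014-05-20T04:01:30Z admin=mdmadmin src=203.0.113.9 action=SEND_MESSAGE device=ALL
2014-05-20T04:02:01Z admin=mdmadmin src=203.0.113.9 action=WIPE device=dev-0101
2014-05-20T04:02:02Z admin=mdmadmin src=203.0.113.9 action=WIPE device=dev-0102
2014-05-20T04:02:03Z admin=mdmadmin src=203.0.113.9 action=WIPE device=dev-0103
2014-05-20T04:02:04Z admin=mdmadmin src=203.0.113.9 action=WIPE device=dev-0104
2014-05-20T04:02:05Z admin=mdmadmin src=203.0.113.9 action=WIPE device=dev-0105
"""

# Assumed internal ranges from which console logins are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WIPE_THRESHOLD = 5            # distinct devices wiped by one admin ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window


def parse_line(line):
    """Split one audit line into a dict; the timestamp becomes a datetime."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return a list of (alert_type, admin, detail) tuples for the whole log."""
    alerts = []
    recent_wipes = defaultdict(deque)  # admin -> deque of (timestamp, device) in window
    burst_reported = set()             # report one bulk-wipe alert per admin
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        admin, src, action, ts = rec["admin"], rec["src"], rec["action"], rec["ts"]

        # Alert 1: console login from an address outside the trusted ranges.
        if action == "LOGIN" and not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
            alerts.append(("external_admin_login", admin, src))

        # Alert 2: burst of wipes from one admin. Drop entries older than the window,
        # then count distinct devices still inside it.
        if action == "WIPE":
            window = recent_wipes[admin]
            window.append((ts, rec["device"]))
            while window and ts - window[0][0] > WINDOW:
                window.popleft()
            distinct = {device for _, device in window}
            if len(distinct) >= WIPE_THRESHOLD and admin not in burst_reported:
                alerts.append(("bulk_wipe", admin, len(distinct)))
                burst_reported.add(admin)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the single wipe by `jsmith` from an internal address stays quiet, while `mdmadmin` trips both rules. Real deployments would feed the console's own audit export and tune the threshold to the site's normal offboarding rate.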

  3. Matt_payne666

    I wonder whose fault that was? MobileIron, or Aviva for not patching fast enough? Either way, I'd not like to be part of the IT team!

    1. Matt Bryant Silver badge
      Alert

      Re: Matt_payne666

      The really funny bit is MobileIron were in here not too long ago bragging about how many companies they supplied to - could be a lot of IT people rushing around this morning to either patch or replace their MobileIron stacks!

      1. Anonymous Coward

        Funny ....

        only last week someone from a UK reseller was plugging MobileIron to us, *and* pointing to Aviva as a good reason why we should look.

        Epic fail - I'd love to have the icon, but best stay AC for this ;)

    2. Anonymous Coward

      Let's not forget this one.

      http://forums.theregister.co.uk/forum/3/2012/04/22/Drewc_Great_HR_mistakes_of_our_time_Aviva_fires_1300_by_email/

      Disgruntled employee?

      Bad security?

      Sounds to me like someone was able to remote wipe all the devices and just did, but whether it was for the pure sadistic joy of it or some other reason, we may never know.

  4. wolfetone Silver badge

    Ah Aviva, quoting BlackBerry happy.

  5. future research
    Facepalm

    Admin Access from outside.

    So, why was admin login to MobileIron available from outside Aviva? I would have allowed it to only be accessible via a two-factor VPN, or just from within Aviva itself.

    1. Yet Another Anonymous coward Silver badge

      Re: Admin Access from outside.

      It was on by default and nobody read the manual?

  6. Tommy Pock

    We're they insured?

    1. Robert Helpmann??
      Childcatcher

      We're they insured?

      Ye's - self insured.

    2. Arachnoid
      Facepalm

      We're they insured?

      Nothing to claim as no damage occurred

      1. Destroy All Monsters Silver badge

        Re: We're they insured?

        Say no more!

    3. Tommy Pock

      Oh autocarrot, how I hate you.

    4. asiaseen

      The big question is: were MobileIron insured by Aviva?

  7. Dieter Haussmann

    It isn't an iPhone/iOS issue, it's a MobileIron/MDM one.

    1. wolfetone Silver badge

      Well, it could be argued it is. If the staff all used BlackBerrys they would use the BlackBerry Services software that MobileIron imitates. Because Aviva want to save a few pounds and not issue their own handsets to their staff, they decide to use this MobileIron thing instead, allowing BYOD harmony.

      But I agree, it's not an iOS issue. I would also say it's not a MobileIron issue, it's a Heartbleed issue.

      1. Anonymous Coward

        Bull

        It's a MobileIron issue, if they haven't patched Heartbleed weeks after the exploit was made public. Possibly an Aviva issue, if a MobileIron patch has been available a while and their admins hadn't applied it yet.

    2. Internet ToughGuy

      Nope, it's an admin/password issue. MobileIron wasn't hacked in this case, it was accessed using admin credentials obtained by some other means. MobileIron isn't susceptible to Heartbleed.

      1. Anonymous Coward

        If that's really the case

        The Reg should be hearing from MobileIron's lawyers soon.

        The article said it was related to Heartbleed, you are claiming it is not. What is your source for this?

        1. tom dial Silver badge

          Re: If that's really the case

          The article said it was Heartbleed, but offered no evidence whatever, only a "purported" connection together with conjecture and a somewhat misleading description of the Heartbleed vulnerability. The source linked,

          http://www.postonline.co.uk/post/news/2349943/aviva-mobile-phones-hit-by-in-third-party-cyber-attack

          does not mention Heartbleed. The only indication of a connection between this event and the Heartbleed OpenSSL vulnerability appears to be "hart bled" in the text message pictured. So it is entirely appropriate to question how the access was made and how any necessary credentials might have been obtained.

  8. chris 17 Silver badge

    they'll bill hundreds of millions for unspecified IT losses in their balance sheets for this

  9. Hans 1

    "It is important to note that foundational components of the MobileIron Infrastructure are not vulnerable to the attack including our VSP (management console), Sentry (Secure Mobile Gateway), ConnectedCloud, Anyware, and the MobileIron client. None of these product components are vulnerable. We also conducted a recent webinar reviewing this for our customers."

    If I were MobileIron^H^H^H^HGlass, I would check again.

    Imagine they had managed to get credentials, that would mean they were probably accessing other systems as well - however, since it is limited to MobileGlass, I guess their server was not patched OR MobileGlass is still vulnerable ....

  10. Hans 1

    Around 300 000 servers on the internet are still vulnerable to heartbleed, 300k!

    Check your servers again, guyz, to be on the safe side.
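Added example, not from the post above or the article: a small Python check that reads the banner printed by `openssl version` and says whether that upstream release shipped with Heartbleed (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 onward are fixed). The host inventory is constructed. The caveat that goes with it: distributions backport the fix without bumping the version letter, so a `1.0.1e` banner on a patched Debian or Red Hat host is a false positive here; confirm against the package changelog, or a build date on or after 7 April 2014 (the day 1.0.1g was released), before calling a host clean or dirty.

```python
import re
import subprocess

# Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_vulnerable_version(banner):
    """True if the banner names an upstream OpenSSL release that shipped with Heartbleed.

    Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
    Caveat: this is a version-string test only. Distributions backport the fix
    without changing the letter, so a patched 1.0.1e package still reads as
    affected here; treat a hit as "check the package changelog", not as proof.
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    letter, beta = match.group(4), match.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a"; everything up to "f" predates the fix in 1.0.1g
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"  # 1.0.2-beta1 affected; beta2 and later fixed
    return False


# Constructed inventory: host -> banner collected from `openssl version` on that host
INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-db": "OpenSSL 0.9.8y 5 Feb 2013",
    "staging": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def triage(inventory):
    """Hosts whose banner still names an affected release, sorted, for follow-up."""
    return sorted(host for host, banner in inventory.items() if heartbleed_vulnerable_version(banner))


def local_banner():
    """Banner of the OpenSSL binary on this machine, or None if none is on the PATH."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    print("inventory hosts to recheck:", triage(INVENTORY))
    here = local_banner()
    if here:
        verdict = "affected upstream release" if heartbleed_vulnerable_version(here) else "not an affected release"
        print(here, "->", verdict)
```

Run against the constructed inventory it lists `staging` and `web-01` for follow-up; `web-02` carries the fixed release and `legacy-db` runs a 0.9.8 build that never had the heartbeat extension.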

  11. Web99

    This just shows that if you are an enterprise company with sensitive information, you can't afford to skimp on security. In light of this incident, they should probably consider BES 10 for their MDM solution, as it can manage iOS, Android and BB10 devices and has a very good reputation for security.

    1. Anonymous Coward

      @Web99,

      "This just shows that if you are an enterprise company with sensitive information, you can't afford to skimp on security."

      Quite right. It also highlights that the company is incompetent when it comes to assessing risk to their own business. That is somewhat ironic given that they're an insurance company. What's the betting that they had bought the 'cheapest' solution...

      What they should have been asking was, "Do I absolutely need BYOD for my business?". If the answer was 'yes' then they should then have considered how best to go about it, given that they were then going to stake their entire business on it working properly.

      "In light of this incident, they should probably consider BES 10 for their MDM solution, as it can manage IOS, Android and BB10 devices has a very good reputation for security"

      The article says that this is exactly what they have done. BES10 seems to have a FIPS 140-2 rating for Android, BlackBerry and iPhone.

      Aviva have just learned that those accreditations do actually mean something. They should have been looking for things like that to seek assurance that the 'bet-the-company' decision was well informed. Getting that decision wrong like they had done was putting their company in a very bad position. If it turns out that Aviva have suffered a data loss as well that might very well destroy their reputation and their whole business.

      A managed BlackBerry handset (with BlackBerry Balance) is a very well set up system. The security doesn't get in the way of usability or the user's freedom to install their own apps, use Facebook, Twitter, etc. I suspect that the same level of integrated usability and convenience doesn't quite exist on BES10 managed iPhones or Androids.

      1. This post has been deleted by its author

      2. Destroy All Monsters Silver badge

        "FIPS 140-2 rating"

        1) What level

        2) Where is the "cryptographic module"?

        3) Amazingly, it is very often possible to hack around the cryptographic module.

        those accreditations do actually mean something

        SNORT. They mean that money was pushed to "consultants" to obtain an accreditation. Basically, a feature for people with lots of money, pointy hairs and a stamp fetish.

        And then: OpenSSL is accredited!

        Did I mention this? It used to be in the standard: "Deterministic Random Number Generators, Number 4: (Removed) Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)"

        Yeah.

        And from this presentation, we bring this pricelessness. Yep, ECDSA never worked in OpenSSL in the first place.

        But wouldn’t the FIPS validation have caught the fact that the OpenSSL implementation didn’t work? Not only the original validation but many subsequent validations have successfully passed the algorithm tests ... several hundred times now. That’s a lot of fail ... the FIPS 140-2 validation testing isn’t very useful for catching real-world problems (“Flaw in Dual EC DRBG (no, not that one)”, Steve Marquess)

        Enough.

      3. tom dial Silver badge

        FIPS 140-2 refers to validation of cryptographic modules. Unauthorized use of creds has nothing to do with cryptography, although how the creds were obtained might.

        For what it's worth, the OpenSSL FIPS object module (OpenSSL was mentioned in the article, but only in speculation) has been FIPS 140 validated for several years (most recently on 12/20/2013) at 140-2, when built, deployed, and used according to a precise recipe. When I last looked, it was the only cryptographic module validated in the form of source code. One may reasonably conclude that (1) validation of cryptographic functions does not guarantee there are no bugs; and (2) cryptography is a necessary part of overall security, but far from a sufficient one.

        In all likelihood, insider threats, whether malicious or accidental, still are the most likely to become problems.

  12. Anonymous Coward

    Screenshot

    Yep it's definitely genuine. iPhone with a flat battery and bad signal.

  13. Anonymous Coward

    Minimalist, Cheap and Partial Accreditation?

    MobileIron's statement:

    "It is important to note that foundational components of the MobileIron Infrastructure are not vulnerable to the attack including our VSP (management console), Sentry (Secure Mobile Gateway)............"

    doesn't look so good up against:

    "Aviva reportedly moved impacted staff onto a new Blackberry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract."

    I couldn't help but notice that MobileIron's website says:

    "An accredited Cryptographic and Security (CST) laboratory has validated MobileIron’s use of FIPS 140-2 cryptographic libraries to be in full compliance with the Cryptographic Module Validation Program (CMVP)"

    Yet it would appear that full FIPS 140-2 compliance requires a whole lot more than that.

    So has MobileIron been caught using only partial FIPS compliance solely to gain the right to put the words "FIPS 140-2" and "compliant" on the same page on their website? Though I'm sure they wouldn't intentionally seek to create the impression that their product has somehow been sprinkled with the whole packet of FIPS fairy dust...

  14. Anonymous Coward

    No losses

    Really just reaffirms that all those phones are actually just toys, and not positively affecting productivity at all.

  15. Anonymous Coward

    sequence of events

    Aviva outsources email to a third-party MobileIron service provider. Users (who are too stupid to realise BYOD means they are spending their own money on IT equipment that should be provided to do their jobs) install the MI client. The third-party server OS gets hacked, probably due to poor perimeter controls. The MobileIron service running on the compromised server is then accessible to the remote hacker, who issues the 'if you get this message wipe the device' message, and since the MI client permits this, all users' personal devices are wiped of all apps and data.

    I'll leave it as an exercise for the reader to list the lessons to be learnt here.

  16. Anonymous Coward

    The Insurance Racket

    "There were no financial losses or repercussions." For Aviva this is true. It's their customers who will probably pay for any losses or 'repercussions'.

    You suffer a loss, for example as a victim of a burglary, and the insurance company increase your premium so you pay the cost of your own claim. Just to rub financial salt into the emotional wound of being a victim.

    The insurance company suffer a loss, for example as a result of a virtual burglary, and they will create an 'unavoidable' excuse to increase your premium.

  17. Anonymous Coward

    Misleading article

    As someone who administers MobileIron in my workplace, if they had the password to access the management console, they'd be able to send those messages and wipe the devices, but wouldn't be able to access corporate data. That interface merely administers registration etc for the devices.

    Also, as MobileIron said, their infrastructure is not vulnerable to heartbleed because it doesn't use OpenSSL, so it's clearly a case of a password ending up in the wrong hands or a disgruntled employee, rather than a technical vulnerability. Not sure why they made the heart bleed reference in the messages sent out to everyone, but perhaps just to make it seem like they were more clever than they really were.

  18. Internet ToughGuy

    Missing the point

    There are a few incorrect conclusions drawn here. Moving to BES will not solve anybody's issues. Neither will they be solved by moving to another MDM solution. In this instance, someone obtained administrator credentials, presumably by exploiting the Heartbleed vulnerability. Using the admin credentials, they then accessed the MobileIron server and sent messages and wiped devices.

    Let's say for a second that BES had been in place. Hacker obtains admin credentials, and wipes devices. No difference. The problem is the leaking of admin credentials, which were not obtained through the MobileIron system, just used to access it. If the hacker had used the same credentials to delete/reset the mail server, would this article have been blaming Exchange? It seems that the company didn't patch servers for Heartbleed, and got hacked; MobileIron was just a tool on the network that got used, but the failure to secure servers is actually the problem here, and replacing MobileIron will do nothing to resolve that.

  19. This post has been deleted by its author

  20. Anonymous Coward

    "it happened a full six weeks after Heartbleed was discovered in March"

    OK, so maybe it's not Heartbleed - but I'm pretty sure Heartbleed was discovered before March...

    - not that I'm "picking holes" or anything..

    Mine's the coat with the attached woven-copper-lined silver-foil hat, obviously.
