'Heartbleed-based BYOD hack' pwns insurance giant Aviva's iPhones

Slabs and mobes moved to BB10... yes, you read that right


Mobile device management systems at insurance giant Aviva UK were last month hit by an attack – purportedly based on the Heartbleed exploit, although the firm denies this – that appeared to allow the perpetrator to royally screw with workers' iPhones.

The insurance giant has played down the breach but El Reg's mole on the inside claims Aviva is in talks about moving to a new platform in the wake of the incident.

Aviva was using MobileIron's mobile device management (MDM) service to manage more than 1,000 BYOD smart devices such as iPhones and iPads. On the evening of 20 May, a hacker compromised the MobileIron admin server and used it to push a message to those handhelds and to their email accounts, according to our source.

The hacker then performed a full wipe of every device and subsequently took out the MobileIron server itself.

Hacker taunts Aviva after Heartbleed hack

Our tipster has forwarded a screenshot of the messages that everyone received before their phones got wiped. He claimed the incident caused millions in damages, a suggestion the insurance giant firmly denies.

In a statement sent to us, Aviva downplayed the impact of the breach, and moved to reassure clients that customer data was not exposed.

The issue was specific to iPhones and none of Aviva's business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users. There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices.

Aviva reportedly moved impacted staff onto a new BlackBerry 10 service to manage all their Apple devices, and is in discussions with MobileIron reseller Esselar to cancel its contract. The incident was first reported by insurance industry site Postonline.co.uk.

In response to queries from El Reg, MobileIron described the snafu at Aviva as an isolated problem that didn't affect its other customers.

Our investigation concluded that this incident neither resulted from nor exploited any compromise or vulnerability in MobileIron systems or software. All indications are that this was an isolated incident that does not represent a threat to other MobileIron customers.

Ken Munro, a partner at Pen Test Partners who has looked into the security shortcomings of mobile device management systems, said one of the most surprising aspects of the attack was that it happened a full six weeks after Heartbleed was publicly disclosed (the bug was found in March and went public in early April), because "any perimeter scan would have found it to be vulnerable".

"Maybe it [the MobileIron server] was vulnerable, the creds were stolen, it was then patched, but the creds weren't changed? Then the creds were used some time later," Munro speculated. "The other possibility is that another filtering/proxying device in front of the MobileIron server was vulnerable, and creds were stolen from that instead," he added.

The infamous Heartbleed security bug (CVE-2014-0160) stems from a missing bounds check in the TLS Heartbeat extension of OpenSSL: a peer can claim a heartbeat payload far longer than the one it actually sent, and unpatched code copies that many bytes out of its own memory into the reply. It is a buffer over-read rather than an overflow, which is why it leaks data without crashing anything or leaving a trace in the server's logs. The practical upshot is that all manner of sensitive data, including private keys, bits of traffic, credentials or session keys, might be extracted from unpatched systems, up to 64KB per request. The flaw was first publicly disclosed in early April 2014.
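To make concrete both the over-read described above and Munro's point that a perimeter scan would have spotted it, here is an added example, not code from the article, Aviva, MobileIron or OpenSSL. It models a heartbeat handler with the unpatched logic beside the check that the OpenSSL 1.0.1g fix introduced. The "server memory" is a single constructed array with the received record at offset 0 and a made-up credential placed right after it, so the over-read is observable without undefined behaviour; the credential string and the request sizes are constructed for the demo.

```c
/* Added example, not OpenSSL code: a model of the TLS Heartbeat over-read
 * behind Heartbleed (CVE-2014-0160), vulnerable and patched side by side.
 * A heartbeat message is: 1 type byte, 2-byte big-endian payload length,
 * the payload, then at least 16 bytes of padding; the peer echoes the payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MAX_PAYLOAD  65535                      /* largest value of the 2-byte length */
#define MEM_SIZE     (3 + MAX_PAYLOAD + HB_PADDING)

/* Constructed stand-in for the server's heap: the received record sits at
 * offset 0 and whatever the allocator left next to it follows in the same
 * array, so the over-read stays inside defined memory for this demo. */
typedef struct {
    uint8_t mem[MEM_SIZE];
    size_t  record_len;     /* what the TLS record layer actually delivered */
} peer_t;

static peer_t  server;
static uint8_t reply[MEM_SIZE];

/* Build a request whose length field claims `claimed_len` bytes but whose
 * real payload is `payload`. Returns the record length actually sent. */
static size_t build_request(uint8_t *buf, uint16_t claimed_len, const char *payload)
{
    size_t n = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, n);
    memset(buf + 3 + n, 0xAA, HB_PADDING);      /* padding (random in real TLS) */
    return 3 + n + HB_PADDING;
}

/* Unpatched shape: the payload length comes from the attacker and nothing
 * compares it with the record that was received, so memcpy walks past the
 * record into adjacent memory. Returns the reply length. */
static int heartbeat_vulnerable(const peer_t *pm, uint8_t *out)
{
    const uint8_t *p = pm->mem;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);   /* attacker-controlled */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);                     /* BUG: buffer over-read */
    memset(out + 3 + payload, 0xBB, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Patched shape: a request whose header, claimed payload and padding would
 * not fit inside the received record is silently discarded, not echoed. */
static int heartbeat_patched(const peer_t *pm, uint8_t *out)
{
    const uint8_t *p = pm->mem;
    if (p[0] != HB_REQUEST) return -1;
    if (1 + 2 + HB_PADDING > pm->record_len) return -1;          /* too short to be valid */
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > pm->record_len) return -1;  /* the fix */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);
    memset(out + 3 + payload, 0xBB, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

static int contains(const uint8_t *hay, size_t hn, const char *needle, size_t nn)
{
    for (size_t i = 0; i + nn <= hn; i++)
        if (memcmp(hay + i, needle, nn) == 0) return 1;
    return 0;
}

/* Attack scenario: a 4-byte payload that claims 65535 bytes, with a constructed
 * admin credential sitting in memory just after the record.
 * Returns 1 if the credential comes back in the reply, 0 otherwise. */
static int secret_leaks(int use_patched)
{
    static const char secret[] = "Authorization: Basic YWRtaW46UGFzc3cwcmQh"; /* constructed */
    memset(&server, 0, sizeof server);
    server.record_len = build_request(server.mem, MAX_PAYLOAD, "ping");
    memcpy(server.mem + server.record_len, secret, sizeof secret - 1);
    int n = use_patched ? heartbeat_patched(&server, reply)
                        : heartbeat_vulnerable(&server, reply);
    if (n < 0) return 0;                        /* dropped: nothing echoed at all */
    return contains(reply, (size_t)n, secret, sizeof secret - 1);
}

/* Legitimate heartbeat: claimed length matches the payload. Returns 1 if the
 * handler echoes "ping" correctly, showing the fix does not break normal use. */
static int honest_echo_ok(int use_patched)
{
    memset(&server, 0, sizeof server);
    server.record_len = build_request(server.mem, 4, "ping");
    int n = use_patched ? heartbeat_patched(&server, reply)
                        : heartbeat_vulnerable(&server, reply);
    return n == 3 + 4 + HB_PADDING && memcmp(reply + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d, patched leaks secret: %d\n",
           secret_leaks(0), secret_leaks(1));
    printf("honest echo ok (vulnerable/patched): %d/%d\n",
           honest_echo_ok(0), honest_echo_ok(1));
    return 0;
}
```

The oversized-length request is exactly what Heartbleed scanners send: a heartbeat whose length field exceeds the record, followed by a check of whether the reply comes back longer than what was sent. That is why a routine perimeter scan six weeks after disclosure would have flagged an unpatched appliance, and why harvested credentials stay valid after patching unless they are rotated.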

Updated

MobileIron has been in touch to add the following statement:

"It is important to note that foundational components of the MobileIron Infrastructure are not vulnerable to the attack including our VSP (management console), Sentry (Secure Mobile Gateway), ConnectedCloud, Anyware, and the MobileIron client. None of these product components are vulnerable. We also conducted a recent webinar reviewing this for our customers." ®
