Mobile device management systems at insurance giant Aviva UK were last month hit by an attack – purportedly based on the Heartbleed exploit, although the firm denies this – that appeared to allow the perpetrator to royally screw with workers' iPhones.
The insurance giant has played down the breach but El Reg's mole on the inside claims Aviva is in talks about moving to a new platform in the wake of the incident.
Aviva was using BYOD service MobileIron to manage more than 1,000 smart devices such as iPhones and iPads. On the evening of the 20 May, a hacker compromised the MobileIron admin server and posted a message to those handhelds and the email accounts, according to our source.
The hacker then performed a full wipe of every device and subsequently took out out the MobileIron server itself.
Hacker taunts Aviva after Heartbleed hack
Our tipster has forwarded a screenshot of the messages that everyone received before their phones got wiped. He claimed the incident caused millions in damages, a suggestion the insurance giant firmly denies.
In a statement sent to us, Aviva downplayed the impact of the breach, and moved to reassure clients that customer data was not exposed.
The issue was specific to iPhones and none of Aviva's business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users. There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices.
Aviva reportedly moved impacted staff onto a new Blackberry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract. The incident was first reported by insurance industry site Postonline.co.uk.
In response to queries from El Reg, Mobileiron described the snafu at Aviva as an isolated problem that didn't affect its other customers.
Our investigation concluded that this incident neither resulted from nor exploited any compromise or vulnerability in MobileIron systems or software. All indications are that this was an isolated incident that does not represent a threat to other MobileIron customers.
Ken Munro, a partner at Pen Test Partners who has looked into the security shortcomings of mobile device management systems, said one of the most surprising aspects of the attack was that it happened a full six weeks after Heartbleed was discovered in March because "any perimeter scan would have found it to be vulnerable".
"Maybe it [the MobileIron server] was vulnerable, the creds were stolen, it was then patched, but the creds weren’t changed? Then the creds were used some time later," Munro speculated. "The other possibility is that another filtering/proxying device in front of the MobileIron server was vulnerable, and creds were stolen from that instead." he added.
The infamous Heartbleed security bug stems from a buffer overflow vulnerability in the Heartbeat component of OpenSSL. The practical upshot of the vulnerability is that all manner of sensitive data including encryption keys, bits of traffic, credentials or session keys might be extracted from unpatched systems. The flaw was first publicly disclosed in early April.
MobileIron has been in touch to add the following statement:
"It is important to note that foundational components of the MobileIron Infrastructure are not vulnerable to the attack including our VSP (management console), Sentry (Secure Mobile Gateway), ConnectedCloud, Anyware, and the MobileIron client. None of these product components are vulnerable. We also conducted a recent webinar reviewing this for our customers." ®