Page 1 of 3 1 2 3 LastLast
Results 1 to 15 of 36

Thread: Some ZTE Valet phones are vulnerable to Heartbleed bug

  1. #1
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0

    Some ZTE Valet phones are vulnerable to Heartbleed bug

    From the "Google Online Security Blog" at http://googleonlinesecurity.blogspot...o-address.html ---

    You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this -- and encourage others to report them -- so that we can fix software flaws before they are exploited.

    If you are a Google Cloud Platform or Google Search Appliance customer, or don’t use the latest version of Android, here is what you need to know:
    ...
    Android
    All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).
    My Tracfone ZTE Valet is running Android 4.1.1.

    I checked the FAQs and Software Update parts of the ZTE site and took a quick look at the Tracfone site, but didn't see any obvious info. Not sure if I should check with TF or ZTE, but I wanted to note this exposure for other TF ZTE Valet owners. Until we learn more or a patch is made available, it would be prudent to think that https (secure) sites may be insecure for us.

    The more I read about this issue (and I read several dozen articles), the more I am convinced that security on Android devices is a crap shoot. My primary OS is Debian Linux and the Heartbleed patches were made available almost immediately. Luckily, my Android "tablet" (netbook running Android x86) is at 4.04 and safe. What to do about the phone?

    Great article on the problem of getting security fixes for Android is at http://www.zdnet.com/android-fragmen...es-7000028342/

  2. #2
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0

    Sent question to ZTE -- caution about their site

    I registered on the ZTE web site and sent them a question about Heartbleed and 4.1.1 -- whether there be an update and when we might expect it, citing the Google info.

    A caution about the ZTE web site, particularly if you reuse passwords on multiple websites. ZTE sent me an email confirming my site registration, complete with my password in clear text. I just nuked the email. I assume that a change in that password would result in another email with another plain text pw. Didn't try. Very, very, very dumb.

    Repeat after me: unencrypted email is like a postcard, not a sealed letter. Any letter carrier (any server handling the mail) can read it. It is even readable in your email app's trash bin.

  3. #3
    Join Date
    Jun 2011
    Posts
    2
    Feedback Score
    0
    I ran the Bluebox Heartbleed Scanner (free in the Play Store) on my Tracfone Valet and it is definitely vulnerable.

    Time to start rattling some cages...

  4. #4
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0
    Quote Originally Posted by RRJP View Post
    I ran the Bluebox Heartbleed Scanner (free in the Play Store) on my Tracfone Valet and it is definitely vulnerable.
    Since the scanner is a new app with relatively few users, I tried it on all my devices -- and it was correct on all my devices. It passed my Gingerbread 2.3.4 device and my Android x86 4.04 device.

    The scanner failed my ZTE Valet running 4.1.1 with the note that it was running "Android OS OpenSSL version 1.01c" and noting that "This version is vulnerable..." and that heartbeat was enabled (thus vulnerable). Appears to be a reliable scanner app.

    Since I intended to use my Valet with a VPN provider, using OpenSSL, as well as logging in to sites that require https, the Valet is useless as a secure web access device.

    Quote Originally Posted by RRJP View Post
    Time to start rattling some cages...
    Tracfone personnel monitor this board on occasion. If they could forward a pointer for this thread to their vendor relations people, it might be useful. Not much Tracfone can do directly; they have to ping ZTE. I suspect that Tracfone's advocacy might be very helpful.

  5. #5
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0
    Tried the new "Lookout Heartbleed Detector" app from the Play Store. https://play.google.com/store/apps/d...tbleeddetector

    It confirmed what the Bluebox scanner said.

    The version of OpenSSL on your device is affected by the Heartbleed bug (1.0.1c)

    And the vulnerable behavior is enabled
    Some links of interest ---

    https://blog.lookout.com/blog/2014/0...leed-detector/

    http://www.bloomberg.com/news/2014-0...bleed-bug.html

    http://bgr.com/2014/04/11/how-to-tes...android-phone/

    http://mashable.com/2014/04/11/devic...to-heartbleed/

    Nice to see the press (belatedly) getting interested in client-side issues. The server-side issues are, of course, the most serious, but one can't ignore the client-side issues.

  6. #6
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0

    Tracfone addressing issue via forums

    I searched for "heartbleed" on the main Tracfone site -- no hits.

    There is a thread in the Tracfone forums. TF personnel are PMing posters.

    https://www.tracfoneforum.com/viewto...=6184&t=530213

  7. #7
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0

    Tracfone says customers should contact ZTE directly

    TF doesn't want to discuss problems/issues in their forums. The TF person's PM told me to start a Live Chat session.

    It would not be proper for me to quote the chat transcript, but the bottom line was that TF won't be involved in supplying the update (if any) and the customer should contact ZTE directly.

    I didn't discuss this in the TF forums or ask other TF forum posters if they got the same answer. Their forum/their rules. Fair enough.

    Since I am a smartphone NOOB, I have no idea how updates are normally handled in the prepaid industry. If anyone has any experience, please share.

    I hope that ZTE CSRs will respond to my Saturday email.

    FWIW, I've decided that Android is a toy operating system. The lack of timely updates for major security issues is a show-stopper to me. Unless Google can improve this situation, I don't expect to buy another Android phone or an Android tablet. I'll stick to Kindle ebook readers and notebook computers. Windows phones are starting to look better and better - and 8.1 finally supports VPNs.

    Chromebooks, yes. Linux/Mac/Windows notebooks, yes. Android products, no.

    A real shame because I've been using Open Source for over 20 years.

  8. #8
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0

    Good article

    it is absolutely damning that an almost two-year, three-releases old Jelly Bean version of Android has been found to be vulnerable to Heartbleed.

    Of all the mobile operating systems that could have been impacted, fate decided to choose the one that upgrades between major versions at a pace that makes glacial an overstatement.

    Despite the fragmentation between differing versions of Android, it just happens that the impacted 4.1.x series of Jelly Bean is the version with the largest userbase by some stretch.

    In statistics published by Google at the start of the month, of Android devices that are accessing Google's Play Store, 5.3 percent of users are on the most recent KitKat release, 8.9 percent are on Jelly Bean 4.3, 18.1 percent use Jelly Bean 4.2, and 34.4 percent use the impacted Jelly Bean 4.1 series that was first released in mid-2012.
    Source: Heartboned: Why Google needs to reclaim Android updates
    http://www.zdnet.com/heartboned-why-...es-7000028331/

  9. #9
    Join Date
    Apr 2014
    Posts
    4
    Feedback Score
    0
    I just contacted ZTE. They said contact Tracfone. Sounds like another one of those runarounds with neither taking responsibility.

  10. #10
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0
    Quote Originally Posted by springazure View Post
    I just contacted ZTE. They said contact Tracfone. Sounds like another one of those runarounds with neither taking responsibility.
    Thanks, springazure. I haven't heard back from ZTE yet. I plan to bug both TF and ZTE if they point fingers at each other.

    It would appear that neither Google, the handset/tablet vendors, nor the carriers really want to see much publicity for this issue, as they don't have solutions ready (assuming they ever will).

    I decided to do a little "guerrilla marketing" on this issue. There is a fairly widely viewed webcast called "All About Android" on the twit.tv network. I've been a regular viewer and they do take user questions/submissions.

    I wrote up a concise summary of the issue, without naming handset vendor or carrier, with links to the Google bug statement, Bloomberg and Mashable summaries of the issue, and the ZDNET articles that describe the widespread impact of the bug, number of affected users, and damage to the Android brand.

    I'll be watching to see if they cover the issue. Show will broadcast live on Tuesday, April 15 from 5:00 to 7:00 PDT (Midnight UTC, I think) on live.twit.tv. Recorded audio/video is available the next day at http://twit.tv/show/all-about-android.

    From the show URL: "Viewers have a voice by sending emails to aaa@twit.tv or calling 347-SHOW-AAA".

    I did notice that the issue of client-side impact is just starting to appear in more mainstream news sources. (Google news had links to newspaper articles.)

  11. #11
    Join Date
    Apr 2014
    Posts
    4
    Feedback Score
    0
    Quote Originally Posted by secdroid View Post
    ...I wrote up a concise summary of the issue, without naming handset vendor or carrier
    ...

    Why not name them? They should be accountable.

  12. #12
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0
    Quote Originally Posted by springazure View Post
    ...

    Why not name them? They should be accountable.
    Absolutely.

    I wanted to present the issue as being of interest to all 34% of Android users who run 4.1.1, not just Valet users on Tracfone. The AAA people need to make their program interesting to a diverse audience. Plus, the more users who put pressure on their hardware vendors and/or carriers, the more press coverage, possibly resulting in a snowball effect that finally motivates ZTE and Tracfone.

    Google provided the patch code. To my knowledge, none of the hardware vendors or carriers have announced intent to upgrade, let alone an estimated availability date. I think the behavior of all the hardware vendors and carriers has been quite shameful. Kudos to ZDNet for being on top of this.

    Bottom line: the Android update ecosystem is really broken. Apple & M$/Nokia do it better.

    Did you contact ZTE via telephone, email app, or the email form on their support page? I still haven't heard back from them, although there might be a backlog from the weekend.

  13. #13
    Join Date
    Mar 2013
    Posts
    35
    Feedback Score
    0
    I guess the LG39C is good?

    [Attached screenshot: Screenshot_2014-04-14-17-20-17.png]

  14. #14
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0

    A tiny bit of progress

    I sent a followup email to ZTE and they finally responded, as expected:
    We request you to contact your service provider Tracfone.

    The after-sales issue is taken care of by your service provider.

    ZTE is assisting only for manufacturing the handset for them.

    You can contact them on 800-867-7183
    Perfectly reasonable, IMHO.

    I then logged in to the TF forums and requested another live chat, indicating that I had followed up on the instructions from the previous chat and the problem was unsolved. I got a PM with a link to start a new chat. I started the chat.

    This chat's CSR did not really understand the issue and apparently had not been given any guidance on how to address it. I was politely persistent. All of a sudden, the first CSR disappeared and was replaced by a new CSR.

    New CSR did have access to the entire chat transcript with first CSR. Great. New CSR read the transcript.

    I pointed out that TF said to contact ZTE, who said to contact TF. Runaround not solving issue.

    New CSR indicated that they did not have an update. CSR acknowledged that they can see the issue in their open forums and that they will have to escalate the issue. Woo hoo!

    I again requested a trouble ticket number, but was directed to submit a support ticket via a Facebook link.

    I don't use Facebook and requested a way to use email, which was provided.

    So, I will follow instructions and request a support ticket. I will not post the links because I don't think it appropriate and the more folks who contact TF directly, the better. If you care enough to request the fix yourself, you just might help motivate the escalation and resolution.

    FWIW, I think being politely persistent seems to work. Have the facts ready. The CSRs are doing the best they can, apparently with little guidance. (And they are much better than the Verizon DSL Level 1 CSRs I have dealt with!)

    So, this is much harder than it really should have been, but that is sort of understandable.

  15. #15
    Join Date
    Apr 2013
    Location
    U.S.A.
    Posts
    59
    Feedback Score
    0
    Quote Originally Posted by Legoman View Post
    I guess the LG39C is good?

    [Attached screenshot: Screenshot_2014-04-14-17-20-17.png]
    Warning: I am not an expert!

    Additionally, the issue of being vulnerable is a two-step check: the first step is to check the version of OpenSSL embedded into the Android OS. The second check is to determine the build configuration options. If the version of OpenSSL is vulnerable, but the build config disables heartbeats (-DOPENSSL_NO_HEARTBEATS), then the heartbeats are disabled and the build is not vulnerable.
    Source -- https://bluebox.com/blog/technical/h...obile-devices/
    So, I think you are OK, but I haven't studied this matter extensively.

    If it were me, I'd try the Bluebox Heartbleed scanner and read the docs.

    If I was still not sure, I'd try a few more of the highly rated scanners in the Play Store and read their docs.

    HTH.
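The two-step check quoted above (version range first, then whether heartbeats were compiled out), written out as a small assessment helper. This is an added example, not code from the thread, from Bluebox or from either scanner app; the function names are constructed, and it assumes the published CVE-2014-0160 range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed; 1.0.0 and 0.9.8 never had heartbeats).

```python
import re
from typing import Optional, Tuple

# (major, minor, fix, patch letter, beta number or None), e.g. 1.0.1c -> (1, 0, 1, "c", None)
Version = Tuple[int, int, int, str, Optional[int]]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_openssl_version(text: str) -> Optional[Version]:
    """Pull an OpenSSL version out of text such as 'OpenSSL 1.0.1c 10 May 2012'.
    Returns None when no X.Y.Z version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter or "", int(beta) if beta else None)


def version_in_heartbleed_range(v: Version) -> bool:
    """Step 1: is this version inside the CVE-2014-0160 range?"""
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"            # plain 1.0.1 and 1.0.1a..1.0.1f are affected
    if (major, minor, fix) == (1, 0, 2):
        return beta is not None and beta < 2   # only 1.0.2-beta1 is affected
    return False                       # 1.0.0, 0.9.8, 1.0.2 final, etc.


def assess(version_text: str, heartbeats_enabled: bool) -> Tuple[str, str]:
    """Combine both steps. heartbeats_enabled is False when the build used
    -DOPENSSL_NO_HEARTBEATS. Returns (status, reason)."""
    v = parse_openssl_version(version_text)
    if v is None:
        return ("unknown", "no OpenSSL version found in %r" % version_text)
    label = "%d.%d.%d%s" % v[:4] + ("-beta%d" % v[4] if v[4] is not None else "")
    if not version_in_heartbleed_range(v):
        return ("not vulnerable", "OpenSSL %s is outside the CVE-2014-0160 range" % label)
    if not heartbeats_enabled:
        return ("not vulnerable",
                "OpenSSL %s is in range, but heartbeats were compiled out" % label)
    return ("vulnerable", "OpenSSL %s with heartbeats enabled" % label)


if __name__ == "__main__":
    # Constructed inputs: the Valet's reported build, and a hardened rebuild of it.
    print(assess("Android OS OpenSSL version 1.0.1c", heartbeats_enabled=True))
    print(assess("Android OS OpenSSL version 1.0.1c", heartbeats_enabled=False))
```

A version string alone is never enough; a scanner that reports only step 1 will flag a build that disabled heartbeats, which is why the Bluebox note stresses both checks.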

