1. fabfreddie's Avatar
    Heartbleed-based BYOD hack pwns insurance giant Aviva's iPhones

    Slabs and mobes moved to BB10 service... yes, you read that right

    Mobile device management systems at insurance giant Aviva UK were last month hit by an attack based on the Heartbleed exploit that allowed hackers to royally screw with workers' iPhones.

    The insurance giant has played down the breach but El Reg's mole on the inside claims Aviva is in talks about moving to a new platform in the wake of the incident.


    Aviva was using BYOD service MobileIron to manage more than 1,000 smart devices such as iPhones and iPads. On the evening of 20 May, a hacker compromised the MobileIron admin server and posted a message to those handhelds and the email accounts, according to our source.

    The hacker then performed a full wipe of every device and subsequently took out the MobileIron server itself.

    Hacker taunts Aviva after Heartbleed hack
    Our tipster has forwarded a screenshot of the messages that everyone received before their phones got wiped. He claimed the incident caused millions in damages, a suggestion the insurance giant firmly denies.

    In a statement sent to us, Aviva downplayed the impact of the breach, and moved to reassure clients that customer data was not exposed.

    The issue was specific to iPhones and none of Aviva's business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users. There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices.
    Aviva reportedly moved impacted staff onto a new Blackberry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract. The incident was first reported by insurance industry site Postonline.co.uk.

    In response to queries from El Reg, MobileIron described the snafu at Aviva as an isolated problem that didn't affect its other customers.

    Our investigation concluded that this incident neither resulted from nor exploited any compromise or vulnerability in MobileIron systems or software. All indications are that this was an isolated incident that does not represent a threat to other MobileIron customers.
    Ken Munro, a partner at Pen Test Partners who has looked into the security shortcomings of mobile device management systems, said one of the most surprising aspects of the attack was that it happened a full six weeks after Heartbleed was discovered in March because "any perimeter scan would have found it to be vulnerable".

    "Maybe it [the MobileIron server] was vulnerable, the creds were stolen, it was then patched, but the creds weren’t changed? Then the creds were used some time later," Munro speculated. "The other possibility is that another filtering/proxying device in front of the MobileIron server was vulnerable, and creds were stolen from that instead." he added.

    The infamous Heartbleed security bug stems from a buffer overflow vulnerability in the Heartbeat component of OpenSSL. The practical upshot of the vulnerability is that all manner of sensitive data including encryption keys, bits of traffic, credentials or session keys might be extracted from unpatched systems. The flaw was first publicly disclosed in early April.
    Heartbleed-based BYOD hack pwns insurance giant Aviva's iPhones • The Register

    Aviva iPhones on MobileIron attacked, firm reportedly moves affected devices to BES 10
    Last edited by BlackBerry Guy; 06-23-14 at 09:37 AM.
    Bla1ze, Snap51, Jrox74 and 4 others like this.
    06-23-14 09:27 AM
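The Heartbeat flaw the article refers to, as an added illustration that is not OpenSSL's source and not part of the original post: a simplified model of the request handler before and after the fix, fed a constructed record whose claimed payload length exceeds what was actually sent. The function names, the "arena" layout standing in for adjacent process memory, and the sample bytes are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model (not OpenSSL's code). A heartbeat record is: 1-byte type,
 * 2-byte big-endian payload length, payload, then at least 16 bytes of padding.
 * The record sits at the start of an "arena"; the arena's remaining bytes stand
 * in for adjacent process memory. Handlers return bytes echoed, or -1 if rejected. */
#define PAD 16
static size_t read_u16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Pre-fix logic: trusts the peer-supplied length, never checks the record size. */
int heartbeat_vulnerable(const uint8_t *arena, size_t arena_len, uint8_t *out, size_t out_len) {
    size_t payload = read_u16(arena + 1);
    if (payload > out_len || 3 + payload > arena_len) return -1; /* model-only guard */
    memcpy(out, arena + 3, payload);   /* copies past the record's real end */
    return (int)payload;
}

/* Post-fix logic: the claimed payload must fit inside the received record. */
int heartbeat_fixed(const uint8_t *arena, size_t rec_len, uint8_t *out, size_t out_len) {
    if (rec_len < 1 + 2 + PAD) return -1;            /* too short to hold a length */
    size_t payload = read_u16(arena + 1);
    if (1 + 2 + payload + PAD > rec_len) return -1;  /* claim exceeds record: drop */
    if (payload > out_len) return -1;
    memcpy(out, arena + 3, payload);
    return (int)payload;
}

/* Constructed sample: the record claims a 32-byte payload but carries 4 ("ping")
 * plus padding; the arena then continues with a stand-in secret. */
static const uint8_t ARENA[] = {
    0x01, 0x00, 0x20, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-', 'M', 'A', 'T', 'E', 'R', 'I', 'A', 'L' };
#define REC_LEN (3 + 4 + PAD)

/* Returns 1 when the vulnerable handler echoes bytes from beyond the record. */
int leak_demo(void) {
    uint8_t out[64] = {0};
    int n = heartbeat_vulnerable(ARENA, sizeof ARENA, out, sizeof out);
    return n == 32 && memcmp(out + 4 + PAD, "SECRET-KEY", 10) == 0;
}

/* Runs the fixed handler on the same record with a chosen claimed length. */
int fixed_demo(size_t claimed) {
    uint8_t rec[sizeof ARENA], out[64];
    memcpy(rec, ARENA, sizeof ARENA);
    rec[1] = (uint8_t)(claimed >> 8); rec[2] = (uint8_t)claimed;
    return heartbeat_fixed(rec, REC_LEN, out, sizeof out);
}
```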
  2. jaydee5799's Avatar
    OK the vulgarity not necessary but this is quite a story.
    06-23-14 09:30 AM
  3. fabfreddie's Avatar
    Humour dear.
    06-23-14 09:51 AM
  4. mediadavid's Avatar
    Quite an important story if true!

    Posted via CB10
    06-23-14 10:01 AM
  5. GreenCopperz's Avatar
    Wow, get back over to BlackBerry folks... should not have left.

    Posted via CB10
    06-23-14 10:03 AM
  6. qbnkelt's Avatar
    Quite an important story if true!

    Posted via CB10
    True....I'm trying to find other sources but it all comes from the same Register story. There's got to be someone else reporting on this.
    Snap51 likes this.
    06-23-14 10:14 AM
  7. itsyaboy's Avatar
    Very interesting! Hopefully some more facts will leak out...
    06-23-14 10:18 AM
  8. Jimberry Storm's Avatar
    I'm torn, don't like hackers (usually the little guy pays for their whatever) but it is good news for BB, as long as they don't get hit as well.
    06-23-14 10:22 AM
  9. fabfreddie's Avatar
    Steve Broughton's Experience

    Technical Design Authority - BYOD & Mobile Engineering
    Aviva plc
    Public Company; 10,001+ employees; AV; Financial Services industry
    September 2012 – Present (1 year 10 months) Norwich, United Kingdom

    As part of the internal changes made during 2012, I became the Technical Design Authority for the BYOD & Mobile Engineering team. As part of these changes I'm technically responsible for the Mobile Device Management systems that Aviva use within their Office-365 environment.

    > Provide Technical Consultancy for majority MDM related queries.
    > Technical Lead for implementation of MobileIron Mobile Device Management system.
    > Undertook training on MobileIron, produced documentation and then rolled out to all key areas of the business.
    > Designed & Implemented BES10 infrastructure.
    > Undertaken training on BES10 and now rolling out to key business areas.
    > Training support teams to support BES10 Infrastructure.
    Steve Broughton - United Kingdom | LinkedIn

    The BES10 comes After the Mobileiron.
    06-23-14 10:26 AM
  10. AnimalPak200's Avatar
    Story needs to be polished a bit and, of course, verified (although I bet none of the parties will be willing to comment on it)... but if the basic premise is true, then this is pretty big for BlackBerry.

    Posted via CB10
    06-23-14 10:30 AM
  11. fabfreddie's Avatar
    Why would the man in charge implement a BYOD system (MobileIron), then design, implement and train on another one, BES10, afterwards? When you are a monster like Aviva, you cannot have 2 managers. They have definitely but quietly begun the shift over to BlackBerry.
    06-23-14 10:35 AM
  12. qbnkelt's Avatar
    OK but who's Steve???? Is this a name I should know?
    06-23-14 10:53 AM
  13. fabfreddie's Avatar
    He's the guy in charge of Aviva's BYOD and mobile division. When it comes to mobile he calls the shots, and Steve has clearly moved from MobileIron to BES10.
    06-23-14 11:00 AM
  14. qbnkelt's Avatar
    Ah! Gotcha! Thanks...I feel so underconnected... :-P

    Posted from my awesome Q10 via CB10.
    06-23-14 11:14 AM
  15. eddy_berry's Avatar
    OK but who's Steve???? Is this a name I should know?
    OMG Q! Everyone knows who Steve is. Steve's the man! That's who Steve is. Ahh... classic Steve.
    06-23-14 11:28 AM
  16. Trini-34's Avatar
    Very interesting read. If I am reading this right- they hack a MDM console/server and from there they were able to send messages and wipe the devices enrolled in it. This is not showing a flaw in iphone's OS but a flaw on MobileIron's infrastructure. This is where BES10/12 can do some good! Thanks for sharing OP.
    BBFTW!!!
    06-23-14 11:37 AM
  17. fabfreddie's Avatar
    Exactly, and Chen's new direction is for BlackBerry to make money from its services/software side, something that was not done before. Now if this situation can spread, it means RIM can make a whole pile of cash and we get to keep our cool devices regardless of outstanding sales.
    06-23-14 11:50 AM
  18. qbnkelt's Avatar
    OMG Q! Everyone knows who Steve is. Steve's the man! That's who Steve is. Ahh... classic Steve.
    *hangs head in shame and hurries behind file cabinet*

    Posted from my awesome Q10 via CB10.
    eddy_berry and kbz1960 like this.
    06-23-14 11:57 AM
  19. Bla1ze's Avatar
    Interesting, looking into it more now.
    arfin, bungaboy, Supa_Fly1 and 2 others like this.
    06-23-14 12:02 PM
  20. eddy_berry's Avatar
    *hangs head in shame and hurries behind file cabinet*

    Posted from my awesome Q10 via CB10.
    Well you can come out from there now. Soon everyone will know of Steve! It is Steve who has hung head in shame and then redeemed himself by resurrecting the powerful BlackBerry to Aviva! No need to hide behind file cabinets! BES will make you strong again!

    Bwahahaha Steve...


    I'm having way too much fun today.
    bungaboy likes this.
    06-23-14 01:51 PM
  21. raino's Avatar
    True....I'm trying to find other sources but it all comes from the same Register story. There's got to be someone else reporting on this.
    Oh...you're interested in this story. What a shocker. Aren't you past your "I told you so!" quota for the year??
    eddy_berry likes this.
    06-23-14 02:07 PM
  22. qbnkelt's Avatar
    Oh...you're interested in this story. What a shocker. Aren't you past your "I told you so!" quota for the year??
    Not hardly love. Haven't made a dent. :-(

    Posted from my awesome Q10 via CB10.
    06-23-14 02:33 PM
  23. The Big Picture's Avatar
    I really don't understand some of these MNCs' IT heads.

    Stop trying to be "alternative" and go with what's secure.

    BlackBerry has and will always be about enterprise security, don't try to be clever and choose other solutions when they are not really valid. Wake the fu*k up.

    Signature - Google wants your info. What are you gonna do about it?
    06-23-14 03:31 PM
  24. nikgilbe's Avatar
    I really don't understand some of these MNCs' IT heads.

    Stop trying to be "alternative" and go with what's secure.

    BlackBerry has and will always be about enterprise security, don't try to be clever and choose other solutions when they are not really valid. Wake the fu*k up.

    Signature - Google wants your info. What are you gonna do about it?
    Having helped out a large MNC evaluate their options, security isn't always as high on the list as you might think. With BB reportedly on their deathbed last Sept/Oct according to the likes of Gartner, investing in BES10 was seen as too risky. Staying with BES5 was difficult as at the time there was a worldwide shortage of legacy BBOS devices. Add that to the push from CxO's to use personal i devices and alternative solutions started to seem more attractive.

    In many cases, "good enough" security was considered adequate as most users didn't have much valuable info beyond the usual dull email chains.

    Having said that, with BES12 being truly cross platform, and the hopefully ongoing resurgence of BB, fingers crossed common sense will prevail.

    Z30STA100-2/10.3.0.296
    06-23-14 04:16 PM
  25. The Big Picture's Avatar
    Having helped out a large MNC evaluate their options, security isn't always as high on the list as you might think. With BB reportedly on their deathbed last Sept/Oct according to the likes of Gartner, investing in BES10 was seen as too risky. Staying with BES5 was difficult as at the time there was a worldwide shortage of legacy BBOS devices. Add that to the push from CxO's to use personal i devices and alternative solutions started to seem more attractive.

    In many cases, "good enough" security was considered adequate as most users didn't have much valuable info beyond the usual dull email chains.

    Having said that, with BES12 being truly cross platform, and the hopefully ongoing resurgence of BB, fingers crossed common sense will prevail.

    Z30STA100-2/10.3.0.296
    I get that but it didn't really work out for Aviva in the end did it?

    Why couldn't they ask BlackBerry themselves if they were on their deathbed rather than assume and believe the media? I thought heads of MNCs were smarter than that? And if security wasn't very high on their list of criteria it should damn well be now!

    Unless again they choose to not learn and believe that they wont get hacked.

    Signature - Google wants your info. What are you gonna do about it?
    06-23-14 04:20 PM
