UK Insurance Giant Aviva Apple And MobileIron Systems Hacked Through Heartbleed

(Image: heartbleed_aviva)

I’m afraid we can’t say we didn’t warn you.

For those of you outside the UK, Aviva is one of the biggest insurance and pension providers in the country, so when they get hacked, it’s not small fry. Imagine the details they hold on every customer: life policies, pensions, car, home, dependents, addresses, bank details, all manner of personal details.

You name it, they’ve got it.

But unfortunately they seem to have gone down the path of believing that it’s ‘just a phone’ and that MobileIron is some sort of replacement for BlackBerry security, and let their staff play Russian Roulette with iPhones and iPads all over the place.

Unfortunately the round has just made it to the chamber.

The picture above is the message the iPhones showed once the hacker took control. I suspect it was a tad disconcerting.

Here’s the article, direct from The Register, and next time the author might not be so surprised at who rode to the rescue.

Heartbleed-based BYOD hack pwns insurance giant Aviva’s iPhones

Slabs and mobes moved to BB10 service… yes, you read that right

Mobile device management systems at insurance giant Aviva UK were last month hit by an attack based on the Heartbleed exploit that allowed hackers to royally screw with workers’ iPhones.

The insurance giant has played down the breach but El Reg’s mole on the inside claims Aviva is in talks about moving to a new platform in the wake of the incident.

Aviva was using BYOD service MobileIron to manage more than 1,000 smart devices such as iPhones and iPads. On the evening of 20 May, a hacker compromised the MobileIron admin server and posted a message to those handhelds and the email accounts, according to our source.

The hacker then performed a full wipe of every device and subsequently took out the MobileIron server itself.

Our tipster has forwarded a screenshot of the messages that everyone received before their phones got wiped. He claimed the incident caused millions in damages, a suggestion the insurance giant firmly denies.

In a statement sent to us, Aviva downplayed the impact of the breach, and moved to reassure clients that customer data was not exposed.

The issue was specific to iPhones and none of Aviva’s business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users. There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices.

Aviva reportedly moved impacted staff onto a new BlackBerry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract. The incident was first reported by insurance industry site Postonline.co.uk.

In response to queries from El Reg, MobileIron described the snafu at Aviva as an isolated problem that didn’t affect its other customers.

Our investigation concluded that this incident neither resulted from nor exploited any compromise or vulnerability in MobileIron systems or software. All indications are that this was an isolated incident that does not represent a threat to other MobileIron customers.

Ken Munro, a partner at Pen Test Partners who has looked into the security shortcomings of mobile device management systems, said one of the most surprising aspects of the attack was that it happened a full six weeks after Heartbleed was discovered in March because “any perimeter scan would have found it to be vulnerable”.

“Maybe it [the MobileIron server] was vulnerable, the creds were stolen, it was then patched, but the creds weren’t changed? Then the creds were used some time later,” Munro speculated. “The other possibility is that another filtering/proxying device in front of the MobileIron server was vulnerable, and creds were stolen from that instead,” he added.

The infamous Heartbleed security bug stems from a buffer overflow vulnerability in the Heartbeat component of OpenSSL. The practical upshot of the vulnerability is that all manner of sensitive data including encryption keys, bits of traffic, credentials or session keys might be extracted from unpatched systems. The flaw was first publicly disclosed in early April.

So, if you want to protect your company and, more importantly, your job, it’s time to get a grip and stop believing that anything matches BlackBerry security.

BB10 with BES…

Just can’t beat it.

So it’s probably a good time for you to come #BackToBlack…

Before you’re the next Aviva.

With thanks to concerned UTB member Joey for the heads up.

Bigglybobblyboo

Bigglybobblyboo is a legend almost nowhere at all. He is a founder member of UTB and spends his spare time taking out his anger at the world with a fishfork and a spatula. He is also a Cribbage Master, having won 1 fight online as the other guy refused to turn up out of fear for his life.

  • ray689

    Apple and Mobile Iron…a marriage made in hacker heaven. Swiss Cheese Security at its best.

  • Undbiter65

    It’s unfortunate for any of this to happen, but it could’ve been prevented if they’d used BlackBerry 10 devices with BES10. Some people just learn the hard way.

  • jic BB

    Hey to the Aviva CEO: if you love your iPhone so much because the cool dudes at work want them ….. that’s fine !!
    BES 10 gives you that and much much much much MORE !!

    And while you’re at it …. add a few Z30’s to the pile and let’s start using some productive attachment email for once because watching people use email on the toyish iOS is like watching useless work in progress ….!!!

  • web99

    Thanks for the post, Biggly. It just shows you that you can’t buy the “But it’s just a phone” argument when you are an enterprise company that has a duty to protect sensitive customer information. It’s an unfortunate incident, but it just goes to show that one has to be serious about security. Hopefully Aviva will have learnt their lesson and switch to BES 10 for their mobile management solution.

  • Canuckvoip

    Ah yes… Aviva went and gambled with their critical mobile security platform.

    Well… Let’s all sing along with our best Elvis impersonations shall we?

    “And they’re all livin’ devil may care
    And I’m just the devil with love to spare
    Aviva Las Vegas… Aviva Las Vegas”

    Thank you very much…
    http://www.lyricsfreak.com/e/elvis+presley/viva+las+vegas_20047905.html

  • web99

    They have moved their affected staff to BES 10. Good for them for making the move.

    http://n4bb.com/aviva-iphones-hacked-mobileiron-moves-impacted-blackberry/

    The Register states: “the hacker then performed a full wipe of every device and subsequently took out the MobileIron server itself.”

    “In an apparent immediate response to the breach, Aviva has moved impacted staff over to BES 10 to manage their Apple devices, and according to The Register’s resources are in the process of canceling their contract with MobileIron.”

    • Bigglybobblyboo

      Yeah, it was in the article!

      It was an overnight issue and by the start of the next day we had begun to restore devices.
      Aviva reportedly moved impacted staff onto a new Blackberry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract. The incident was first reported by insurance industry site Postonline.co.uk.

      N4BB just added their own bit on ours as did CB after them and why not? This story needs airing!

  • jic BB

    It’s time for the ” HACK LIST ” this is getting beyond scary now …. listed EMM companies like MobileIron getting hacked , then hacking of a big insurance company , iCloud hacked or jailbreak choose whatever word you want …. I pick HACKED !!!

    Then my 10 year old son goes over to a neighbour’s to hack his iTouch because his friend forgot his iTouch password ( True ) now that’s scary !!!

    BlackBerry was bashed in the media so much , was bombarded by the SHORTS , and yes mismanaged … so OK that’s history now … my key was the BES adoption jumped from 800K to 1M and is now 1.2M and I predict will rise much higher much sooner ….. it’s Back to Black Time !!

  • razrrob

    Thanks for another wonderful post Biggly! Wonderful yet scary. Scary in the way these big corporations view our personal data as if it were nothing. Whilst I’m not directly affected by this, I hope the CIO of the company loses their job for their reckless behaviour.
