UK Insurance Giant Aviva Apple And MobileIron Systems Hacked Through Heartbleed


I’m afraid we can’t say we didn’t warn you.

For those of you outside the UK Aviva are one of the biggest insurance and pension providers in the UK so when they get hacked, it’s not small fry. Imagine the details they hold on every customer? Life policies, pensions, car, home, dependents, addresses, bank details, all manner of personal details.

You name it, they’ve got it.

But unfortunately they seem to have gone down the path that it’s ‘just a phone’ and that MobileIron are some sort of replacement for BlackBerry security and let their staff play Russian Roulette with iPhones and iPads all over the place.

Unfortunately the round has just made it to the chamber.

The picture above is the message the iPhones showed once the hacker took control. I suspect it was a tad disconcerting.

Here’s the article, direct from The Register, and the author might not seem so surprised at who rode to the rescue next time.

Heartbleed-based BYOD hack pwns insurance giant Aviva’s iPhones

Slabs and mobes moved to BB10 service… yes, you read that right

Mobile device management systems at insurance giant Aviva UK were last month hit by an attack based on the Heartbleed exploit that allowed hackers to royally screw with workers’ iPhones.

The insurance giant has played down the breach but El Reg’s mole on the inside claims Aviva is in talks about moving to a new platform in the wake of the incident.

Aviva was using BYOD service MobileIron to manage more than 1,000 smart devices such as iPhones and iPads. On the evening of the 20 May, a hacker compromised the MobileIron admin server and posted a message to those handhelds and the email accounts, according to our source.

The hacker then performed a full wipe of every device and subsequently took out out the MobileIron server itself.

Our tipster has forwarded a screenshot of the messages that everyone received before their phones got wiped. He claimed the incident caused millions in damages, a suggestion the insurance giant firmly denies.

In a statement sent to us, Aviva downplayed the impact of the breach, and moved to reassure clients that customer data was not exposed.

The issue was specific to iPhones and none of Aviva’s business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users. There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices.
Aviva reportedly moved impacted staff onto a new Blackberry 10 service to manage all their Apple devices, and are in discussions with MobileIron reseller Esselar to cancel their contract. The incident was first reported by insurance industry site

In response to queries from El Reg, Mobileiron described the snafu at Aviva as an isolated problem that didn’t affect its other customers.

Our investigation concluded that this incident neither resulted from nor exploited any compromise or vulnerability in MobileIron systems or software. All indications are that this was an isolated incident that does not represent a threat to other MobileIron customers.
Ken Munro, a partner at Pen Test Partners who has looked into the security shortcomings of mobile device management systems, said one of the most surprising aspects of the attack was that it happened a full six weeks after Heartbleed was discovered in March because “any perimeter scan would have found it to be vulnerable”.

“Maybe it [the MobileIron server] was vulnerable, the creds were stolen, it was then patched, but the creds weren’t changed? Then the creds were used some time later,” Munro speculated. “The other possibility is that another filtering/proxying device in front of the MobileIron server was vulnerable, and creds were stolen from that instead.” he added.

The infamous Heartbleed security bug stems from a buffer overflow vulnerability in the Heartbeat component of OpenSSL. The practical upshot of the vulnerability is that all manner of sensitive data including encryption keys, bits of traffic, credentials or session keys might be extracted from unlatched systems. The flaw was first publicly disclosed in early April.

So, if you want to protect your company and, more importantly, your job, it’s time to get a grip and stop believing that anything matches BlackBerry security.

BB10 with BES…

Just can’t beat it.

So it’s probably a good time for you to come #BackToBlack…

Before you’re the next Aviva.

With thanks to concerned UTB member Joey for the heads up.


Bigglybobblyboo is a legend almost nowhere at all. He is a founder member of UTB and spends his spare time taking out his anger at the world with a fishfork and a spatula. He is also a Cribbage Master, having won 1 fight online as the other guy refused to turn up out of fear for his life.