BOSTON, April 13 BlackBerry Ltd said it
plans to release security updates for messaging software for
Android and iOS devices by Friday to address vulnerabilities in
programs related to the "Heartbleed" security threat.
Researchers last week warned they uncovered Heartbleed, a
bug that targets the OpenSSL software commonly used to keep data
secure, potentially allowing hackers to steal massive troves of
information without leaving a trace.
Security experts initially told companies to focus on
securing vulnerable websites, but have since warned about
threats to technology used in data centers and on mobile devices
running Google Inc's Android software and Apple Inc's
Scott Totzke, BlackBerry senior vice president, told Reuters
on Sunday that while the bulk of BlackBerry products do not use
the vulnerable software, the company does need to update two
widely used products: Secure Work Space corporate email and BBM
messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they
gain access to those apps through either WiFi connections or
Still, he said, "The level of risk here is extremely small,"
because BlackBerry's security technology would make it difficult
for a hacker to succeed in gaining data through an attack.
"It's a very complex attack that has to be timed in a very
small window," he said, adding that it was safe to continue
using those apps before an update is issued.
Google spokesman Christopher Katsaros declined comment.
Officials with Apple could not be reached.
Security experts say that other mobile apps are also likely
vulnerable because they use OpenSSL code.
Michael Shaulov, chief executive of Lacoon Mobile Security,
said he suspects that apps that compete with BlackBerry in an
area known as mobile device management are also susceptible to
attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which
products are vulnerable and fix them.
"It will take the hackers a couple of weeks or even a month
to move from 'proof of concept' to being able to exploit
devices," said Shaulov.
Technology firms and the U.S. government are taking the
threat extremely seriously. Federal officials warned banks and
other businesses on Friday to be on alert for hackers seeking to
steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc,
Hewlett-Packard Co, International Business Machines Corp,
Intel Corp, Juniper Networks Inc,
Oracle Corp and Red Hat Inc have warned customers
they may be at risk. Some updates are out, while others, like
BlackBerry, are rushing to get them ready.
While there have been no public reports of successful
attacks involving the Heartbleed vulnerability, researchers say
that it has been around for several years. That means that
hackers could have successfully been using it without being
caught since attacks do not leave any traces.
(Reporting by Jim Finkle; Editing by Leslie Adler)