
BlackBerry readies Heartbleed fix for BBM Messenger

In the works are updates for two popular BlackBerry products, Secure Work Space corporate email and the BBM messaging program for Android and iOS.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.


BlackBerry plans to release a set of updates to plug the security holes left by the OpenSSL flaw Heartbleed.

Heartbleed is a security flaw discovered by researchers this month. The vulnerability is found in OpenSSL, software used to keep data secure across a variety of services, including messaging, content sharing, online shopping and banking.

Through the flaw, hackers can theoretically communicate with a server, steal large amounts of data, and vanish without a trace.

The engineer who contributed the code to OpenSSL resulting in Heartbleed spoke out last week, stating that the problem was "accidental" and not malicious as some parties have claimed.

While there are yet to be public reports of hackers using the vulnerability to steal data, the security flaw has been present for several years.

A number of companies have issued patches to stem the problem, including Google, Facebook, YouTube, Yahoo and Pinterest. According to Reuters, BlackBerry is next on the list: BlackBerry senior vice president Scott Totzke said the company will need to update two popular products, Secure Work Space corporate email and the BBM messaging program for Android and iOS.

Totzke says that the majority of BlackBerry services do not use OpenSSL and therefore are impervious to Heartbleed, but Secure Work Space and BBM messaging may be vulnerable if cybercriminals gain access to these apps through Wi-Fi or carrier networks. Security patches are being issued as a cautionary measure, as the risk of this happening is "extremely small," according to the BlackBerry executive.

"It's a very complex attack that has to be timed in a very small window," Totzke insists, and he believes it is safe to continue using these services until patches are released.

OpenSSL Software Foundation president Steve Marquess has asked governments and businesses that use OpenSSL within their services to donate to the project. Marquess believes that entities which "take [OpenSSL] for granted" should be the ones that contribute funds to make the platform more secure, and that the project needs at least six full-time employees rather than just one, considering the widespread use of the system.