How bad is the OpenSSL "Heartbleed" vulnerability for MDM?

Your rating: None (2 votes)

Yesterday a vulnerability came to light in OpenSSL, which underpins much of the security infrastructure on web servers and application servers around the Internet. Today the technology world is on fire about the bug. Basically, any server running OpenSSL versions 1.0.1 through 1.0.1f is at risk to a simple query. There is an online tool available to check your servers.

The bug, however, doesn't only affect SSL. OpenSSL is also commonly used for generating the asymmetric encryption keys that are the foundation of, oh, the Apple Push Notification Service. And APNS is the foundation for MDM.

If your MDM service happens to be vulnerable, or was vulnerable any time in the last two years the bug has been available, then it is possible someone has stolen your server's private APNS key. And if they do that then your MDM is compromised. But since the attack leaves no trace, well it may be better to err on the safe side.

The "safe side" for MDM means revoking your APNS certificate, and re-enrolling all devices. By hand. That is going to be a huge a bucket of pain.

So here is hoping your particular MDM service is not and was not vulnerable. I've heard from a few already, but will wait for official statements to become available before posting. Watch this thread for more as this develops.

Share your ideas

ChrisTx's picture


Joined: Nov 5, 2013

Heartbleed and MDM

Your rating: None

We are already inquiring about how this will affect our MDM Vendor and what steps we will need to take to help us protect our mobile devices.

Aaron Freimark's picture

Aaron Freimark

Joined: Nov 6, 2010


Your rating: None (1 vote)

I haven't yet seen any official word from the MDM vendors about Heartbleed. Have you?

Aaron Freimark, Enterprise iOS founder & GroundControl CEO

MaciekSA's picture


Joined: Apr 19, 2013

Here is an extract from MobileIron's email

Your rating: None

MobileIron Heartbleed


Recent Activity