Beware of ‘Cupid,’ the new Heartbleed attack method that affects Android devices

If you think the Heartbleed Bug threat is over, think again. Less than two months since the security flaw was first exposed, exploiting it just got a lot easier.

According to Portuguese security researcher Luis Grangeia, the new attack method, which has been named Cupid, exploits the same OpenSSL vulnerability as Heartbleed. The difference is that it does so over Wi-Fi authentication rather than over the Internet, and it targets Android devices.

(For more info, read our list of Android devices openly vulnerable to Heartbleed.)

“This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack, which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connections,” Grangeia said in a blog post.

“The difference in this scenario is that the TLS [Transport Layer Security] connection is being made over EAP [Extensible Authentication Protocol], which is an authentication framework/mechanism used in wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections … To exploit vulnerable clients, hostapd (with the cupid patch) can be used to set up an ‘evil’ network such that, when the vulnerable client tries to connect and requests a TLS connection, hostapd will send malicious heartbeat requests, triggering the vulnerability.”

There are two programs affected by Cupid:

  • hostapd is used for setting up a configurable access point on Linux. Grangeia said that it is possible to create almost any kind of wireless network configuration with it and let clients connect.
  • wpa_supplicant is used for connecting to wireless networks on Linux and Android.

There are two attack scenarios for Cupid. The first one involves an “evil client” that uses an altered wpa_supplicant application for Wi-Fi authentication: the attacker requests a connection to a vulnerable server and, once the connection is under way, sends it malicious heartbeat requests. The second scenario involves an altered hostapd application and targets a vulnerable client: the attacker sets up a network which, when the client connects, sends it malicious heartbeat requests.

According to Grangeia, devices running Android 4.1.0 and 4.1.1 are vulnerable. However, the risk is not limited to older software. Grangeia said that since all versions of Android use wpa_supplicant to connect to wireless networks, it is possible that all devices running the OS may be vulnerable.

Aside from mobile devices, Linux systems and corporate wireless connections are also vulnerable. Home routers, on the other hand, are deemed safe because they do not use EAP.

Grangeia’s findings have drawn dissent from other developers, primarily from FreeRADIUS, which claims to be the “world’s most popular RADIUS server.” In response to comments that the vulnerability exploited by Cupid had been known about from early on, he said: “The attack method, however, is new. Up until now there were no publicly available tools that would trigger the Heartbleed vulnerability via EAP.”

Pierluigi Paganini, who works for the European Union Agency for Network and Information Security, explained that an attacker would not need a valid password to exploit the flaw. A username is enough to exploit the vulnerability. A full TLS connection (which allows clients and servers to communicate across a network securely) is also not required since heartbeat requests can be sent and received before keys and certificates are exchanged.
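Because the heartbeat arrives in cleartext before any key exchange, an authenticator or wireless IDS can validate it on the wire. The Python below is an added example for this detection side (it is not code from Grangeia’s patches, hostapd or wpa_supplicant): it parses an EAP-TLS frame down to its TLS records and flags heartbeat records whose claimed payload length exceeds what the record actually carries, which is the condition both Cupid scenarios rely on; the sample frames and all function names are constructed for this example.

```python
"""Detect Heartbleed-style heartbeat records inside EAP-TLS frames (RFC 3748/5216/6520).
Constructed for this article; not code from Grangeia's cupid patches or from hostapd."""
import struct

EAP_TYPE_TLS = 13            # EAP method type for EAP-TLS
TLS_CONTENT_HEARTBEAT = 24   # TLS record content type 0x18
HEARTBEAT_MIN_PADDING = 16   # RFC 6520: padding MUST be at least 16 bytes


def tls_records_from_eap(frame: bytes):
    """Yield (content_type, version, body) for each TLS record in one EAP-TLS frame."""
    if len(frame) < 6:
        return
    _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", frame[:6])
    if eap_type != EAP_TYPE_TLS or length != len(frame):
        return                                  # not EAP-TLS, or truncated frame
    data = frame[6 + (4 if flags & 0x80 else 0):length]   # L bit: skip 4-byte length
    while len(data) >= 5:
        ctype, version, rec_len = struct.unpack("!BHH", data[:5])
        yield ctype, version, data[5:5 + rec_len]
        data = data[5 + rec_len:]


def heartbeat_alerts(frame: bytes) -> list:
    """Return one alert per heartbeat record whose claimed payload cannot fit the record."""
    alerts = []
    for ctype, _version, body in tls_records_from_eap(frame):
        if ctype != TLS_CONTENT_HEARTBEAT or len(body) < 3:
            continue
        hb_type, claimed = struct.unpack("!BH", body[:3])
        available = len(body) - 3 - HEARTBEAT_MIN_PADDING
        if claimed > available:                 # the Heartbleed over-read pattern
            alerts.append(f"heartbeat type {hb_type} claims {claimed} payload bytes "
                          f"but the record holds at most {max(available, 0)}")
    return alerts


# Constructed sample frames so the detector can be exercised offline.
def eap_tls_frame(tls: bytes, code: int = 1, ident: int = 7) -> bytes:
    body = struct.pack("!BI", 0x80, len(tls)) + tls        # flags (L bit) + TLS length
    return struct.pack("!BBHB", code, ident, 5 + len(body), EAP_TYPE_TLS) + body

def heartbeat_record(claimed_len: int, payload: bytes) -> bytes:
    body = struct.pack("!BH", 1, claimed_len) + payload + b"\x00" * HEARTBEAT_MIN_PADDING
    return struct.pack("!BHH", TLS_CONTENT_HEARTBEAT, 0x0301, len(body)) + body

BENIGN_FRAME = eap_tls_frame(heartbeat_record(4, b"ping"))         # claims 4, carries 4
MALFORMED_FRAME = eap_tls_frame(heartbeat_record(0x4000, b"ping"))  # claims 16384, carries 4
IDENTITY_FRAME = struct.pack("!BBHB", 1, 1, 5, 1)                   # EAP Identity, no TLS
```

Run against captured EAPOL traffic, a hit from `heartbeat_alerts` on a frame sent before the TLS handshake finishes is the Cupid pattern the article describes; a single oversized heartbeat from a freshly associating client or from the access point itself is worth alerting on.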

If you have a vulnerable device, we advise that you take steps to protect your information. Grangeia has created patches for the vulnerable hostapd and wpa_supplicant applications, which can be found on his GitHub page.

Christian Brazil Bautista
Christian Brazil Bautista is an experienced journalist who has been writing about technology and music for the past decade…