updated 08:07 pm EDT, Thu May 29, 2014
Devices connected to Cupid-compromised routers open to data collection
As if the original Heartbleed exploit wasn't enough, new ways for the bug to spread have been discovered in Android and Wi-Fi devices. A security researcher has presented evidence of a new style of attack called Cupid, which preys on the same types of vulnerabilities that put a large percentage of Internet websites at risk.
According to an article from The Verge on Luis Grangeia's presentation, targets for Cupid aren't limited to web applications, but extend to Wi-Fi networks and connected devices. The vulnerability extends to authentications over 802.1X wired protocols as well. The reach of the attack is not yet known, but Cupid looks to exploit enterprise-level routers through the Heartbleed bug.
The new "wpa_supplicant-cupid" attack targets EAP routers that use a TLS tunnel as part of the authentication process. The Heartbleed effect can occur at several points around the TLS handshake, including before the handshake takes place, when the data is still unencrypted. The connection then allows a malicious party to skim data from the memory of devices connected to the router. Attackers can either compromise routers through Cupid, or set up infected routers as fake Wi-Fi access points.
"This particular variant of the attack might be slower to close," Grangeia says. "But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower."
Damage may be more localized than the web-wide situation that was recently seen, since the attack works within the range of Wi-Fi. However, multiple kinds of devices may be vulnerable if they use OpenSSL for steps of the EAP TLS process. This includes Android devices still running Jelly Bean 4.1.1, which is known to be vulnerable to Heartbleed.
Grangeia has created a patch for the Cupid exploit, but has yet to distribute it openly.