Printed from http://www.electronista.com

Heartbleed vulnerabilities expand to Wi-Fi networks with Cupid

updated 08:07 pm EDT, Thu May 29, 2014

Devices connected to Cupid-compromised routers open to data collection

As if the original Heartbleed exploit wasn't enough, new ways for the bug to spread have been discovered in Android and Wi-Fi devices. Information from a security researcher has shown evidence of a new style of attack called Cupid, which preys on the same types of vulnerabilities that put a large percentage of Internet websites at risk.

According to an article from The Verge on Luis Grangeia's presentation, targets for Cupid aren't limited to web applications, but extend to Wi-Fi networks and connected devices. The vulnerability extends to authentications over 802.1X wired protocols as well. The reach of the attack is not yet known, but Cupid looks to exploit enterprise-level routers through the Heartbleed bug.

The new "wpa_supplicant-cupid" attack targets EAP routers that use a TLS tunnel as part of the authentication process. The Heartbleed effect can take place at several points in the TLS handshake, including the time before the handshake occurs, when the data is unencrypted. The connection then allows a malicious party to skim data from the memory of devices connected to the router. Attackers can either compromise routers through Cupid or set up infected routers as fake Wi-Fi access points.

"This particular variant of the attack might be slower to close," Grangeia says. "But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower."

Damage may be more localized than the web-wide situation that was recently seen, since the attack works only within Wi-Fi range. However, multiple kinds of devices may be vulnerable if they use OpenSSL for steps of the EAP TLS process. This includes Android devices still running Jelly Bean 4.1.1, known to be vulnerable to Heartbleed.

Grangeia has created a patch for the Cupid exploit, but has yet to distribute it openly.



By Electronista Staff