Printed from http://www.electronista.com

Heartbleed vulnerabilities expand to Wi-Fi networks with Cupid

updated 08:07 pm EDT, Thu May 29, 2014

Devices connected to Cupid-compromised routers open to data collection

As if the original Heartbleed exploit wasn't enough, new ways for the bug to spread have been discovered in Android and Wi-Fi devices. Information from a security researcher has shown evidence of a new style of attack called Cupid, which preys on the same types of vulnerabilities that put a large percentage of Internet websites at risk.

According to an article from The Verge on Luis Grangeia's presentation, targets for Cupid aren't limited to web applications, but extend to Wi-Fi networks and connected devices. The vulnerability extends to authentications over 802.1X wired protocols as well. The reach of the attack is not yet known, but Cupid looks to exploit enterprise-level routers through the Heartbleed bug.

The new "wpa_supplicant-cupid" attack targets EAP routers that use a TLS tunnel as part of the authentication process. The Heartbleed effect can take place at several points in the TLS handshake, including before it occurs, when the data is unencrypted. The connection then allows a malicious party to skim data from the memory of devices connected to the router. Attackers can either compromise routers through Cupid or set up infected routers as fake Wi-Fi access points.

"This particular variant of the attack might be slower to close," says Grangeia. "But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower."

Damage may be more localized than the web-wide situation seen recently, since the attack works within the range of Wi-Fi. However, multiple kinds of devices may be vulnerable if they use OpenSSL for steps of the EAP TLS process. This includes Android devices still running Jelly Bean 4.1.1, which is known to be vulnerable to Heartbleed.

Grangeia has created a patch for the Cupid exploit, but has yet to distribute it openly.



By Electronista Staff