Heartbleed turns Cupid to launch Wi-Fi based attack against Android devices

Android devices are the latest to become vulnerable to a Heartbleed-based attack that uses Wi-Fi routers to pilfer various pieces of data.

The new vulnerability, which has been dubbed Cupid, uses the same Heartbleed technique as the original attack; however, it is carried out over a Wi-Fi network as opposed to the open web.

Portuguese security researcher Luis Grangeia described this form of Heartbleed in a presentation, which was first reported by The Verge, and explained that the main plan of action involves using enterprise routers or malicious routers to pilfer data.

Both instances allow the attacker to view minute pieces of the chosen device’s working memory, which opens up a plethora of information, including user credentials, client certificates, or private keys.

EAP-based routers that require an individual login and password, which are usually found in wireless LANs, are the most vulnerable targets. Attackers are able to exploit this by stealing a private key from the router or authentication server and bypassing any security measures in place.

Android devices running the 4.1.1 variant of Jelly Bean are particularly vulnerable to the bug, which will be bad news for the millions of devices that are still running the version, including a number of HTC One variations. To attack Android devices, a hacker offers an open Wi-Fi signal to a handset and uses a Heartbleed attack to pull data from any devices that are connected. Anyone who hasn’t upgraded from 4.1.1 is urged to do so immediately.

It must be said that Cupid is nowhere near as widespread as the original variant, because a much smaller number of devices is vulnerable to attack: they must be within Wi-Fi range in order to be within the scope of the attacker.

"This particular variant of the attack might be slower to close," Grangeia says, "But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower."

Heartbleed, which was first laid bare back in April, has affected all corners of the Internet, and many security researchers are still warning that the threat is far from over. Errata Security founder Robert David Graham went as far as to tell The Verge that only half of the mess left by Heartbleed has so far been cleaned up and added “we’ll be seeing important Heartbleed hacks for years.”