Beware of ‘Cupid,’ the new Heartbleed attack method that affects Android devices

Photo via Luis Grangeia's Slideshare page

If you think the Heartbleed Bug threat is over, think again. Less than two months since the security flaw was first exposed, exploiting it just got a lot easier.

According to Portuguese security researcher Luis Grangeia, the new attack method, which has been named Cupid, exploits a vulnerability in OpenSSL the same way as Heartbleed. The only difference is that it works over Wi-Fi instead of the Internet and targets Android devices.

(For more info, read our list of Android devices openly vulnerable to Heartbleed.)

“This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack, which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connections,” Grangeia said in a blog post.

“The difference in this scenario is that the TLS [Transport Layer Security] connection is being made over EAP [Extensible Authentication Protocol], which is an authentication framework/mechanism used in Wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections … To exploit vulnerable clients, hostapd (with the cupid patch) can be used to setup an “evil” network such that, when the vulnerable client tries to connect and requests a TLS connection, hostapd will send malicious heartbeat requests, triggering the vulnerability.”

There are two programs affected by Cupid:

  • Hostapd is used for setting up a configurable access point on Linux. Grangeia said that it is possible to create almost any kind of wireless network configuration and let clients connect to it.
  • The other program, wpa_supplicant, is used for connecting to wireless networks on Linux and Android.

There are two attack scenarios for Cupid. The first one involves an “evil client” that uses an altered wpa_supplicant application for authenticating Wi-Fi communications. An attacker can request a connection to a vulnerable server. Once a connection is made, hackers can send heartbeat requests. The second attack scenario involves using an altered hostapd application to access a vulnerable client. This allows attackers to set up a network for sending malicious heartbeat requests.

According to Grangeia, devices running on Android 4.1.0 and 4.1.1 are vulnerable. However, the risk is not limited to older software. Grangeia said that since all versions of Android use wpa_supplicant to connect to wireless networks, it is possible that all devices running on the OS may be vulnerable.

Aside from mobile devices, Linux systems and corporate wireless connections are also vulnerable. Home routers, on the other hand, are deemed safe because they do not use EAP.

Grangeia’s findings have inspired dissent from other developers, primarily from FreeRadius, which claims to be the “world’s most popular Radius server.” In response to comments that the Cupid vulnerability has been known early on, he said: “The attack method, however, is new. Up until now there were no publicly available tools that would trigger the Heartbleed vulnerability via EAP.”

Pierluigi Paganini, who works for the European Union Agency for Network and Information Security, explained that an attacker would not need a valid password to exploit the flaw. A username is enough to exploit the vulnerability. A full TLS connection (which allows clients and servers to communicate across a network securely) is also not required since heartbeat requests can be sent and received before keys and certificates are exchanged.
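A defender-side check for the pattern described above, added here as an example (it is not code from Grangeia's patches or from this article): it walks one direction of a TLS record stream and flags heartbeat records that arrive before ChangeCipherSpec, plus any whose declared payload length does not fit in the record. It assumes the TLS data has already been reassembled from the EAP-TLS fragments; record layouts follow RFC 5246 and RFC 6520, and all sample bytes are constructed.

```python
import struct

CT_CHANGE_CIPHER_SPEC, CT_HANDSHAKE, CT_HEARTBEAT = 20, 22, 24  # 24: RFC 6520
HB_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding after the payload


def iter_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:  # truncated capture: stop instead of guessing
            return
        yield ctype, frag
        off += 5 + length


def audit_heartbeats(stream: bytes):
    """Return (record_index, finding) pairs for one direction of a TLS stream."""
    findings, encrypted = [], False
    for idx, (ctype, frag) in enumerate(iter_records(stream)):
        if ctype == CT_CHANGE_CIPHER_SPEC:
            encrypted = True  # later records are ciphertext; do not parse them
        if ctype != CT_HEARTBEAT or encrypted:
            continue
        findings.append((idx, "heartbeat-before-handshake-complete"))
        if len(frag) < 3:
            findings.append((idx, "heartbeat-too-short"))
            continue
        hb_type, claimed = struct.unpack_from("!BH", frag, 0)
        # The bounds check: type(1) + length(2) + payload + padding must fit.
        if hb_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(frag):
            findings.append((idx, "heartbeat-length-exceeds-record"))
    return findings


def record(ctype: int, frag: bytes) -> bytes:
    """Build a TLS record (constructed test data; version bytes are TLS 1.1)."""
    return struct.pack("!BHH", ctype, 0x0302, len(frag)) + frag


# Constructed samples, not captured traffic.
HELLO = record(CT_HANDSHAKE, b"\x01\x00\x00\x00")
WELL_FORMED = HELLO + record(CT_HEARTBEAT, b"\x01\x00\x04ping" + bytes(16))
OVERCLAIMED = HELLO + record(CT_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
AFTER_CCS = HELLO + record(CT_CHANGE_CIPHER_SPEC, b"\x01") + record(CT_HEARTBEAT, bytes(40))
```

Any plaintext heartbeat before the handshake finishes is worth an alert on its own, since RFC 6520 says heartbeats should not be sent during handshakes; the length finding marks the malformed kind.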

If you have a vulnerable device, we advise that you take steps to protect your information. Grangeia has created patches for vulnerable hostapd and wpa_supplicant applications, which can be found on his GitHub page.

