
Beware of ‘Cupid,’ the new Heartbleed attack method that affects Android devices

Photo via Luis Grangeia's Slideshare page

If you think the Heartbleed Bug threat is over, think again. Less than two months since the security flaw was first exposed, exploiting it just got a lot easier.

According to Portuguese security researcher Luis Grangeia, the new attack method, which has been named Cupid, exploits a vulnerability in OpenSSL the same way as Heartbleed. The only difference is that it works over Wi-Fi instead of the Internet and targets Android devices.

(For more info, read our list of Android devices openly vulnerable to Heartbleed.)

“This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack, which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connections,” Grangeia said in a blog post.

“The difference in this scenario is that the TLS [Transport Layer Security] connection is being made over EAP [Extensible Authentication Protocol], which is an authentication framework/mechanism used in wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections … To exploit vulnerable clients, hostapd (with the cupid patch) can be used to set up an ‘evil’ network such that, when the vulnerable client tries to connect and requests a TLS connection, hostapd will send malicious heartbeat requests, triggering the vulnerability.”

There are two programs affected by Cupid:

  • Hostapd is used for setting up a configurable access point on Linux. Grangeia said that it is possible to create almost any kind of wireless network configuration and let clients connect to it.
  • The other program, wpa_supplicant, is used for connecting to wireless networks on Linux and Android.

There are two attack scenarios for Cupid. The first one involves an “evil client” that uses an altered wpa_supplicant application for authenticating Wi-Fi communications. An attacker can request a connection to a vulnerable server. Once a connection is made, hackers can send heartbeat requests. The second attack scenario involves using an altered hostapd application to access a vulnerable client. This allows attackers to set up a network for sending malicious heartbeat requests.

According to Grangeia, devices running on Android 4.1.0 and 4.1.1 are vulnerable. However, the risk is not limited to older software. Grangeia said that since all versions of Android use wpa_supplicant to connect to wireless networks, it is possible that all devices running on the OS may be vulnerable.

Aside from mobile devices, Linux systems and corporate wireless connections are also vulnerable. Home routers, on the other hand, are deemed safe because they do not use EAP.

Grangeia’s findings have inspired dissent from other developers, primarily from FreeRadius, which claims to be the “world’s most popular Radius server.” In response to comments that the Cupid vulnerability has been known early on, he said: “The attack method, however, is new. Up until now there were no publicly available tools that would trigger the Heartbleed vulnerability via EAP.”

Pierluigi Paganini, who works for the European Union Agency for Network and Information Security, explained that an attacker would not need a valid password to exploit the flaw. A username is enough to exploit the vulnerability. A full TLS connection (which allows clients and servers to communicate across a network securely) is also not required since heartbeat requests can be sent and received before keys and certificates are exchanged.
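For defenders, the point that heartbeats can arrive before the handshake finishes gives a simple check to run on 802.1X/RADIUS traffic. The sketch below is an added example, not code from Grangeia or this article: it walks the TLS records carried in EAP-TLS, EAP-TTLS or PEAP packets and flags cleartext heartbeat records, in particular those whose declared payload length does not fit in the record. It assumes each EAP packet holds whole TLS records (no fragment reassembly); the function names and the sample conversation are constructed for illustration.

```python
import struct

TLS_BASED_EAP = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
CHANGE_CIPHER_SPEC, HEARTBEAT = 20, 24          # TLS record content types

def tls_records(pkt: bytes):
    """Yield (eap_code, content_type, fragment) for each TLS record in one EAP packet."""
    if len(pkt) < 6:
        return
    code, _id, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if code not in (1, 2) or eap_type not in TLS_BASED_EAP:
        return                                  # not a request/response carrying TLS
    data = pkt[6:length]
    if flags & 0x80:                            # L flag: 4-byte TLS message length first
        data = data[4:]
    while len(data) >= 5:
        ctype, _version, rlen = struct.unpack("!BHH", data[:5])
        yield code, ctype, data[5:5 + rlen]
        data = data[5 + rlen:]

def inspect_eap(eap_packets):
    """Return (packet_index, finding) tuples for cleartext heartbeat records."""
    findings, encrypted = [], set()             # EAP codes that already sent ChangeCipherSpec
    for i, pkt in enumerate(eap_packets):
        for code, ctype, frag in tls_records(pkt):
            if ctype == CHANGE_CIPHER_SPEC:
                encrypted.add(code)             # later records are opaque, skip them
            elif ctype == HEARTBEAT and code not in encrypted:
                findings.append((i, "heartbeat during handshake"))
                # HeartbeatMessage: type(1) payload_length(2) payload padding(>=16)
                if len(frag) < 3 or 3 + struct.unpack("!H", frag[1:3])[0] + 16 > len(frag):
                    findings.append((i, "payload_length exceeds record"))
    return findings

def eap(code, ident, tls=b"", flags=0):         # builder for the constructed samples
    return struct.pack("!BBHBB", code, ident, 6 + len(tls), 13, flags) + tls

def record(ctype, frag):
    return struct.pack("!BHH", ctype, 0x0302, len(frag)) + frag

SAMPLE = [                                      # constructed conversation, not a capture
    eap(1, 1, flags=0x20),                                  # EAP-TLS Start, no TLS data
    eap(2, 1, record(22, b"\x01\x00\x00\x00")),             # stub handshake record
    eap(1, 2, record(HEARTBEAT, b"\x01\x00\x04ping" + bytes(16))),  # well-formed
    eap(1, 3, record(HEARTBEAT, b"\x01\x40\x00")),          # declares 16384 bytes, carries 0
]

if __name__ == "__main__":
    for idx, why in inspect_eap(SAMPLE):
        print(f"packet {idx}: {why}")
```

Even a well-formed heartbeat is flagged when it arrives mid-handshake, because RFC 6520 says heartbeat requests should not be sent during handshakes; the length mismatch is the stronger signal.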

If you have a vulnerable device, we advise that you take steps to protect your information. Grangeia has created patches for vulnerable hostapd and wpa_supplicant applications, which can be found on his GitHub page.


Christian Brazil Bautista
Christian Brazil Bautista is an experienced journalist who has been writing about technology and music for the past decade…