Skip to main content

Beware of ‘Cupid,’ the new Heartbleed attack method that affects Android devices

If you think the Heartbleed Bug threat is over, think again. Less than two months since the security flaw was first exposed, exploiting it just got a lot easier.

According to Portuguese security researcher Luis Grangeia, the new attack method, which has been named Cupid, exploits a vulnerability in OpenSSL the same way as Heartbleed. The only difference is, it would perform its function over Wi-Fi instead of the Internet and targets Android devices.

Recommended Videos

(For more info, read our list of Android devices openly vulnerable to Heartbleed.)

“This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack, which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connections,” Grangeia said in a blog post.

“The difference in this scenario is that the TLS [Transport Layer Security] connection is being made over EAP [Extensible Authentication Protocol], which is an authentication framework/ mechanism used in Wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections … To exploit vulnerable clients, hostapd (with the cupid path) can be used to setup an “evil” network such that, when the vulnerable client tries to connect and requests a TLS connection, hosted will send malicious heartbeat requests, triggering the vulnerability.”

There are two programs affected by Cupid:

  • Hostapd is used for setting up a configurable access point on Linux.
  • Grangeia said that it is possible to create almost any kind of wireless network configuration and let clients connect to it. The other program, wpa_supplicant, is used for connecting to wireless networks on Linux and Android.

There are two attack scenarios for Cupid. The first one involves an “evil client” that uses an altered wpa_supplicant application for authenticating Wi-Fi communications. An attacker can request a connection to vulnerable server. Once a connection is made, hackers can send heartbeat requests. The second attack scenario involves using an altered hostapd application to access a vulnerable client. This allows attackers to set up a network for sending malicious heartbeat requests.

 According to Grangeia, devices running on Android 4.1.0 and and 4.1.1 are vulnerable. However, the risk is not limited to older software. Grangeia said that since all versions of Android use wpa_supplicant to connect to wireless networks, it is possible that all devices running on the OS may be vulnerable.

Aside from mobile devices, Linux systems and corporate wireless connections are also vulnerable. Home routers, on the other hand, are deemed safe because they do not use EAP.

Grangeia’s findings have inspired dissent from other developers, primarily from FreeRadius, which claims to be the “world’s most popular Radius server.” In response to comments that the Cupid vulnerability has been known early on, he said: “The attack method, however, is new. Up until now there were no publicly available tools that would trigger the Heartbleed vulnerability via EAP.”

Pierluigi Paganini, who works for the European Union Agency for Network and Information Security, explained that an attacker would not need a valid password to exploit the flaw. A username is enough to exploit the vulnerability. A full TLS connection (which allows clients and servers to communicate across a network securely) is also not required since heartbeat requests can be sent and received before keys and certificates are exchanged.

If you have a vulnerable device, we advise that you take steps to protect your information. Grangeia has created patches for vulnerable hostapd and wpa_supplicant applications, which can be found on his Github page.

Christian Brazil Bautista
Former Digital Trends Contributor
Christian Brazil Bautista is an experienced journalist who has been writing about technology and music for the past decade…
How to use Android 16’s new Notification Cooldown setting
Someone holding a phone showing the Android 16 logo on its screen.

Managing notifications is no easy task, especially when one tries to maintain the delicate balance between a no-interruption work mindset and the fear of missing out on important alerts. This not only applies to personal communication, but workplace interactions as well. A barrage of notifications can be overwhelming, especially if there are active group chats or users are working across multiple professional circles.

Read more
Android 16 adds a new way to use the Google Pixel 9’s fingerprint sensor
Pixel 9 Pro in Rose Quartz.

Biometric security — the ability to unlock your phone with your fingerprint or face — is an amazing feature, but you often have to turn on the phone's screen before you can use it. That's because many fingerprint sensors are optical and need light in order to work. Fortunately, Android 16 will make it so that you can open your Pixel 9 without turning your phone screen on at all (while also avoiding the groan that comes from searing your eyes.)

The feature was noted in the Android 16 Developer Preview 2, or DP2, by 9to5Google. The findings imply that this only applies to the Google Pixel 9 series because while it does appear in the Settings search on the Pixel 8 Pro, there's no option to enable it. This is likely due to the Pixel 9's ultrasonic fingerprint scanner; the improved hardware doesn't require light to use it.

Read more
Nothing’s Android 15 update is now rolling out with these new features
Lock Screen of Nothing OS 3.

After weeks of beta testing, Nothing is the latest name to join the stable Android 15 rollout bandwagon. In a community update today, the company announced the wide release of Nothing OS 3.0 based on Android 15 for its relatively slim smartphone portfolio.

The first devices to get the update are the Nothing Phone 2 and Nothing Phone 2a, both of which are slated to get the over-the-air (OTA) update in a phased format throughout December. Next in line are the Nothing Phone 1, Nothing Phone 2a Plus, and CMF Phone 1, which are scheduled to receive the OS upgrade early next year.

Read more