New Heartbleed malware attack hits Android devices over Wi-Fi
The Heartbleed bug can be used against Android devices running v4.1.1 via Wi-Fi routers.
A report from Portuguese security researcher Luis Grangeia says that the Heartbleed bug can be used over Wi-Fi to enable new kinds of attacks.
The new line of attack has been dubbed Cupid and performs the Heartbleed procedure over Wi-Fi instead of the web, either by pulling data from enterprise routers or using a malicious router to pull data from Android devices as they connect. The attacker is able to view snippets of the working memory from the targeted device, exposing user credentials, client certificates, or private keys. Grangeia has also published a proof of concept for the bug and has urged vendors and administrators to upgrade their devices.
Grangeia says the most vulnerable targets are EAP-based routers, which require both an individual login and a password and are commonly found in wireless LANs. An attacker could use Heartbleed to pull a private key from the router or authentication server, evading any security measures. He added that the attack could only target devices using Wi-Fi, limiting the potential threats. On the client side, the attack affects Android devices running Android Jelly Bean v4.1.1.
“This particular variant of the attack might be slower to close,” Grangeia says, “but it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower.”
Services that rely on OpenSSL for TLS are vulnerable to the Cupid attack. “The web and email are the biggest users of [TLS], but by no means the only ones,” says Columbia professor Steve Bellovin. “Any unpatched implementations are at risk from Heartbleed.” He added that most modern systems have updated to a Heartbleed-proof version of OpenSSL but there are still some access points that remain unpatched.
Errata Security founder Robert David Graham told The Verge that only half of the damage caused by the bug has been cleaned up, suggesting Cupid may be the least of the community's troubles. “We’ll be seeing important Heartbleed hacks for years,” he added.
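For defenders, the malformed heartbeat that Heartbleed depends on looks the same whether it arrives over the web or inside an EAP-TLS exchange as in Cupid, so it can be flagged in captured traffic. The following is an added example, not code from Grangeia's proof of concept or from the article; it assumes the TLS records have already been reassembled from the capture (for Cupid, from the EAP-TLS frames) and are still unencrypted, and the function names and sample bytes are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1       # heartbeat_request message type
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def iter_tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5: offset + 5 + length]
        if len(body) < length:   # truncated capture: stop instead of guessing
            return
        yield ctype, body
        offset += 5 + length


def suspicious_heartbeats(stream):
    """Return (record_index, reason) for heartbeat requests whose claimed
    payload length cannot fit in the record that carries them."""
    findings = []
    for index, (ctype, body) in enumerate(iter_tls_records(stream)):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(body) < 3:
            findings.append((index, "heartbeat shorter than its 3-byte header"))
            continue
        hb_type, claimed = struct.unpack_from("!BH", body, 0)
        # type (1) + length (2) + payload + padding (>= 16) must fit in the record
        if hb_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(body):
            findings.append(
                (index, f"claims {claimed} payload bytes in a {len(body)}-byte record"))
    return findings


def record(ctype, body, version=0x0302):
    """Build one constructed TLS record for the samples below."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample data (not taken from a real capture)
BENIGN = record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 16)
OVERSIZED_CLAIM = record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
SAMPLE_STREAM = record(22, b"\x01\x00\x00\x00") + BENIGN + OVERSIZED_CLAIM

if __name__ == "__main__":
    for index, reason in suspicious_heartbeats(SAMPLE_STREAM):
        print(f"record {index}: {reason}")
```

The same length comparison is what a patched TLS implementation applies before answering a heartbeat: a request that fails it is dropped without a response.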
Source: The Verge