Heartbleed vulnerabilities expand to Wi-Fi networks with Cupid

updated 08:07 pm EDT, Thu May 29, 2014

Devices connected to Cupid-compromised routers open to data collection

As if the original Heartbleed exploit wasn't enough, new ways for the bug to spread have been discovered in Android and Wi-Fi devices. Information from a security researcher has shown evidence of a new style of attack called Cupid, which preys on the same types of vulnerabilities that put a large percentage of Internet websites at risk.

According to an article from The Verge on Luis Grangeia's presentation, targets for Cupid aren't limited to web applications but extend to Wi-Fi networks and connected devices. The vulnerability extends to authentication over 802.1X wired protocols as well. The reach of the attack is not yet known, but Cupid looks to exploit enterprise-level routers through the Heartbleed bug.

The new "wpa_supplicant-cupid" attack targets EAP routers that use a TLS tunnel as part of the authentication process. The Heartbleed effect can take place at several points in the TLS handshake, including the time before the handshake completes, when the data is unencrypted. The connection then allows a malicious party to skim data from the memory of devices connected to the router. Routers can either be compromised through Cupid by attackers, or attackers could set up infected routers as fake Wi-Fi access points.
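The pre-encryption case mentioned above is the one a monitor can inspect directly. The following is an added example, not code from the article or from Grangeia's tool: it checks plaintext TLS heartbeat records against the RFC 6520 length rule. It assumes the TLS records have already been reassembled from the EAP-TLS fragments, and the function names and sample bytes are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_HEADER = 3           # 1-byte message type + 2-byte payload_length
HB_MIN_PADDING = 16     # minimum padding required by RFC 6520

def record(ctype, body, version=0x0302):
    """Build one TLS record (used only to construct the sample below)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def iter_tls_records(stream):
    """Yield (content_type, body) for each complete record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:   # truncated capture: stop rather than guess
            return
        yield ctype, body
        off += 5 + length

def check_heartbeat(body):
    """Classify one plaintext heartbeat message by its declared length."""
    if len(body) < HB_HEADER:
        return "malformed"
    _msg_type, declared = struct.unpack_from("!BH", body, 0)
    # The receiver must discard the message if header + declared payload +
    # minimum padding does not fit in the record that carried it.
    if HB_HEADER + declared + HB_MIN_PADDING > len(body):
        return "over-read"
    return "ok"

def scan(stream):
    """Return a verdict for every heartbeat record in a plaintext stream."""
    return [check_heartbeat(b) for t, b in iter_tls_records(stream)
            if t == TLS_HEARTBEAT]

# Constructed sample: a handshake record, a well-formed heartbeat, and a
# heartbeat declaring 16384 payload bytes while carrying none.
SAMPLE = (
    record(22, b"\x01\x00\x00\x00")
    + record(24, b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16))
    + record(24, b"\x01" + struct.pack("!H", 0x4000))
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Once the handshake has switched to encrypted records, the heartbeat body is no longer readable on the wire and this check does not apply.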

"This particular variant of the attack might be slower to close," Grangeia says. "But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower."

Damage may be more localized than the web-wide situation seen recently, since the attack works only within the range of Wi-Fi. However, multiple kinds of devices may be vulnerable if they use OpenSSL for steps of the EAP TLS process. This includes Android devices still running Jelly Bean 4.1.1, which is known to be vulnerable to Heartbleed.

Grangeia has created a patch for the Cupid exploit, but has yet to distribute it openly.

by MacNN Staff
