Heartbleed hasn’t been fixed yet, not by a long shot. The bug put the entire web world on high alert last month after researchers found that it exposes user data, private keys and client certificates to attackers. Some of the world’s most popular websites, email clients and applications rely on OpenSSL to keep data secure. In April, researchers found that an undetected flaw in OpenSSL code, called Heartbleed, has left encrypted data vulnerable to theft.
Cupid performs the same Heartbleed procedure over WiFi
A new report from Luis Grangeia, security service manager at IT security firm SysValue, claims that the bug is still causing problems. Grangeia found that the same flaw could be used over WiFi to carry out new kinds of attacks. Dubbed Cupid, the attack has the same Heartbleed procedure, but over WiFi rather than the web. The new line of attack lets attackers capture data transmitted between WiFi routers and Android devices. Yesterday, Grangeia published proof of the concept.
It’s unclear how many devices are vulnerable to the new line of attack. But the damage will be much less severe than the Heartbleed. According to The Verge, EAP-based routers that require user login and password are the most vulnerable targets. An attacker can use Heartbleed to steal your password from the router or authentication server, bypassing the security measures.
Heartbleed: even iOS and Mac OSX could be at risk
Grangeia said devices running on Android 4.1.1 Jelly Bean are also vulnerable to the bug. Millions of devices are still running on the 4.1.1 version. He warned that Mac OSX and iOS could also be at risk from Cupid, and urged administrators to test everything. The latest finding underlines that the security world is still working through the effects of Heartbleed.
To prevent a future Heartbleed-like attack, technology companies have come together to form the Core Infrastructure Initiative (CII). Each of the 12 companies has pledged to donate at least $100,000 per year to the OpenSSL Foundation. OpenSSL, which previously had just one developer, will now have two full-time developers and a security audit.