Heartbleed-like Cupid poses opportunity for wireless attack

Jun 03, 2014 by Nancy Owano weblog

The Cupid now being talked about in technology circles is hardly the sweet angel that aims a love arrow at innocents' hearts. This Cupid represents an attack vector threatening information security. Thanks to a Portuguese researcher, security watchers have been made more aware of yet another variation of the Heartbleed headache. This vulnerability, based on the same Heartbleed exploit, was discussed last month in detail by Luis Grangeia of information security company, Sysvalue. The researcher showed how the Cupid attack vector can do its mischief on wireless networks and connected devices.

According to Grangeia, a presentation that he gave at a local event focused on an "attack vector for the Heartbleed bug, specifically on networks using EAP TLS tunneled authentication methods." (EAP stands for Extensible Authentication Protocol and-TLS, for Transport Layer Security.) He said, "I wrote a patch for hostapd and wpa_supplicant to provide a proof of concept of the attack."

Michael Mimoso, editor, Threatpost, the Kaspersky Lab news service, explained that Grangeia built patches that modify the hostapd and wpa-supplicant, two programs acting as wireless access and authentication management points. Hostapd sets up a configurable access point; it's supported on Linux. Mimoso said that hackers could create a wireless network configuration of their choosing that would allow vulnerable clients to connect to it. Wpa_supplicant, supported on Linux and Android, is used to connect to wireless networks.

Dan Goodin, security editor at Ars Technica, noted that Cupid streamlines the process of exploiting devices connecting over wireless networks secured using the EAP, used by many large organizations to password-protect access.

Grangeia, meanwhile, talked about the process by which such an attack can occur. "This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connection. The difference in this scenario is that the TLS connection is being made over EAP, which is an authentication framework/mechanism used in wireless networks. It's also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections."

What software is affected? He noted, "I've done very limited testing on this. I have confirmed however that on Ubuntu, if you are using a vulnerable version of OpenSSL the default installations of wpa_supplicant, hostapd, and freeradius can be exploited. Android 4.1.0 and 4.1.1 use a vulnerable version OpenSSL. Also, all versions of Android use wpa_supplicant to connect to wireless networks, so I have to assume that these are probably vulnerable."

As for clients, he said that anyone with an Android device running 4.1.0 or 4.1.1 should avoid connecting to unknown wireless networks unless they upgrade their ROM. People using a Linux-system device to connect to should make sure to upgrade their OpenSSL libraries, and, he added, "if you followed Heartbleed mitigation recommendations you should be fine."

Another reassuring comment is that those with home routers are probably safe from this attack vector, as most home routers use a single key for wireless security, not EAP authentication mechanisms. However, he said that "If you have a corporate wireless solution on your company you should look at this problem, since most of the managed wireless solutions use EAP based authentication mechanisms. And some companies use OpenSSL. You should look at having your equipment tested or contacting your vendor and ask for more information. You should also look at this issue if you have any type of EAP mechanism on your corporate network. Note that 802.1x Network Access Controlled wired networks might also suffer from this problem."

More broadly, wrote Russell Brandom in The Verge, "it's a reminder that the security world is still working through the various effects of Heartbleed. Even after the central servers have been patched, researchers can discover more obscure attacks that go after less obvious targets."

Explore further: WPA2 wireless security cracked

More information: www.sysvalue.com/en/heartbleed-cupid-wireless/

add to favorites email to friend print save as pdf

Related Stories

WPA2 wireless security cracked

Mar 20, 2014

There are various ways to protect a wireless network. Some are generally considered to be more secure than others. Some, such as WEP (Wired Equivalent Privacy), were broken several years ago and are not recommended ...

Heartbleed bug find triggers OpenSSL security advisory

Apr 08, 2014

A flaw called Heartbleed in OpenSSL, which is a software library used for the protection and security of millions of websites, was uncovered by Neel Mehta of Google Security, who first reported it to the ...

What you need to know about the Heartbleed bug

Apr 09, 2014

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.

Heartbleed could harm a variety of systems

Apr 11, 2014

It now appears that the "Heartbleed" security problem affects not just websites, but also the networking equipment that connects homes and businesses to the Internet.

Recommended for you

Share button may share your browsing history, too

Jul 22, 2014

One in 18 of the world's top 100,000 websites track users without their consent using a previously undetected cookie-like tracking mechanism embedded in 'share' buttons. A new study by researchers at KU Leuven ...

Tokyo police make arrest in massive data leak case

Jul 17, 2014

Tokyo police said Thursday they had arrested an engineer for allegedly stealing massive amounts of personal data from an educational services firm, a leak that may ultimately affect more than 20 million people.

User comments : 0