Heartbleed-like Cupid poses opportunity for wireless attack

June 3, 2014 by Nancy Owano weblog

The Cupid now being talked about in technology circles is hardly the sweet angel that aims a love arrow at innocents' hearts. This Cupid represents an attack vector threatening information security. Thanks to a Portuguese researcher, security watchers have been made more aware of yet another variation of the Heartbleed headache. This vulnerability, based on the same Heartbleed exploit, was discussed last month in detail by Luis Grangeia of information security company, Sysvalue. The researcher showed how the Cupid attack vector can do its mischief on wireless networks and connected devices.

According to Grangeia, a presentation that he gave at a local event focused on an "attack vector for the Heartbleed bug, specifically on networks using EAP TLS tunneled authentication methods." (EAP stands for Extensible Authentication Protocol and TLS for Transport Layer Security.) He said, "I wrote a patch for hostapd and wpa_supplicant to provide a proof of concept of the attack."

Michael Mimoso, editor of Threatpost, the Kaspersky Lab news service, explained that Grangeia built patches that modify hostapd and wpa_supplicant, two programs acting as wireless access and authentication management points. Hostapd sets up a configurable access point; it is supported on Linux. Mimoso said that attackers could create a wireless network configuration of their choosing that would allow vulnerable clients to connect to it. Wpa_supplicant, supported on Linux and Android, is used to connect to wireless networks.

Dan Goodin, security editor at Ars Technica, noted that Cupid streamlines the process of exploiting devices connecting over wireless networks secured using the EAP, used by many large organizations to password-protect access.

Grangeia, meanwhile, talked about the process by which such an attack can occur. "This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connection. The difference in this scenario is that the TLS connection is being made over EAP, which is an authentication framework/mechanism used in wireless networks. It's also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections."
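The malformed heartbeat Grangeia refers to is one whose claimed payload length exceeds what the TLS record actually carries; the OpenSSL fix rejects such records before echoing anything. The validator below is an added example, not code from the article or from Sysvalue's proof of concept: it applies that length check to raw TLS records (the EAP framing Cupid tunnels through is assumed already stripped) and builds constructed sample records to exercise it.

```python
# Added example: a TLS heartbeat record validator mirroring the length
# check introduced in the patched OpenSSL, usable in a test harness or an
# inspection rule. Sample records below are constructed for illustration.
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat
HB_REQUEST = 1              # heartbeat message type: request
HB_PADDING = 16             # minimum padding required by RFC 6520


def parse_tls_record(data: bytes):
    """Split a raw TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field does not match bytes present")
    return ctype, ver, body


def heartbeat_is_safe(record: bytes) -> bool:
    """Return False for a heartbeat whose claimed payload length does not
    fit inside the record body (the Heartbleed condition)."""
    ctype, _ver, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return True                       # not a heartbeat; nothing to check
    if len(body) < 3:
        return False                      # too short to hold type + length
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Same arithmetic as the patched OpenSSL check: type (1) + length (2)
    # + payload + padding (16) must not exceed the record body length.
    return 1 + 2 + payload_len + HB_PADDING <= len(body)


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Construct a TLS 1.1 heartbeat request record for testing the
    validator; claimed_len is written verbatim so a mismatch can be tested."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    body += b"\x00" * HB_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: a consistent heartbeat and one with a lying length.
HONEST = build_heartbeat(b"hello", len(b"hello"))
MALFORMED = build_heartbeat(b"hello", 0x4000)
```

Only a record whose length fields agree passes; a record that is too short to hold the heartbeat header is rejected as well.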

What software is affected? He noted, "I've done very limited testing on this. I have confirmed however that on Ubuntu, if you are using a vulnerable version of OpenSSL the default installations of wpa_supplicant, hostapd, and freeradius can be exploited. Android 4.1.0 and 4.1.1 use a vulnerable version of OpenSSL. Also, all versions of Android use wpa_supplicant to connect to wireless networks, so I have to assume that these are probably vulnerable."

As for clients, he said that anyone with an Android device running 4.1.0 or 4.1.1 should avoid connecting to unknown wireless networks unless they upgrade their ROM. People connecting from a Linux device should make sure to upgrade their OpenSSL libraries, and, he added, "if you followed Heartbleed mitigation recommendations you should be fine."

Another reassuring comment is that those with home routers are probably safe from this attack vector, as most home routers use a single key for wireless security, not EAP authentication mechanisms. However, he said that "If you have a corporate wireless solution in your company you should look at this problem, since most of the managed wireless solutions use EAP based authentication mechanisms. And some companies use OpenSSL. You should look at having your equipment tested or contacting your vendor and ask for more information. You should also look at this issue if you have any type of EAP mechanism on your corporate network. Note that 802.1x Network Access Controlled wired networks might also suffer from this problem."

More broadly, wrote Russell Brandom in The Verge, "it's a reminder that the security world is still working through the various effects of Heartbleed. Even after the central servers have been patched, researchers can discover more obscure attacks that go after less obvious targets."


More information: www.sysvalue.com/en/heartbleed-cupid-wireless/
