Remember Heartbleed? Well, it's just not going away, as the vulnerability can now be exploited over Wi-Fi to get at your routers and mobile phones. This new form, called 'Cupid', does what Heartbleed did on the open web, but via Wi-Fi. Portuguese security researcher Luis Grangeia's report detailed the new iteration of the bug, which pulls data from enterprise routers or uses a compromised router to pull data from Android devices when they connect.
Heartbleed exposed working memory snippets from online servers, but Cupid looks at snippets from targeted devices, which could reveal sensitive information like user credentials, client certificates or private keys.
What devices are particularly vulnerable? Android devices on version 4.1.1 of Jelly Bean. The message here is to update your device as soon as possible.
It is unlikely this bug will proliferate as much as Heartbleed, but the most vulnerable targets appear to be EAP-based routers requiring both a login and a password, a setup often found in wireless LANs. Heartbleed could be used to pull a private key from routers or authentication servers, thus bypassing any security protocols.
Because the attacks can only target devices within Wi-Fi range, the pool of potential targets is narrowed to a very small range.
Millions of devices, though, are still running 4.1.1, which means many smartphones out there are vulnerable to Cupid. Since some phones are reliant on carriers or manufacturers to update them, this leaves potentially millions of phones vulnerable for years.
Though servers have been patched after Heartbleed, security experts are still looking at a broad range of potential targets, including services that rely on OpenSSL and TLS. There is also concern that some access points to servers have not yet been patched against Heartbleed.
So it looks like we have not seen the last of Heartbleed yet: besides Cupid, there is still potential for the bug to have other repercussions we have yet to uncover. In the meantime, maybe it's a good idea to be careful what Wi-Fi you connect to.
[Source: The Verge]