Heartbleed bug could target Android phones and wireless routers
Heartbleed has a new wireless-based attack vector, according to security expert's findings
Android phones and wireless routers accessible via Wi-Fi might be at risk from attackers utilising a new form of the Heartbleed bug, it has been revealed.
The security world is still feeling the effects of Heartbleed seven weeks after its discovery lead to websites scrambling to protect their data.
Security expert Luis Grangeia, a partner and security services manager at SysValue, has apparently found a vector through which the bug can attack wireless devices and Android phones.
Dubbed "Cupid", the new attack line would perform the same procedure as the original Heartbleed bug except over wireless connections instead of the open web.
It's unclear how many devices may be vulnerable but the spread will probably be more contained than the original, according to Grangeia. EAP-based routers are the most vulnerable to Cupid as they need both an individual login and password, which an attacker would be able to pull from the router or server.
"The attack occurs before login, specifically on the authentication stage, so no credentials are needed to perform it," said Grangeia.
Android devices that are still running the 4.1.1 version of Jelly Bean are also particularly vulnerable through their wireless connectivity. An attacker could open up a connection to the device via the infected network and lift as much information as they want from the victim's phone.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Millions of Android devices still use the 4.1.1 version of Jelly Bean, despite an update being released in the wake of the original Heartbleed discovery. Mac OSX and iOS might also be at risk to Cupid, added Grangeia, who urged administrators to "test everything".
Most modern systems will have by now upgraded to a Heartbleed-proof version of OpenSSL by now, but no matter how thoroughly the security world tries, there will more than likely be more vulnerabilities in the future.