Heartbleed bug could target Android phones and wireless routers

Heartbleed has a new wireless-based attack vector, according to a security expert's findings

Android phones and wireless routers accessible via Wi-Fi might be at risk from attackers utilising a new form of the Heartbleed bug, it has been revealed.

The security world is still feeling the effects of Heartbleed seven weeks after its discovery led to websites scrambling to protect their data.

Security expert Luis Grangeia, a partner and security services manager at SysValue, has apparently found a vector through which the bug can attack wireless devices and Android phones.

Dubbed "Cupid", the new attack line would perform the same procedure as the original Heartbleed bug except over wireless connections instead of the open web.

It's unclear how many devices may be vulnerable but the spread will probably be more contained than the original, according to Grangeia. EAP-based routers are the most vulnerable to Cupid as they need both an individual login and password, which an attacker would be able to pull from the router or server.

"The attack occurs before login, specifically on the authentication stage, so no credentials are needed to perform it," said Grangeia.

Android devices that are still running the 4.1.1 version of Jelly Bean are also particularly vulnerable through their wireless connectivity. An attacker could open up a connection to the device via the infected network and lift as much information as they want from the victim's phone.

Millions of Android devices still use the 4.1.1 version of Jelly Bean, despite an update being released in the wake of the original Heartbleed discovery. Mac OS X and iOS might also be at risk from Cupid, added Grangeia, who urged administrators to "test everything".

Most modern systems will by now have upgraded to a Heartbleed-proof version of OpenSSL, but no matter how hard the security world tries, there will more than likely be more vulnerabilities in the future.
