Seven weeks after the bug put the web on high alert, Heartbleed is still causing problems. A new report from Portuguese security researcher Luis Grangeia describes how the same bug could be used over Wi-Fi to enable new kinds of attacks that build on the same vulnerability.
The damage will be much more contained than Heartbleed
Dubbed Cupid, the new line of attack would perform the same Heartbleed procedure over Wi-Fi instead of the open web, either pulling data from enterprise routers or using a malicious router to pull data from Android devices as they connect. In each case, the attacker would be able to view snippets of the working memory from the targeted device, potentially exposing user credentials, client certificates, or private keys. Grangeia published a proof of concept for the bug earlier today, and is urging vendors and administrators to upgrade their devices.
Any Android devices running the 4.1.1 version of Jelly Bean are vulnerable
It's still unclear how many devices are vulnerable, but the damage is likely to be much more contained than Heartbleed. The most vulnerable targets are EAP-based routers that authenticate each user with an individual login and password — the enterprise-style setup often found in corporate wireless LANs. In those cases, an attacker could use Heartbleed to pull a private key from the router or authentication server, effectively bypassing any security measures. Grangeia says he hasn't done enough testing to estimate how many of those routers are running vulnerable configurations. More importantly, the attack could only target devices within Wi-Fi range, seriously limiting the potential targets. "This particular variant of the attack might be slower to close," Grangeia says, "But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower."
Another concern is Android devices still running the 4.1.1 version of Jelly Bean, which are known to be vulnerable to the bug. In a router-based attack, the attacker would offer an open Wi-Fi signal and then perform the Heartbleed attack to pull data from any connected devices. It's a new line of attack, leaving many Android devices newly vulnerable. As of last month, millions of devices were still running 4.1.1, including several variations of the HTC One. Many were updated in the wake of the attack, but others may still be vulnerable.
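Whichever direction the attack runs (client probing an access point, or a rogue access point probing a phone), the trigger is the same malformed TLS heartbeat record that Heartbleed relies on, carried inside the EAP-TLS or PEAP exchange instead of over an ordinary TCP connection. The following is an added example, not code from Grangeia's proof of concept or from any vendor: a record-level check of the kind a wireless IDS or a patched TLS stack applies, rejecting any heartbeat whose declared payload length does not fit inside the record it arrived in. The sample records, field names and return strings are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24        # TLS ContentType for heartbeat records (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record as seen on the wire (or inside an EAP-TLS frame).

    Returns "ok", "not-heartbeat", or a short reason why the heartbeat is
    malformed. The decisive test is the bounds check the unpatched code
    lacked: type byte + 2 length bytes + declared payload + minimum padding
    must fit inside the record, otherwise the responder would echo back
    memory it never received.
    """
    if len(record) < 5:
        return "truncated-record-header"
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + length]
    if len(body) != length:
        return "record-length-mismatch"
    if len(body) < 3:
        return "truncated-heartbeat"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "unknown-heartbeat-type"
    if 1 + 2 + payload_len + MIN_PADDING > length:
        return "payload-length-exceeds-record"
    return "ok"


# Constructed samples. Both carry a 4-byte payload ("ping") plus 16 bytes of
# padding, so the record body is 23 bytes; only the declared length differs.
BENIGN_HEARTBEAT = (b"\x18\x03\x02\x00\x17"          # type 24, TLS 1.1, length 23
                    + b"\x01\x00\x04" + b"ping" + b"\x00" * 16)
OVERSIZED_HEARTBEAT = (b"\x18\x03\x02\x00\x17"       # same framing ...
                       + b"\x01\x40\x00" + b"ping" + b"\x00" * 16)  # ... but claims 16384 bytes


def flagged_records(records) -> list:
    """Return the verdicts for every record that is a heartbeat but not well-formed."""
    return [v for v in map(check_heartbeat_record, records)
            if v not in ("ok", "not-heartbeat")]


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_HEARTBEAT), ("oversized", OVERSIZED_HEARTBEAT)):
        print(name, "->", check_heartbeat_record(rec))
```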
More broadly, it's a reminder that the security world is still working through the various effects of Heartbleed. Even after the central servers have been patched, researchers can discover more obscure attacks that go after less obvious targets. Vulnerable TLS implementations, OpenSSL chief among them, were widely used, leaving a broad range of potential targets. "The web and email are the biggest users of [TLS], but by no means the only ones," says Columbia professor Steve Bellovin. "Any unpatched implementations are at risk from Heartbleed." Most modern systems will have upgraded to a Heartbleed-proof version of OpenSSL by now, but there's always the concern that some access points will remain unpatched.
As for the broader impact of Heartbleed, Errata Security founder Robert David Graham estimates only half of the damage is cleaned up, suggesting Cupid may be the least of the community's troubles. "We'll be seeing important Heartbleed hacks for years," Graham told The Verge.