The heartbleed bug is back and this time it’s a different for of monster. The new variant of heartbleed is being dubbed “Cupid” by the security researcher who discovered it, Luis Grangeia. The “Cupid” bug can be used to launch heartbleed style attacks but this time on WiFi based routers (instead of the open web) and Android Jelly Bean devices connected to those routers. The bug allows hackers to target certain routers that are EAP based routers (e.g. require an individual logon and password, such as WiFi routers) by pulling the private security keys effectively bypassing any security measures. From this position the hackers could even view snippets of the working memory of the targeted devices potentially exposing user credentials, client certificates and private keys. The damage from this variant of heartbleed will apparently be much more contained than the first variant, however, it still isn’t known how many devices and routers are currently vulnerable to the attack. Any Android devices running 4.1.1 Jelly Bean are particularly vulnerable and if possible those users are encouraged to upgrade. Check out the technical details at the two source links.
Image courtesy of PCMag.com