Cupid Pumps New Life into Heart of Heartbleed

Researchers from the security firm Sysvalue have demonstrated a slew of ways that Heartbleed can still be utilized to sneak into your iOS and Android devices, as well as standard desktops that have yet to be fully updated with the appropriate certificates designed to ward off these types of attacks.

A custom-built malware called “Cupid” (a play on the heart theme of the virus), was built and deployed to a range of devices by an information technology engineer at the company named Luis Grangeia, who demonstrated his invention on an Android cellphone connected to a standard public Wi-Fi portal much like one you might find at a local McDonalds or Starbucks cafe.

More specifically, any Wi-Fi running the EAP-PEAP, EAP-TLS or EAP-TTLS protocol can easily be tricked into accepting data from unknown sources, which can then be redistributed right back through the same channels to anyone who might be connected to the network at the time of infection.

By viewing the snippets of working memory, a hacker is able to easily extract information about someone’s connection that would otherwise be masked under a mountain of encryption. This strips away the need to pack on as much processing power as possible to brute force their way into someone’s machine, instead relying on a shortcut to give them the password for entry without the machine in question even realizing the secret of the magic trick behind the scenes has already been revealed.

This tactic is especially devious because unlike most other Heartbleed exploits and its hundreds of variants that sprang off in the two years it went unpatched, this method allows an attacker to mass spam as much malware as they can fit through the pipes in a single burst. This effectively turns a single hotspot into a shotgun of spyware, blasting out dozens, even hundreds of bits of corrupted code all in one go.

This sort of “one-stop shop” mentality is becoming more and more popular on the underground circuit, with many hackers choosing the high-risk high-reward style of spreading infections over the slower, more methodical avenues of distribution which have served the community so well for the past two decades and then some.

As of now the most vulnerable version of Android seems to be Jelly Bean 4.1.1, with anything after that running a patched update which could, in theory, hold off anything that Cupid may try to throw at it in a public setting. According to recent statistics posted just last month, there are still millions of phones and tablets running the outdated build, which makes this issue a major concern for anyone who plans to connect to the same network as someone who hasn’t kept up with the update schedule as fastidiously as the rest of us.

Cupid has put an end to the belief that Heartbleed can be exploited only after a TLS handshake over a TCP connection, as well as the idea that the exploit is incapable of affecting 802.1X (NAC) networks, even if they are wired.

Grangeia has already posted his proof of concept to github for fellow researchers and device manufacturers to start pouring over, and has urged both to find and apply a solution to the problem as soon as they’re able.