New Heartbleed vulnerability found in Android and Wi-Fi

"Cupid" attack vector uncovered by Portuguese researcher

Jane McCallion
30 May 2014

The Heartbleed attack that left encrypted data vulnerable to theft is still causing problems, according to a new report.

Luis Grangeia, partner and security services manager at information security firm SysValue, claims to have found a new vector that leaves wireless routers and Android devices vulnerable to attack.

Dubbed "Cupid", the vulnerability theoretically lets attackers capture data transmitted between Android devices and Wi-Fi routers.

Grangeia claims the attack uses the same procedure as Heartbleed, but it is carried out over Wi-Fi rather than the open web.

Devices running Android 4.1.1 are already known to be vulnerable to Heartbleed. However, Grangeia warns that iOS and OS X may also be at risk from Cupid and that administrators should "test everything".

He also claims Cupid dispels myths that "Heartbleed can only be exploited over TCP connections ... [or] after TLS handshake".

Grangeia's presentation on Cupid is available to view in full.

The existence of Heartbleed, a vulnerability in the widely used OpenSSL cryptographic library, was revealed back in April by researchers from Codenomicon.

However, it was found that the bug had been present in OpenSSL's code since 2011.

Since its discovery, there has been a scramble to reissue security certificates and patch services.
