We’re not quite finished cleaning up damage from the Heartbleed bug, a flaw mistakenly included with Internet security software that allows hackers to penetrate secure systems, essentially by using software cudgels to beat them like pinatas until passwords fall out. Dark suspicions have been voiced that government intelligence services knew about Heartbleed soon after it appeared, but kept the knowledge to themselves, allowing the problem to fester on the Internet and expose servers to attack for years.
The latest warning comes from a Portuguese security expert named Luis Grangeia, who found a way to hack into Droid cell phones over wi-fi networks, as explained at The Verge:
Dubbed Cupid, the new line of attack would perform the same Heartbleed procedure over Wi-Fi instead of the open web, either pulling data from enterprise routers or using a malicious router to pull data from Android devices as they connect. In each case, the attacker would be able to view snippets of the working memory from the targeted device, potentially exposing user credentials, client certificates, or private keys. Grangeia published a proof of concept for the bug earlier today, and is urging vendors and administrators to upgrade their devices.
It’s still unclear how many devices are vulnerable, but the damage is likely to be much more contained than Heartbleed. The most vulnerable targets are EAP-based routers that require both an individual login and a password — a solution often found in wireless LANs. In those cases, an attacker could use Heartbleed to pull a private key from the router or authentication server, effectively bypassing any security measures. Grangeia says he hasn’t done enough testing to estimate how many of those routers are running vulnerable configurations. More importantly, the attack could only target devices within Wi-Fi range, seriously limiting the potential targets. “This particular variant of the attack might be slower to close,” Grangeia says, “But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower.”
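As an added illustration (not code from The Verge, Grangeia, or OpenSSL), the C check below shows the bounds test whose absence lets a heartbeat reply leak working memory: the request claims a longer payload than its TLS record actually carries. It assumes a cleartext TLS record already extracted from the EAP-TLS exchange (an encrypted record would need the same test inside the endpoint's TLS code); the function, enum and sample names are hypothetical, and the layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; all names are hypothetical. Layout per RFC 6520:
 *   TLS record: type(1) version(2) length(2) fragment[length]
 *   Heartbeat:  hb_type(1) payload_length(2) payload padding(>=16) */
enum hb_verdict { HB_NOT_HEARTBEAT, HB_TRUNCATED, HB_OK, HB_MALFORMED };

#define TLS_HDR_LEN      5u
#define TLS_CT_HEARTBEAT 24u
#define HB_HDR_LEN       3u
#define HB_MIN_PADDING   16u

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

enum hb_verdict classify_heartbeat(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < TLS_HDR_LEN)
        return HB_TRUNCATED;
    if (buf[0] != TLS_CT_HEARTBEAT)
        return HB_NOT_HEARTBEAT;

    size_t rec_len = be16(buf + 3);
    if (len - TLS_HDR_LEN < rec_len)
        return HB_TRUNCATED;            /* capture ends before the record does */
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return HB_MALFORMED;            /* no room for header plus padding */

    size_t claimed = be16(buf + TLS_HDR_LEN + 1);
    /* The missing check: the claimed payload must fit inside the record. */
    if (HB_HDR_LEN + claimed + HB_MIN_PADDING > rec_len)
        return HB_MALFORMED;
    return HB_OK;
}

/* Constructed samples: 23-byte fragments; unlisted bytes are zero padding. */
static const uint8_t sample_ok[28]  = {24, 3, 2, 0, 23, 1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t sample_bad[28] = {24, 3, 2, 0, 23, 1, 0x01, 0x00, 'p', 'i', 'n', 'g'};
static const uint8_t sample_handshake[5] = {22, 3, 2, 0, 0};

int main(void)
{
    printf("ok=%d bad=%d handshake=%d\n",
           classify_heartbeat(sample_ok, sizeof sample_ok),
           classify_heartbeat(sample_bad, sizeof sample_bad),
           classify_heartbeat(sample_handshake, sizeof sample_handshake));
    return 0;
}
```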
Unfortunately, the popular “Jelly Bean” build of the Droid smartphone operating system (officially version 4.1.1, but Droid builds are always given nicknames) includes the Heartbleed bug, and it’s somewhat more difficult to update a large number of smartphones than to install computer patches. Also, the original Heartbleed problem mostly posed a problem for large, secure servers (banks, email services, etc.) which have largely been patched at this point, but now Grangeia’s work suggests there are a few million more bleeding electronic hearts tucked into pockets and purses. And, as The Verge observes, it’s scary that new permutations of Heartbleed are still being discovered. Even when all systems are secure, it may take a while to assess how much damage has been done. How many of these vulnerabilities did hackers find and quietly exploit over the years, knowing that Heartbleed exploits leave no trace of intrusion?
The Heartbleed saga has been a hair-raising moment for the Internet, but it was also one of the computer world’s brightest hours, as dedicated researchers and security techs scrambled to discover vulnerabilities and issue timely warnings. A great deal of remarkable work has been done coping with this problem. Let’s just hope the white-hat programmers were quicker on the draw than the hackers.