02 Jun 2014

Access Points and Android Devices Vulnerable to Heartbleed; Researcher Shows

Access points and Android devices using libraries linked to vulnerable versions of OpenSSL are affected by the Heartbleed bug, according to The Register.

Security Researcher Luis Grangeia discovered that, beside Android devices, wireless infrastructure and Radius servers, affected devices could include VoIP phones, iOS and OS X.

"The basis of the “Cupid” attack tool demonstrated by Grangeia in this slideshow is that the popular EAP-PEAP, EAP-TTLS and EAP-TLS authentication protocols might (depending on the underlying implementation) use the vulnerable version of OpenSSL," the article said. "While some access points will have been patched, there's probably a bunch that haven't been, if only because even enterprise users might not have realized that they were vulnerable."

It appears that Grangeia's Cupid tool allows an attacker to exploit the Heartbleed vulnerability on access points and on terminals.

“All these use a TLS tunnel over EAP to secure some part of the authentication process,” Grangeia said.

Grangeia's research demonstrates that the Heartbleed bug can be exploited over TCP and before the TLS handshake which, by the way, is unencrypted.