TWO MONTHS LATER and the Heartbleed SSL bug is still causing problems, this time for Android and WiFi users.
Despite the fact that the Heartbleed bug was patched, an vulnerability based on the same exploit has been discovered by Luis Grangeia of information security company Sysvalue.
The "Cupid" variation uses the same exploit as the original Heartbleed bug, but occurs in data intercepted between Android devices and WiFi routers, making both vulnerable to attack.
OpenSSL had been vulnerable to attack since 2011 and on discovery, security guru Bruce Schneiner underlined the level of severity of the bug by saying "On the scale of 1 to 10, this is an 11."
The Cupid exploit requires the Android device to be connected to a WiFi network running the EAP-PEAP, EAP-TLS or EAP-TTLS protocol, but an experienced and determined hacker would know just how to make this seemingly unlikely set of circumstances viable.
Although Android has been specifically singled out, Grangeia suggested that Cupid could affect other operating systems running the protocols, including iOS and OS X machines, VoIP devices and printers, and indeed Sysvalue's advice is to check everything.
Cupid has put an end to the belief that Heartbleed can be exploited only after a TLS handshake over a TCP connection. The exploit can also affect 802.1X (NAC) networks, even if they are wired.
In the wake of the Heartbleed bug, the Linux Foundation founded the Core Infrastructure Initative, financially supported by the industry, with a remit to ensure that SSL connections remain safe from another Heartbleed type attack. µ