Heartbleed Bug Exploited Over Extensible Authentication Protocol
wiredmikey (1824622) writes "While most organizations have patched the Heartbleed bug in their OpenSSL installations, a security expert has uncovered new vectors for exploiting the vulnerability, which can impact enterprise wireless networks, Android devices, and other connected devices. Dubbed 'Cupid,' the new attack method was recently presented by Portuguese security researcher Luis Grangeia, who debunked theories that Heartbleed could only be exploited over TCP connections, and after the TLS handshake. Unlike the initial Heartbleed attack, which took place on TLS connections over TCP, the Cupid attack happens on TLS connections over the Extensible Authentication Protocol (EAP), an authentication framework typically used in wireless networks and peer-to-peer connections.
The researcher has confirmed that default installations of wpa_supplicant, hostapd, and freeradius (RADIUS server implementation) can be exploited on Ubuntu if a vulnerable version of OpenSSL is utilized. Mobile devices running Android 4.1.0 and 4.1.1 also use wpa_supplicant to connect to wireless networks, so they're also affected. Everything that uses OpenSSL for EAP TLS is susceptible to Cupid attacks. While he hasn't been able to confirm it, the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected."
Of course, lots of things can be exploited if you have a vulnerable version of OpenSSL running ;-)
Simple solution is to patch it although it might be harder on some devices.
Everything I write is lies, read between the lines.
the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected
Nowhere on his page does the researcher say anything remotely like this. It's a really bad interpretation, as he does not list any VoIP or printers or Apple products. Specifically, to be vulnerable to this attack, the product must use a vulnerable version of OpenSSL. Certainly Apple does not use OpenSSL, and there are other products that do not.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Some android phones cannot be updated without rooting them, if the manufacturer hasn't released an update.
While he hasn't been able to confirm it, the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected.
From what I've gathered, Apple deprecated their use of OpenSSL in OS X back in December 2012 and iOS never had OpenSSL at all. So is he suggesting that they're vulnerable via RADIUS because Apple continued building or using an implementation that built against OpenSSL even after they had deprecated their use of it and before the bug was even introduced? It's certainly possible, but I'm a typical Slashdotter, so I haven't read the article.
Which is why my next phone won't be Android. I'm not sure what OS it's going to be running, but Android seems to be the worst at getting updates. Many phones don't even get a single update after they are shipped. Also, the updates for many phones are carrier specific because they had carrier specific firmware when they were originally sold, so there might be an update for your phone, but you can't easily install it because it's not for your carrier. If you go with a smaller carrier, you are often out of luck. After being burned by this type of situation with Android on my first real smart phone, I will not go with Android again.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
So get an unlocked phone and install CM. They're readily available.
That's not an Android problem. That's a carrier problem. At least with Android you can do something about it.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
It really depends on the phone. The HTC phone I bought recently has ROMs available before it officially went on sale. In fact, some unofficial ROMs like CM can have support and updates for a long time after the phone has been discontinued. (I bought the HTC phone because it has plenty of disk space, and it had a MicroSD slot, and with a quick app, the SELinux profile allowed for older apps to work with the external card without issue.)
I wouldn't discount Android just yet. Instead, I'd just be careful what model I buy, and watch features/specs.
If an SD card doesn't matter, a Nexus or GPE (Google Play Experience) device almost certainly will have the ability to unlock the bootloader in the future, so that may be the way to go.
Phones are the least of the worries IMO. There are so many internet connected consumer electronics devices around that are based on some lightweight Linux stack - SmartTVs, home routers, set-top boxes, NAS boxes, IP security cameras etc. come to mind. These things will NEVER get patched because the development teams that put together the original firmware for last year's model are often not even around anymore. "Install CyanogenMod" is not an option either.
With the "Internet of Things" wave rising, this will only get worse.
I'm not sure there is a reasonable solution there; zero-day exploits will continue to be around, and companies will continue to build "embedded" devices that are not really designed to take frequent software updates.
Maybe there is room on the market for a consumer oriented security certification brand, which basically tells the buyer - yes, we have reviewed and tested the software stack on this device, and it's reasonably safe and sound, and the company behind it is reasonably committed to keeping it secure?
http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
While Apple discourages OpenSSL, it looks like they are using freeradius, which does use OpenSSL instead of their own open source Secure Transport library (of goto fail fame). However, it seems like it is using version 0.9.8, i.e. Heartbleed free.
$ otool -L radiusd | grep -e libssl -e libcrypto
/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 47.0.0)
/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 47.0.0)
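The otool check above generalised into a small POSIX shell script, as an added example (not code from the thread, and not from hostapd, wpa_supplicant, FreeRADIUS or OpenSSL): it pulls the libssl/libcrypto path out of `ldd` or `otool -L` output, reads the version series from the library name, and classifies it against the Heartbleed-affected releases (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The library names, paths and banner lines in the comments and tests are constructed samples; `check_binary` is a hypothetical driver that only runs when a path is passed on the command line.

```shell
#!/bin/sh
# Added example, not from the thread or from any project it names.
# Goal: find out which OpenSSL a daemon (hostapd, wpa_supplicant, radiusd ...)
# really links, and whether that release falls in the Heartbleed range.
# Assumed facts: 0.9.8 and 1.0.0 never carried the TLS heartbeat code,
# 1.0.1 .. 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and later are fixed.

# Extract the library path from one line of `ldd` or `otool -L` output.
# Constructed sample lines:
#   "	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3a)"
#   "	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 47.0.0)"
ssl_lib_path() {
    case "$1" in
        *'=>'*) printf '%s\n' "$1" | sed 's/.*=> *//; s/ (.*//' ;;          # ldd form
        *)      printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/ (.*//' ;;  # otool form
    esac
}

# Version series encoded in the library file name:
#   libssl.0.9.8.dylib -> 0.9.8     libssl.so.1.0.0 -> 1.0.0
# Caveat: on Linux the 1.0.1 series ships with soname libssl.so.1.0.0, so a
# "1.0.0" answer from a .so is ambiguous and must be confirmed (see below).
version_from_lib_path() {
    basename "$1" | sed 's/^libssl[.]//; s/^libcrypto[.]//; s/^so[.]//; s/[.]dylib$//'
}

# Version out of an `openssl version` / `strings libssl.so` banner,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
parse_version_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p'
}

# Classify a version string. Order of the patterns matters: the vulnerable
# 1.0.1[a-f] and 1.0.2-beta1 cases are listed before the broad "fixed" ones.
heartbleed_status() {
    case "$1" in
        0.9.*|1.0.0*)                   echo "not-affected" ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)  echo "vulnerable" ;;
        1.0.2-beta1)                    echo "vulnerable" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)   echo "fixed" ;;
        *)                              echo "unknown" ;;
    esac
}

# Hypothetical driver: check_binary /path/to/hostapd  (needs ldd or otool).
# For an ambiguous Linux soname it reads the real version banner from the
# library itself, since libssl.so.1.0.0 may be a 1.0.1x build.
check_binary() {
    if command -v otool >/dev/null 2>&1; then lines=$(otool -L "$1"); else lines=$(ldd "$1"); fi
    printf '%s\n' "$lines" | grep -e libssl -e libcrypto | while IFS= read -r line; do
        path=$(ssl_lib_path "$line")
        ver=$(version_from_lib_path "$path")
        if [ "$ver" = "1.0.0" ] && command -v strings >/dev/null 2>&1; then
            banner=$(strings "$path" | grep '^OpenSSL 1' | head -n 1)
            real=$(parse_version_banner "$banner")
            [ -n "$real" ] && ver=$real
        fi
        printf '%s  version=%s  status=%s\n' "$path" "$ver" "$(heartbleed_status "$ver")"
    done
}

if [ "$#" -gt 0 ]; then check_binary "$1"; fi
```

Two caveats for anyone running this against real hosts: a distribution that backported the fix (Ubuntu's 1.0.1-4ubuntu5.12, for instance) still reports an upstream version of 1.0.1, so on packaged systems the package changelog or the "built on" date from `openssl version -a` is the authoritative check, not the version string alone; and the result only describes the library the daemon links, so a wpa_supplicant or radiusd built against a private, statically linked OpenSSL shows nothing in `ldd` at all.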
Did _you_ know that your wireless router was using OpenSSL to manage EAP? Or did you just assume that having SSH blocked and not serving HTTPS would be enough?
And even if you did, is it even possible for you to upgrade a single library on your access point?
Try going back to the original CVE, the plethora of vulnerability checkers, or any of the press surrounding it. Every reference to Heartbleed pointed to HTTPS or, rarely, TLS and VPN services as being vulnerable to the bug. Now pretend that you don't know the implementation details of WPA and EAP. Based on all of that, why would you even consider updating or replacing every wireless device you have which doesn't use HTTPS unless the manufacturer told you?
Moreover, when have manufacturers of popular wireless equipment _ever_ produced timely and relevant updates without at least eight months lead time and court cases in at least three countries?
But that costs money! If the users want a secure device they can just upgrade to a new phone. Just because you still have 15 months left on your contract is no excuse.
Any insufficiently advanced magic is indistinguishable from technology.