VPN bypass vulnerability affects Android Jelly Bean and KitKat
The vulnerability could allow attackers to intercept traffic from Android devices despite an active VPN connection
IDG News Service - A vulnerability in Android allows malicious applications to bypass an active VPN (virtual private network) connection and force traffic from the device through an attacker-controlled system where it can be intercepted, according to security researchers from Ben-Gurion University of the Negev in Israel.
Researchers from the university's Cyber Security Labs initially reported Jan. 17 that the vulnerability affects Android 4.3, known as Jelly Bean. However, upon further investigation they were also able to reproduce it on Android 4.4 KitKat, the latest major version of the mobile OS.
VPN technology is used to create an encrypted tunnel into a private network over the public Internet. Companies rely on VPN connections to allow employees to securely connect to corporate networks from remote locations, but it can also be used by others to protect communications from snooping when connected over insecure wireless networks since it allows accessing the Internet through the remote network's gateway.
A malicious app can exploit the newly identified Android vulnerability to bypass an active VPN connection and route all data communications from the device to a network address controlled by an attacker, the Ben-Gurion University researchers said Monday in a blog post. "These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure."
The malicious application doesn't require root privileges or VPN-specific permissions, they said Tuesday via email. Some permissions are needed, but nothing really special, they said. They declined to name the required permissions or to disclose any other technical details because it could expose the vulnerability and they are still waiting for Google to respond to their report.
The bypass works for the default VPN client included in Android and some third-party clients, but not all of them, they said, adding that they can't be more specific at the moment.
The vulnerability is related to a security issue the Ben-Gurion University researchers reported in December that they claim affects the security of Samsung KNOX, a security-hardened Android version designed to be used in enterprise environments. An app running in the nonsecure area of KNOX-based devices can exploit the issue to make network configuration changes that could allow attackers to intercept communications originating from the secure area, the researchers said at the time.
According to Samsung, the exploit uses legitimate Android network functions in an unintended way. The research does not demonstrate a vulnerability in Android or KNOX, but a classic man-in-the-middle (MitM) attack that occurs at any point on the network and can be mitigated by using VPN solutions or secure data transport protocols like SSL, the company said in a blog post Jan. 9.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- OpenStack and Red Hat: IDC White paper Most OpenStack deployments are by public cloud providers that are early adopters of technology and use OpenStack in a do-it-yourself deployment and support...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Android White Papers | Webcasts