Android flaw allows attackers to bypass VPN, capture unencrypted data

The vulnerability affects Samsung's Galaxy S4, which is currently used by government agencies.
Researchers at a university in Israel disclosed the vulnerability to Google.

Researchers have discovered an Android vulnerability that allows a malicious app to bypass virtual private network (VPN) configurations, and ultimately send unencrypted data to an attacker.

On Friday, Dudu Mimran, CTO of Ben-Gurion University's Cyber Security Labs in Israel, wrote a blog post detailing the vulnerability and posted a video demonstrating how to exploit it.  

According to Mimran, the exploit affects users running the Android 4.3 mobile operating system. Android 4.4 (KitKat) currently is being tested to see if it is susceptible.

“This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address,” Mimran wrote. “These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” he warned.

According to Mimran, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic can be intercepted by an attacker leveraging the exploit, though the data would remain encrypted.

In a YouTube video, a researcher demonstrated the VPN bypass on a Samsung S4 device. In the background, a computer also displayed a packet capturing tool to show how traffic is redirected to saboteurs.

In this instance, researchers illustrated how an email sent from the phone could be hijacked (in clear text) by an attacker.

SCMagazine.com reached out to Google about the vulnerability, but did not immediately hear back from the company. Researchers at Ben-Gurion did, however, reveal that they disclosed the bug to Google on Friday.

On Monday, Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told SCMagazine.com in an interview that the vulnerability is of concern because it “attacks one of the [security] pillars we thought we could count on in the mobile world” – VPNs.

Worse yet is the type of data that could fall into the hands of miscreants leveraging the attack, Ingalsbe added.

“Apps that typically require VPNs, or have them, are banking apps,” Ingalsbe said. “Some email apps will also connect via a VPN. It's a big deal because, one, people won't know about this [threat] and, two, because apps using them are really containing critical information.”
