Android flaw allows attackers to bypass VPN, capture unencrypted data
Researchers at a university in Israel disclosed the vulnerability to Google.
Researchers have discovered an Android vulnerability that allows a malicious app to bypass virtual private network (VPN) configurations, and ultimately send unencrypted data to an attacker.
On Friday, Dudu Mimran, CTO of Ben-Gurion University's Cyber Security Labs in Israel, wrote a blog post detailing the vulnerability and posted a video demonstrating how to exploit it.
According to Mimran, the exploit affects users running the Android 4.3 mobile operating system. Android 4.4 (KitKat) currently is being tested to see if it is susceptible.
“This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address,” Mimran wrote. “These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure,” he warned.
According to Mimran, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic can be intercepted by an attacker leveraging the exploit, though the data would remain encrypted.
In a YouTube video, a researcher demonstrated the VPN bypass on a Samsung S4 device. In the background, a computer also displayed a packet capturing tool to show how traffic is redirected to saboteurs.
In this instance, researchers illustrated how an email sent from the phone could be hijacked (in clear text) by an attacker.
SCMagazine.com reached out to Google about the vulnerability, but did not immediately hear back from the company. Researchers at Ben-Gurion did, however, reveal that they disclosed the bug to Google on Friday.
On Monday, Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told SCMagazine.com in an interview that the vulnerability is of concern because it “attacks one of the [security] pillars we thought we could count on in the mobile world” – VPNs.
Worse yet is the type of data that could fall into the hands of miscreants leveraging the attack, Ingalsbe added.
“Apps that typically require VPNs, or have them, are banking apps,” Ingalsbe said. “Some email apps will also connect via a VPN. It's a big deal because, one, people won't know about this [threat] and, two, because apps using them are really containing critical information.”