Forgot your password?
typodupeerror
Android Encryption Security

VPN Encryption Vulnerability On Android 77

Posted by Soulskill
from the avoid-those-malicious-apps dept.
An anonymous reader writes "Cyber security labs at Ben Gurion University have uncovered a network vulnerability on Android devices which has serious implications for users of VPNs. This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address. These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure."
This discussion has been archived. No new comments can be posted.

VPN Encryption Vulnerability On Android

Comments Filter:
  • by Kwyj1b0 (2757125) on Saturday January 18, 2014 @10:56AM (#45998537)

    TFA says that you need to run a malicious app that intentionally exploits that system. They tested multiple android devices (and I'm assuming different versions of the OS). Also, does this work with every VPN service (like Cisco AnyConnect), or only the native system?

    Would it be possible to test if any existing Play store app accidentally/intentionally triggers this exploit? I (like many Android users) don't pirate apps (even though my phone is rooted), but if the popular Play store apps are compromised, that would be a big deal for me.

    • by Anonymous Coward

      Flexible network redirection is there to help those apps that don't normally connect to secure servers to bypass those pesky secure connections when sending your personal data. It's not a bug, it's a feature.

    • by amorsen (7485)

      A VPN client app works by redirecting traffic away from its normal destination and towards a VPN server. It is obvious that if you allow two VPN apps to run at the same time, they get to fight over who gets to redirect the traffic -- and one of them could be nasty and redirect it to a malicious VPN server, with or without encryption.

      You could restrict it so that only one VPN client app is allowed to run at a time, but it is not clear to me that it would improve security significantly. A malicious app with V

  • using POT (Personal Open Terminal) should not skew the results?

  • This isn't a vulnerability at all. Apps can choose to ignore the default routing. Same on many operating systems. Windows and Linux, for example.

    • by wbr1 (2538558) on Saturday January 18, 2014 @11:18AM (#45998717)
      I also don't see the huge issue here. Perhaps this is the fabled clickbait?

      If an app is malicious and running on a machine, of course it can reroute, or look at data in RAM pre-encryption, or a number of other things.

      If you want to be more secure, then only do secure comms on a trusted network, where any VPN routing is done outside of your potentially compromised device, and other routes are blocked.

      • by naughtynaughty (1154069) on Saturday January 18, 2014 @11:28AM (#45998769)
        In this case the assertion is that a malicious app that doesn't have root privileges can re-route traffic. Apps without root can't reroute traffic, or look at RAM, controlled by other apps. If you know of a way for an unprivileged app on a Linux or Windows box to intercept and re-route a VPN connection, let us all know how it is done.
        • by DarkOx (621550)

          I was going to say this too. I have done a bit of sockets programing on Windows, Linux and AIX and I don't know of anyway to change the next hop for route for any traffic, especially traffic not from my application that does not require elevated privileges.

          More broadly speaking though all these platforms have gotten so large and complex any security at all is at this point I think largely and illusion. As long as security is based around people deploying quick prophylactics like "I'll use VPN and just enc

    • But in most other operating systems you can discern the routes rather easily. You can even change them easily. It is a vulnerability in my eyes. I expect turning on VPN to an alternate destination will encrypt and route ALL of my traffic to that endpoint.
  • Whew (Score:5, Funny)

    by oodaloop (1229816) on Saturday January 18, 2014 @11:19AM (#45998725)
    Good thing I don't use a VPN on my android phone! I might have been exposing my data!
  • This doesn't sound like vulnerability on the encryption at all but rather Android allow modification of routing table instead. This means any existing encryption stay in tact, just rather the data is going to be re-routed out of the VPN tunnel.

    • The article states that not only can the traffic be re-routed but it can be re-routed unencrypted. From the summary: "These communications are captured in clear text (no encryption)" The vulnerability bypasses the encryption and the routing.
  • I am a fan of full disclosure and all that, but does it have to be done on a Friday afternoon? Could you not sit on the bug for just one weekend and disclose it on Monday morning, so there is a chance that the right engineers to fix it are available?

    • by tqk (413719)

      Where's the fun in that? Sheesh.

    • by tlhIngan (30335)

      I am a fan of full disclosure and all that, but does it have to be done on a Friday afternoon? Could you not sit on the bug for just one weekend and disclose it on Monday morning, so there is a chance that the right engineers to fix it are available?

      Does it really matter? I mean, if Google fixes it in 4.4 on Monday, that still leaves almost every Android phone vulnerable as they won't get the patch, ever. The Nexus line doesn't form a huge part of the Android market.

      I don't think it's something that can be

    • There's no point in waiting. Android updates are hopeless.
  • Your VPN is one network interface going this way but you still have other interfaces on different IP addresses going that way and applications are free to choose which they use.

    • Totally. This is not a security problem with Linux/Android. This is what happens when you install malware on a computer.
  • "Now the user runs the malicious app and clicks on the Exploit button which takes advantage of the vulnerability in the phone’s system"

    All I see is, if you run an app on your own device then you can capture your own network traffic. If this ` malicious app ' can't get onto the device without user action then this isn't a vulnerability in Android.
  • Sounds like something they'd do for their buddies in the NSA.

I am not now, nor have I ever been, a member of the demigodic party. -- Dennis Ritchie

Working...