Researchers as Ben Gurion university in Israel have discovered a vulnerability in Android 4.4 KitKat that allows an attacker to intercept and divert secure virtual private network (VPN) traffic.
Writing in a blog post, the researchers note that: “a malicious app can bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed.”
They go on to explain that the user could be totally oblivious to the attack, defined as a ‘man-in-the-middle’ attack, believing the connection to be encrypted and secure.
The team focussed their work on VPNs operating within the non-secure area of Samsung’s KNOX Enterprise system, using Galaxy S4 handsets.
Samsung denied that the vulnerability found on Android Jelly Bean was a fault of KNOX’s settings, and pointed out that the exploit used “legitimate Android functions in an unintended way”. Google has so far not responded to either of the security claims.
Following Samsung’s response, the Ben Gurion team identified the full VPN by-pass in Android 4.4. They point out that they used out-of-the-box devices and that the vulnerability required a few permissions, but “nothing really special”, as reported by Computer World.
The vulnerability cannot be used to break into traffic that has been encrypted before being sent. SSL email connections and HTTPS-enabled websites or other secure protocols would not be affected, as PC Advisor pointed out. But not all apps encrypt their traffic, meaning many communications could still be vulnerable to the VPN bypass.
According to The Register, the researchers have notified Google of the problem and hope that action will be taken soon, Dudu Mimran, from the University’s Cyber Security Labs, said “We think this has serious implications since KitKat is just rolling out and it may be a good time to check this out”.
VPN clients are used to create an encrypted connection to private network over the public internet, and are often used by companies to allow employees to connect remotely to their secure networks, as well as users who may be using unsecured wi-fi connections.