New Android vulnerability allows data to be stolen from VPN connections [updated]
Security researchers at Ben Gurion University have demonstrated a networking related security vulnerability in Android which allows a malicious app to bypass an active VPN connection and redirect the traffic to a different server. That server in turn has complete access to all the data which the device was sending over the VPN. Normally VPN connections are encrypted but due to the bugs in Android the data which arrives at the fake destination is unencrypted. If the fake server then sends the data on to its original destination it is possible that the Android user could remain unaware that the connection has been compromised.
The bad news
The vulnerability can be exploited on any Android device and doesn’t need root access. Any malicious app that wants to take advantage of this security hole doesn’t need any VPN specific permissions. This means it isn’t possible to identify malicious intent just from the permissions the app requests.
The exploit can be built into any app and once the app has been run the VPN connection becomes insecure. The vulnerability is present in Android 4.3 and Android 4.4 KitKat.
testing is currently underway.
VPNs are used for two main reasons. First, to encrypt an otherwise insecure connection (e.g. public Wi-Fi or a connection onto a private business network) or secondly, to defeat access restrictions based on geolocation or Internet provider (e.g. those in countries with oppressive regimes that filter and block Internet access).
In both these situations a comprised VPN connection can be a very real danger especially for those in countries where accessing forbidden parts of the Internet is punishable by law.
The good news
However there is some good news. First, to exploit this vulnerability an app, which knows how to divert the VPN traffic using this method, needs to be installed on the Android device . In the demonstration given by Dudu Mimran, the CTO of Ben Gurion University’s Cyber Security Labs, a special app was installed to cause the divert to happen. Without a malicious app installed the VPN can’t be diverted.
This means that if a concerned user only installs apps from Google Play then this should dramatically reduce the chances of an app being installed which can exploit this weakness. Since Google has been informed by the university about the nature of this attack it is likely (but not guaranteed) that Google will update its in-house malware scanners to weed out any apps submitted to the Play Store which try to exploit this problem.
Secondly, the details of the vulnerability are still private. Although the university has announced that a vulnerability exists it hasn’t published the details of how it works. This means that unless this error has been previously discovered (but not reported) then there are currently no known exploits in the wild.
The final bit of good news is that all SSL/TLS traffic, even if captured with this exploit, remains encrypted. Leaving aside the possibility that certain governments may have the ability to decrypt SSL traffic, if a user makes use of a service (say an email service) which encrypts all of its traffic then the user will remain protected even if the VPN is compromised.
Although this is a serious flaw in Android, the way in which it needs to be exploited means that at the moment it doesn’t present a danger to the average Android user. VPN users should proceed with caution and they should certainly avoid installing any apps from untrusted sources.