VPN Encryption Vulnerability On Android
An anonymous reader writes "Cyber security labs at Ben Gurion University have uncovered a network vulnerability on Android devices which has serious implications for users of VPNs. This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address. These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure."
Better blacklist windows, apple, blackberry, desktops, laptops.... Everything is vulnerable. Even your users. It's how you mitigate the ongoing risk that separates the men from the boys.
If you are competent enough to use MDM on your mobile devices then your end users wouldn't be installing non-approved apps anyway so they would be at minimal risk of exposure to this. If you are not, then you are just a clueless blow-hard moron and don't deserve to be in your position.
---- Booth was a patriot ----
TFA says that you need to run a malicious app that intentionally exploits that system. They tested multiple android devices (and I'm assuming different versions of the OS). Also, does this work with every VPN service (like Cisco AnyConnect), or only the native system?
Would it be possible to test if any existing Play store app accidentally/intentionally triggers this exploit? I (like many Android users) don't pirate apps (even though my phone is rooted), but if the popular Play store apps are compromised, that would be a big deal for me.
Or, just don't depend on the embedded Android VPN and move to a MicroVPN that does not use the native VPN client. Citrix Netscaler and other SSL VPN vendors offer this and it has much better battery life and device performance in general since you are not using a fat client app.
If an app is malicious and running on a machine, of course it can reroute, or look at data in RAM pre-encryption, or a number of other things.
If you want to be more secure, then only do secure comms on a trusted network, where any VPN routing is done outside of your potentially compromised device, and other routes are blocked.
Silence is a state of mime.
Good thing I don't use a VPN on my android phone! I might have been exposing my data!
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
In this case the assertion is that a malicious app that doesn't have root privileges can re-route traffic. Apps without root can't reroute traffic, or look at RAM, controlled by other apps. If you know of a way for an unprivileged app on a Linux or Windows box to intercept and re-route a VPN connection, let us all know how it is done.
But in most other operating systems you can discern the routes rather easily. You can even change them easily. It is a vulnerability in my eyes. I expect turning on VPN to an alternate destination will encrypt and route ALL of my traffic to that endpoint.
Although a bit flippant, the parent does have a point. Most older Android devices will never see a security update or fix for this issue. It is what it is, and unless that changes, a valid response is to require a minimum level of OS on the device. This is one area where Apple excels and Android does not.
If you are competent enough to use MDM on your mobile devices then your end users wouldn't be installing non-approved apps anyway
Bullshit. Apple at least has gone out of their way to make this nearly impossible. Anything you can do to remove access to the App Store with any of the MDMs while the device is on the carrier network is either trivially bypassed by end users, or also makes doing things like installing updates for approved apps completely broken.
At best you can deny micro VPN connections and sandboxed services when unapproved apps are detected; while possibly acceptable from a security standpoint, it's kind of closing the barn door after the horses are out from a user perspective. They just paid $5 for their app because they "forgot company policy about not installing other apps," and now you're telling them they can't use it? Does not fly well.
Then there is the little matter of the fact you can't micro VPN just anything on iOS; unless it's an in-house app or the app vendor is willing to make ipks available, you are SOL. Which leaves you going back to things like AnyConnect or the builtin IPSec VPN; followed shortly by the users crying about how hard it is to type their password when they need to connect, so you say well okay we can use certificate-only authentication, but now we need a strong password on the device, and a reasonable lock screen timeout, so we know it's you and not the guy who grabbed it after you left it on the seat of the bus. When you do that they really pitch a fit.
iOS devices are a disaster in terms of DLP and asset management.
Things are a tad bit better on the Android side of the house with regard to MDM, yes. I am not so sure it's much better on the overall security. There seems to be lots more malware in the wild.
As far as I know from a little testing with MDM demos provided by vendors and my contacts, most of them fail utterly to actually detect rooted devices. They typically look for pirate (as in radio, not warez) app stores and root tools. They often can't tell the kernel has been modified, boot loader is unlocked, etc. if minor efforts to conceal the usual tools are undertaken. As corporate MDM becomes more common the rooting community is going to start making kits that are evasive, and is almost sure to succeed given the current state of MDM. To say nothing of what the true malware authors out there are probably already doing.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I was going to say this too. I have done a bit of sockets programming on Windows, Linux and AIX and I don't know of any way to change the next hop of a route for any traffic, especially traffic not from my application, that does not require elevated privileges.
More broadly speaking though, all these platforms have gotten so large and complex that any security at all is at this point, I think, largely an illusion. As long as security is based around people deploying quick prophylactics like "I'll use VPN and just encrypt all the traffic" we are going to continue to get burned every time someone discovers a little-used API that turns on source routing or similar. The same is largely true for "run it in a VM" or "add a sandbox".
Probably until someone develops an entirely new platform with the realities of modern networks in mind every step of the way we will continue to get pwnd.
And is grounds for termination on the spot. Circumvention of corporate resources is frowned upon.
Sure MDM isn't *perfect* ( same as "everything is vulnerable"... ) but it goes a long way to prevent people from doing wrong things, and goes even further to help catch them doing it.
Now, that out of the way, some vendor's MDM is far better than others, sounds like you have been involved with the 'not as better' group.
This doesn't sound like a vulnerability in the encryption at all, but rather that Android allows modification of the routing table. This means any existing encryption stays intact; it is just that the data is going to be re-routed out of the VPN tunnel.
-=-=-=-=-=-=-=-=-=-=-=-=-=- If picture worth a thousand words, how many megapixels is it? -=-=-=-=-=-=-=-=-=-=-=-=-=-
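As an added example, not from this thread or from the Ben Gurion researchers: a small route-table check that shows what the comment above describes, a full tunnel (OpenVPN-style 0.0.0.0/1 and 128.0.0.0/1 routes over tun0) being undercut by a single more-specific route via the physical interface, which longest-prefix matching then prefers. The route tables, interface names and addresses are constructed sample data in the style of `ip route show`, not captured from a device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # None for directly connected (link-scope) routes

def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show`-style lines (constructed sample format)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes

def egress(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the route the kernel would pick for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def leaked_destinations(routes: List[Route], vpn_dev: str, vpn_server: str,
                        probes: List[str]) -> List[Tuple[str, str]]:
    """Probe destinations that would leave via something other than the tunnel.
    The host route to the VPN server itself is expected to bypass the tunnel."""
    leaks = []
    for dst in probes:
        r = egress(routes, dst)
        if r is None or r.dev == vpn_dev or dst == vpn_server:
            continue
        leaks.append((dst, r.dev))
    return leaks

# Constructed sample: healthy full-tunnel table (assumed tun0 / wlan0 names).
CLEAN_TABLE = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""
# Same table plus one injected /24, which beats the /1 tunnel routes.
POISONED_TABLE = CLEAN_TABLE + "198.51.100.0/24 via 192.168.1.1 dev wlan0\n"
PROBES = ["192.0.2.9", "198.51.100.7", "203.0.113.5"]
```

Running `leaked_destinations(parse_routes(POISONED_TABLE), "tun0", "203.0.113.5", PROBES)` reports 198.51.100.7 leaving via wlan0, while the clean table reports nothing.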
I believe we need a new Godwin's law that kicks in the first time someone expresses their opinion by calling someone else a moron or an idiot. I sometimes run OpenVPN on my Android handset. The phone is my property, I am not an end user, and the reason I use OpenVPN is nothing to do with work. So no, I do not have "MDM" and am also NOT A MORON.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
I am going to need to update our company's VPN blacklist to include all Android devices. End of story. Problem solved.
Why would you let them on your corporate network in the first place? Who knows what random fluffy kitty screensaver apps users have installed that are happily stealing all your stuff and sending it to the Chinese government or Russian mafia?