VPN flaw makes Android Jelly Bean and KitKat susceptible to hijacking

Android versions 4.3 and 4.4 have been found to contain a critical flaw in the implementation of the VPN service, which could allow attackers to redirect data that should travel inside the VPN tunnel to third-party servers.

According to the latest security advisory from Computer Emergency Response Team of India (CERT-In), the flaw which is present in Jelly Bean and KitKat flavours of the Android operating system could allow hackers to bypass security configurations of a VPN and transmit the data shared within the network to a third-party server.

The advisory also mentions that unencrypted communication within such networks can be intercepted by hackers, effectively defeating the purpose of using a VPN. Israeli security researchers were the first to find the vulnerability while testing Samsung's KNOX enterprise security suite for Android on the Galaxy S4, but later found that it was present on all devices running the mentioned Android versions.

Samsung provided a statement on the disclosure, saying, "Android development practices encourage (apps to use) SSL/TLS. Where that's not possible Android provides built-in VPN. Use of SSL/TLS would have prevented an attack based on a user-installed local application, (which exploited VPN flaw)." However, since users themselves cannot verify whether an app encrypts its traffic, it would be wise to install only trusted apps and exercise caution until Google releases a fix in the near future.

Source: Times of India | Image via PocketNow


9 Comments

"Android development practices encourage (apps to use) SSL/TLS. Where that's not possible Android provides built-in VPN. Use of SSL/TLS would have prevented an attack based on a user-installed local application, (which exploited VPN flaw)."

Apple and Oranges comparison here. VPNs are not used in place of SSL. They are two separate topics with different applications. The only common ground is that they both provide some level of encryption.

The point (I think) Samsung is trying to make is that most applications communicate in an encrypted way regardless of VPN connection status. This VPN flaw would only compromise un-encrypted application data. I'd argue that some of the reasons people use VPNs is to connect to their work infrastructure where internal encryption has probably not been paramount.

Nothing new to the news these days. Flaw will get patched, and another one discovered. Doesn't matter what platform you are on.

techbeck said,
Nothing new to the news these days. Flaw will get patched, and another one discovered. Doesn't matter what platform you are on.

Seems to me though that lately the flaws being reported are (a) pretty nasty, in the sense that something that should've "just worked" suffers from a fundamentally broken implementation, and (b) the news on the Windows side is pretty limited (i.e., this on Android, last week's GotoFail from Apple, etc.).

I mean, yeah, MS still releases patches for critical vulnerabilities, but really, compared to some of these, they're down to the "technically feasible but in actuality the stars have to align just right in order to be exploitable" type of problems.

I kind of think these flaws existed in past software. It's just that people are trying more and more every day to hack into something. So I am sure the reports will keep increasing. Which is good, as they get found out, reported, and 9 times out of 10, patched.

The problem is not very many people update Android, for whatever reason. The most popular version of Android is not the latest. Android has lots of these flaws; this is why a lot of businesses have rejected Android. iOS does have flaws, but it's updated way faster than the Android user base updates Android releases.

Not updating and the consequent fragmentation of the Android market is most often not the users' fault. Unless they want to mess with custom ROMs they have to wait and hope and pray that the device manufacturer releases an update, which often never happens.

"Android has lots of these flaws; this is why a lot of businesses have rejected Android"

Personally,
With the way they are constantly coming out with new phones and updated OS versions and cramming crap onto them, I doubt ANY phone is really very secure, and even if they are, most people pay little to no attention to that fact and probably don't know how to update/patch them either. They just use the heck out of them until it's time to get a new one.

I know I wouldn't use a phone over some network other than my own, and still then only if I had to.
