The Israeli researchers who last week discovered a VPN bypass bug in Android’s Jelly Bean 4.3 build have done some further testing and say the vulnerability also affects the most recent version of the operating system, KitKat 4.4.
Like the Jelly Bean bypass bug, this vulnerability allows a malicious app to bypass a VPN configuration to redirect traffic to another network address.
Since KitKat has a modified security implementation, the researchers were unable to reuse the vulnerability code they had used for Jelly Bean, but they were able to find one that worked. The vulnerability relies on getting a malicious app to bypass the VPN configuration without needing root permission, in order to “redirect secure communications to a different network address.”
Dudu Mimran, the CTO of Cyber Security Labs, a division of Ben Gurion University in Be’er Sheva, Israel, initially discussed the Jelly Bean bug last week in a disclosure report.
Just as with that vulnerability, Mimran reports that the communications that pass through the VPN configuration on KitKat are sent in clear text and without encryption, unbeknownst to the user.
The researchers have outlined their exploit in a video, first showing the build (4.4.2 in this case) before going on to trigger the exploit, connecting to the VPN and demonstrating how sensitive SMTP information can be collected with a packet capturing tool.
According to the researchers, the way the KitKat vulnerability works borrows a bit from another vulnerability they found last year in Samsung’s Knox security platform. That vulnerability allowed an attacker to intercept communication between Knox and the outside files on Samsung S4 devices and, in turn, bypass Knox.
Samsung and Google dismissed Ben Gurion and Cyber Security Labs’ Knox findings earlier this month, claiming the exploit “uses Android network functions in an unintended way” and that the research presented was not a bug or flaw but a classic man-in-the-middle (MitM) attack. In a public response penned by the two firms, it was stressed that “Android provides built-in VPN and support for third-party VPN solutions to protect data” and that using either of them would “have prevented an attack based on a user-installed local application.” Cyber Security Labs countered Google and Samsung’s opinions with its own response last week.
So far the group has reported both VPN issues to Google via its vulnerability reporting tools but has yet to hear anything other than that the company is still looking into it. Given Google and Samsung’s response to the group’s Knox discovery, it should be interesting to see what they have to say once the dust settles.
Cyber Security Labs has clarified in the past that it follows what it calls a “Responsible Full Disclosure Policy.” In situations like these it notifies the public of each issue it finds, without disclosing critical details that could lead someone to recreate the attack, and updates its blog with the vendor’s input throughout.