We’ve been keeping a close eye on a story related to a possible VPN bypass vulnerability in Android devices. Researchers in the cyber security lab of Ben Gurion University in Israel have been researching the issue. First making it known to Samsung that a vulnerability exists on their Knox devices. It would allow an attacker to bypass the built-in VPN features and some third party VPN apps to intercept communications in clear text.
The team at Ben Gurion University has published a series of blog posts detailing the issue. After Samsung dismissed the problem and pointed a finger at Google, the research team released more details on the vulnerability. They are still waiting on a response from Google’s security team. From what we’ve read and seen from a video posted on their site the issue looks real. If the research is right Android VPN users are at risk.
The cyber security team at Ben Gurion first uncovered the vulnerability for devices running Google’s Android 4.3 Jelly Bean. On Monday they published a new post outlining the issue on Android 4.4 KitKat as well. You can judge for yourself whether or not you think Android users are at risk by the vulnerability. Here’s a video they shared showing the VPN bypass issue on a Google Android 4.4 KitKat device.
We’re very interested to hear from those in the VPN industry as well. Does this seem like something that might affect your apps. I know it appears to be an issue with the underlining Android code but perhaps some VPN apps aren’t affected. The information from the Ben Gurion team isn’t complete enough to detail the issue in depth. That’s on purpose I’m sure to not help potential attackers make use of the bypass vulnerability.
Here is the cyber security teams posts so far for reference:
- Jan. 27 – Active VPN Bypass on Android KitKat – Disclosure Report
- Jan. 23 – Our Professional and Humble Response to Samsung
- Jan. 17 – VPN Related Vulnerability Discovered on an Android device – Disclosure Report
- Jan. 13 – Cyber Labs in the News
We also found these articles helpful in our research:
- PCWorld – VPN bypass vulnerability affects Android Jelly Bean and KitKat, researchers say
- Threatpost – Android VPN Bypass Vulnerability Affects KitKat As Well As Jelly Bean
- ZDNet – Android VPN flaw found, exposes protected data
We’ll keep you updated on the response from Google and any future posts from the research team.