Active VPN Bypass on Android KitKat – Disclosure Report
Following our second vulnerability report where we demonstrated an active VPN bypass on Android Jelly Bean 4.3 we have decided to further investigate the existence of the vulnerability on Android KitKat 4.4. At first we could not reproduce it with the original vulnerability code since KitKat has a modified security implementation. Following an elaborate investigation we were able to reproduce the same vulnerability where a malicious app can bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.
In the following video we demonstrate the vulnerability:
- The same vulnerability notes which are detailed in the previous report are still valid.
- This finding on Android KitKat is based on the same vulnerability as reported initially via WSJ. Following the original report Samsung and Google collaborated on a response where they denied that our findings demonstrate a bug or a flaw in Android or Samsung KNOX. A few days ago we have published our position here.
Earlier today contacted Google through their security email firstname.lastname@example.org and sent them a vulnerability alert with all the relevant information in an encrypted manner. We will update this blog post when new information becomes available or when progress is made in the analysis of this vulnerability. In addition, we will use this blog to issue warnings to those impacted by this vulnerability as soon as the impact is clarified. Once the issue will be resolved we will disclose here full details on the vulnerability.
- 17 Jan 2014 12:44 (GMT+2): Published the second disclosure report and submitted information to Google.
- 27 Jan 2014: Reported this KitKat related vulnerability to Google and published this disclosure report.
- 27 Feb 2014 – Google confirmed that a patch for this issue has been provided to Android OEMs.
Full details on our disclosure policy can be found here.
UPDATE (27 Jan):
We updated the disclosure log about a fix issued by Google.
Cyber Security Labs Team – Follow us via @cyberlabsbgu