back to article Android VPN redirect vuln now spotted lurking in Kitkat 4.4

Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server. Late in 2013, the Ben Gurion University security researchers first discovered ways to persuade Android to leak data sent using VPN software. …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Surprise!

You know the drill....blah blah blah... security vuln.... blah blah blah ... always MS .... blah blah blah ... shake yourselves!

0
10
Silver badge

Re: Surprise!

Yes, WinPhone can't have a problem like this...

No VPN!

4
0
Anonymous Coward

Re: Surprise!

There's a selling point in itself. Your phone won't get you in trouble at work.

0
2
Silver badge

Another day, another vulnerability

Is it impossible to write software that isn't full of security holes? I am getting that impression. In the ten years that I had XP installed on my laptop, it was a regular series of 'important security updates', until it ran like a three-legged dog in treacle. Can anybody ever get it right?

2
1
Silver badge

Re: Another day, another vulnerability

Well, yes and no. Writing software that is provably correct is very difficult (if not actually impossible). Safety critical software has a huge literature and decades of experience on the subject and they're still far from achieving it in practical environments - such as flight control software that, worryingly for anyone who's been involved in software development, contains millions of lines of code.

That's the theoretical problem. The practical problem is that, in the real world, security is that which prevents me from getting on with my job. There have been attempts at writing a secure-by-design OS, but they either have limited functionality (compared with standard 'insecure' systems) or present the user with so many security hurdles that have to be jumped that they aren't often used in practice (except in some safety critical systems, and frequently not even then).

9
0
Silver badge

Re: Another day, another vulnerability

As others have said, yes and no.

There's a lot of formal dev techniques to demonstrate that a software design has been correctly implemented in source and compiled code, and there is some software is done that way (flight control software, things like Greenhill's INTEGRITY operating system, etc).

However, that's just part of the battle. First you have to be confident that the design itself is correct, never mind the source code that implements it. That's really hard to achieve; there's plenty of room for error there. For example, there was once a feature in Adobe Reader which left it wide open, and it affected Foxit too. The problem was that the PDF spec itself was flawed, and both Adobe Reader and Foxit had faithfully implemented it.

0
0
Anonymous Coward

Re: Another day, another vulnerability

What you can do is slow down, patch and fix holes and stop piling on features that aren't needed.

But as Bill Gates once said, users buy features not big fixes.

0
0

This post has been deleted by a moderator

Anonymous Coward

Well yes Linux does have a very high vulnerability count. However Linux itself is relatively Malware free as hardly anyone uses it as a desktop (vastly more risky than certain other platforms as a server though!)

However Android IS widely used - and is combined with a very insecure OS, not surprisingly is Malware central. What business in it's right mind would be using such a well known as insecure platform to connect to a VPN?! They must be nuts...

4
7
Anonymous Coward

Is this the same Israeli researchers that seem to be flooding the news with FUD?

I wonder who is bankrolling them? All their stories so far have turned out to be total and utter FUD.

4
8
Silver badge
FAIL

Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

Would this be the same FUD Samsung and Google have confirmed is an issue?

Muppet.

8
4
Anonymous Coward

Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

http://cyber.bgu.ac.il/blog/our-professional-and-humble-response-samsung

"9 Jan 2014 - Samsung released a public response, together with Google, in which they denied that it is a bug or flaw in Samsung KNOX or Android."

Seems you sir are the Muppet. I trust Google and Samsung far more than some pay for FUD security output.

3
4
Anonymous Coward

Re: I trust Google and Samsung

Your trust is misplaced.

1
2
Silver badge

Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

Back to you Kermit.....

"but both the mobe-maker and Google determined that the problem lay within Android"

1
1
Anonymous Coward

Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

So it's FUD when it's Android, but not when it's iOS or WinMobe? Just curious. Well that and I think that you are a fandroid.

1
2

Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

But, but, but google "Do No Evil", they love fluffy kittens, and they give android away free and they are not an evil corporation like Apple/Windows. As always fanboys be dumb whether they are Apple, google, windows or Samsung flavoured. Those rose tinted glasses sure make it hard to read articles.

1
1

Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

Not a bug. It's a feature.

Admittedly not a gods feature.

0
0

"Is it impossible to write software that isn't full of security holes?"

Yes, it is very much impossible.

Anyone who says they have made some software that is 100% bug free is either lying or doesn't know what they're talking about. Even for relatively simple software, for an entire operating system there's going to be bugs and lots of them no matter what system it is or how the development process works.

4
0
DJV
Mushroom

Indeed, and it's why many programmers like me were shitting themselves in the 1980s when Ronald Reagan's "Star Wars" system was proposed. That's the one that was going to require millions of lines of computer code that had to work properly the first time an invading missile was detected coming over the horizon (and not go bananas when a pigeon shat on a detector).

3
0
Bronze badge

KitKat 4.3?

I'm sure Rowntree are excited about the accidental marketing opportunities available if even The Register is confusing Android's name and its version codenames :)

4
0
Silver badge

Re: KitKat 4.3?

Indeed. Last I checked, 4.3 was grouped together with 4.2 as Jelly Bean (4.0 and 4.1 were grouped under Ice Cream Sandwich).

0
0
Bronze badge

Re: KitKat 4.3?

Sorry old chap, no cigar!

4.1.x/4.2.x/4.3.x is Jelly Bean, 4.0.x is ICS.

0
0
Paris Hilton

Re: KitKat 4.3?

Thank goodness we have such sensible and meaningful names as jelly bean, ice cream sandwich and kitkat to help us intuitively understand our releases, rather than those old confusing and misleading release numbers eh?

Paris because she probably has fantasies about all 3.

0
1
Silver badge

Re: KitKat 4.3?

> Thank goodness we have such sensible and meaningful names as jelly bean, ice cream sandwich and kitkat to help us intuitively understand our releases,

Perhaps you haven't worked it out yet. Here's a clue: it's alphabetic:

Apple Pie, Banana Bread, Cupcake, ... Ice Cream Sandwich, Jelly Bean, Kitkat. Can you guess what the next release name will start with ?

> rather than those old confusing and misleading release numbers eh?

3.1, 95, NT, 98, ME, 2000, XP, Vista, 7, 8.

That is not a set of 'confusing and misleading release numbers' at all.

1
0
Anonymous Coward

Re: KitKat 4.3?

Well other than the fact that 4.1, 4.2 and 4.3 are Jelly Bean, 4.0 was ICS and 4.4 is KitKat. I can see how that makes complete sense. But don't let facts and you fandroid luv-in blind you to any facts.

0
0
Silver badge

Have a Break.......

have a chip cracked

0
0
Bronze badge

It might be a vulnerability in Android 4.4 but no-one will notice since VPN is pretty broken in 4.4 anyway. VPN connects but either stops passing data after a minute, or just doesn't pass data at all.

Plenty of complaints about it -

https://code.google.com/p/android/issues/detail?id=61948

https://code.google.com/p/android/issues/detail?id=62714

for instance.

1
1
Silver badge

My problem is that I can't use Android's current VPN system as it doesn't support TAP (bridging) mode, which is the ONLY mode available at my other end.

0
0

Upon further investigation they were also able to reproduce it on Android 4.4 KitKat, the latest major version of the mobile OS.

0
0
Anonymous Coward

...It's not a vulnerability!!

Holy crap, so many articles about people misusing Android's VPN service... VPN is NOT meant to "secure your data" or anything like that! VPN is meant as an encrypted connection to your work network (for example). If a "bad guy" "redirects" the VPN, the app should detect that and stop sending data. And that's no problem since, ya know, you already lost the connection to your work network... There's no vulnerability here - the vulnerability is that people are using VPNService for things it's not meant to be used for.

0
0
This topic is closed for new posts.

Forums