Android VPN redirect vuln now spotted lurking in Kitkat 4.4

Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server. Late in 2013, the Ben Gurion University security researchers first discovered ways to persuade Android to leak data sent using VPN software …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Surprise!

    You know the drill....blah blah blah... security vuln.... blah blah blah ... always MS .... blah blah blah ... shake yourselves!

    1. Tom 35 Silver badge

      Re: Surprise!

      Yes, WinPhone can't have a problem like this...

      No VPN!

      1. Anonymous Coward

        Re: Surprise!

        There's a selling point in itself. Your phone won't get you in trouble at work.

  2. frank ly Silver badge

    Another day, another vulnerability

    Is it impossible to write software that isn't full of security holes? I am getting that impression. In the ten years that I had XP installed on my laptop, it was a regular series of 'important security updates', until it ran like a three-legged dog in treacle. Can anybody ever get it right?

    1. Chris Miller

      Re: Another day, another vulnerability

      Well, yes and no. Writing software that is provably correct is very difficult (if not actually impossible). Safety critical software has a huge literature and decades of experience on the subject and they're still far from achieving it in practical environments - such as flight control software that, worryingly for anyone who's been involved in software development, contains millions of lines of code.

      That's the theoretical problem. The practical problem is that, in the real world, security is that which prevents me from getting on with my job. There have been attempts at writing a secure-by-design OS, but they either have limited functionality (compared with standard 'insecure' systems) or present the user with so many security hurdles that have to be jumped that they aren't often used in practice (except in some safety critical systems, and frequently not even then).

    2. bazza Silver badge

      Re: Another day, another vulnerability

      As others have said, yes and no.

      There's a lot of formal dev techniques to demonstrate that a software design has been correctly implemented in source and compiled code, and there is some software that is done that way (flight control software, things like Green Hills' INTEGRITY operating system, etc).

      However, that's just part of the battle. First you have to be confident that the design itself is correct, never mind the source code that implements it. That's really hard to achieve; there's plenty of room for error there. For example, there was once a feature in Adobe Reader which left it wide open, and it affected Foxit too. The problem was that the PDF spec itself was flawed, and both Adobe Reader and Foxit had faithfully implemented it.

    3. Anonymous Coward

      Re: Another day, another vulnerability

      What you can do is slow down, patch and fix holes and stop piling on features that aren't needed.

      But as Bill Gates once said, users buy features not bug fixes.

  3. This post has been deleted by a moderator

    1. Anonymous Coward

      Well yes Linux does have a very high vulnerability count. However Linux itself is relatively Malware free as hardly anyone uses it as a desktop (vastly more risky than certain other platforms as a server though!)

      However Android IS widely used - and is combined with a very insecure OS, not surprisingly is Malware central. What business in its right mind would be using such a well-known insecure platform to connect to a VPN?! They must be nuts...

  4. Anonymous Coward

    Is this the same Israeli researchers that seem to be flooding the news with FUD?

    I wonder who is bankrolling them? All their stories so far have turned out to be total and utter FUD.

    1. Anonymous Coward
      FAIL

      Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

      Would this be the same FUD Samsung and Google have confirmed is an issue?

      Muppet.

      1. Anonymous Coward

        Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

        http://cyber.bgu.ac.il/blog/our-professional-and-humble-response-samsung

        "9 Jan 2014 - Samsung released a public response, together with Google, in which they denied that it is a bug or flaw in Samsung KNOX or Android."

        Seems you sir are the Muppet. I trust Google and Samsung far more than some pay for FUD security output.

        1. Anonymous Coward

          Re: I trust Google and Samsung

          Your trust is misplaced.

        2. Anonymous Coward

          Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

          Back to you Kermit.....

          "but both the mobe-maker and Google determined that the problem lay within Android"

        3. midcapwarrior

          Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

          Not a bug. It's a feature.

          Admittedly not a good feature.

    2. Anonymous Coward

      Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

      So it's FUD when it's Android, but not when it's iOS or WinMobe? Just curious. Well that and I think that you are a fandroid.

      1. Disintegrationnotallowed

        Re: Is this the same Israeli researchers that seem to be flooding the news with FUD?

        But, but, but google "Do No Evil", they love fluffy kittens, and they give android away free and they are not an evil corporation like Apple/Windows. As always fanboys be dumb whether they are Apple, google, windows or Samsung flavoured. Those rose tinted glasses sure make it hard to read articles.

  5. Paul Hayes 1

    "Is it impossible to write software that isn't full of security holes?"

    Yes, it is very much impossible.

    Anyone who says they have made some software that is 100% bug free is either lying or doesn't know what they're talking about. Even for relatively simple software, for an entire operating system there's going to be bugs and lots of them no matter what system it is or how the development process works.

    1. DJV Silver badge
      Mushroom

      Indeed, and it's why many programmers like me were shitting themselves in the 1980s when Ronald Reagan's "Star Wars" system was proposed. That's the one that was going to require millions of lines of computer code that had to work properly the first time an invading missile was detected coming over the horizon (and not go bananas when a pigeon shat on a detector).

  6. Robert Grant

    KitKat 4.3?

    I'm sure Rowntree are excited about the accidental marketing opportunities available if even The Register is confusing Android's name and its version codenames :)

    1. Charles 9 Silver badge

      Re: KitKat 4.3?

      Indeed. Last I checked, 4.3 was grouped together with 4.2 as Jelly Bean (4.0 and 4.1 were grouped under Ice Cream Sandwich).

      1. Brian Morrison

        Re: KitKat 4.3?

        Sorry old chap, no cigar!

        4.1.x/4.2.x/4.3.x is Jelly Bean, 4.0.x is ICS.

        1. Immenseness
          Paris Hilton

          Re: KitKat 4.3?

          Thank goodness we have such sensible and meaningful names as jelly bean, ice cream sandwich and kitkat to help us intuitively understand our releases, rather than those old confusing and misleading release numbers eh?

          Paris because she probably has fantasies about all 3.

          1. Richard Plinston Silver badge

            Re: KitKat 4.3?

            > Thank goodness we have such sensible and meaningful names as jelly bean, ice cream sandwich and kitkat to help us intuitively understand our releases,

            Perhaps you haven't worked it out yet. Here's a clue: it's alphabetic:

            Apple Pie, Banana Bread, Cupcake, ... Ice Cream Sandwich, Jelly Bean, Kitkat. Can you guess what the next release name will start with?

            > rather than those old confusing and misleading release numbers eh?

            3.1, 95, NT, 98, ME, 2000, XP, Vista, 7, 8.

            That is not a set of 'confusing and misleading release numbers' at all.

            1. Anonymous Coward

              Re: KitKat 4.3?

              Well other than the fact that 4.1, 4.2 and 4.3 are Jelly Bean, 4.0 was ICS and 4.4 is KitKat. I can see how that makes complete sense. But don't let facts and your fandroid luv-in blind you to any facts.

  7. ukgnome

    Have a Break.......

    have a chip cracked

  8. Andrew Jones 2

    It might be a vulnerability in Android 4.4 but no-one will notice since VPN is pretty broken in 4.4 anyway. VPN connects but either stops passing data after a minute, or just doesn't pass data at all.

    Plenty of complaints about it -

    https://code.google.com/p/android/issues/detail?id=61948

    https://code.google.com/p/android/issues/detail?id=62714

    for instance.

    1. Charles 9 Silver badge

      My problem is that I can't use Android's current VPN system as it doesn't support TAP (bridging) mode, which is the ONLY mode available at my other end.

  9. micjustin33

    Upon further investigation they were also able to reproduce it on Android 4.4 KitKat, the latest major version of the mobile OS.

  10. Anonymous Coward

    ...It's not a vulnerability!!

    Holy crap, so many articles about people misusing Android's VPN service... VPN is NOT meant to "secure your data" or anything like that! VPN is meant as an encrypted connection to your work network (for example). If a "bad guy" "redirects" the VPN, the app should detect that and stop sending data. And that's no problem since, ya know, you already lost the connection to your work network... There's no vulnerability here - the vulnerability is that people are using VPNService for things it's not meant to be used for.
