Pic: tabtimes
Security researchers at Ben Gurion University have discovered a serious flaw on Android’s VPN implementation, exposes protected data. As per the researchers, the Android vulnerability allows a malicious app to bypass virtual private network (VPN) configurations( no root permission required) , and ultimately send unencrypted data to an attacker.
“The secure data communications can be captured in CLEAR TEXT , leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.”
According to the researchers, the attack relates to Knox exploit, and works against a properly configured VPN on Android 4.3 devices from multiple vendors. While the exploit can also affect SSL/TLS traffic, it remains encrypted after capture.
The demonstration of this was posted on youtube :
As per Dudu Mimran, CTO of Ben-Gurion University’s Cyber Security Labs in Israel, they reported this to Google and Samsung on the vulnerabilities.
Full details can be found at the university blog
