A Closer Look at the Android VPN Flaw
It’s been a rough couple of years for Android devices. Sure, there may have been more than 900 million of them activated in 2013 alone, but those impressive sales numbers do nothing to inhibit cyber criminals from exploiting these open source devices. We’ve discussed Android vulnerabilities at some length, and have demonstrated how a centrally managed VPN as part of a defense in depth secure remote access framework can mitigate many of these threats. However, the recent revelation from Ben Gurion University of malicious apps that can be used to bypass VPN configurations and push communications to a different network address changes the conversation entirely.
As Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told SC Magazine, that’s because this new vulnerability “attacks one of the [security] pillars we thought we could count on in the mobile world,” – VPNs. Ingalsbe is right – VPNs have been a cornerstone to secure remote access to corporate networks for a long time now, and the possibility that the peace of mind they ensure has been compromised is alarming. However, if we take a closer look at the vulnerability uncovered by Ben Gurion University, it becomes apparent that cyber criminals are attempting to use an old trick in a new disguise.
Man-in-the-middle (MitM) attacks, a form of which the researchers used to bypass VPN security, are actually pretty simple. They are designed to intercept communications between two endpoints (e.g. an Android device and a corporate network) before those communications have entered the safety of a VPN’s encrypted tunnel. Instead, the unencrypted data is redirected to an alternate location, such as a cyber criminal’s computer, where it is quickly stored on the device’s local hard drive before being passed along into the VPN and onto a corporate network. Thankfully, VPNs are only one component of a defense in depth secure remote access strategy.
Employee education is perhaps the most important step an enterprise can take to prevent this kind of attack. In order for the new Android VPN vulnerability to be an issue in the first place, a malicious app must first be downloaded. IT security professionals must be vigilant about educating their employees on the dangers of unsecure remote access, including the importance of verifying the legitimacy of any apps downloaded onto their devices. Bearing this in mind, it’s worth noting that VPNs themselves are safe, as long as IT and employees are working together to ensure all the necessary security precautions and protocols are being adhered.
As of right now, there have been no reported cases of the so-called Android VPN vulnerability being exploited by anyone other than the researchers at Ben Gurion University. However, emerging threats such as this always reinforce the necessity of having comprehensive remote access security. With 2014 still in its infancy, the time has never been better for enterprises to reevaluate their IT security infrastructure and work to patch any gaps that may exist.