Android KitKat Has a VPN Vulnerability
The KitKat release of the Android operating system has a security vulnerability that affects VPN users. The vulnerability allows an attacker to bypass the VPN connection altogether. The attacker can then force any network communication from the device through a system of their choosing.
The vulnerability was reported by Cyber Security Labs at the end of January. The issue had already been discovered in the 4.3 release of Android (called Jelly Bean) and was then found to affect the 4.4 release as well.
Ben-Gurion University researchers in Israel released the information, explaining that, using a malicious app, an attacker could force network traffic through their own servers. That traffic would not have VPN protection on it, which means that it would be readable by anyone intercepting it, creating a serious security issue.
Attackers don’t need to have root privileges on the device to exploit the vulnerability.
The researchers said that some VPN apps secure against this type of attack, but not all of them do. Android OS comes with its own VPN client, but that client was found to be vulnerable to the attacks. The researchers have not released information regarding which apps work to protect against this particular problem and which do not.
What to Do
The most important security measure you can take with a mobile device is to not hook up to unsecured networks. This prevents many types of attacks. Make sure the settings on any mobile device you use do not allow it to connect to any open networks.
Home networks need to be locked down with a password, for this and many other reasons.
While there is no information about which apps prevent this type of attack, the built-in Android VPN client is known to be vulnerable, so you may want to consider switching to a different app to handle your VPN connection if you are using the included one. Most VPN providers now offer such an app for mobile devices. If you cannot find theirs on their website, check the iTunes store or the Google Play store to see if they have one available, but check the publisher to make sure it really is your VPN company.
VPNs offer protection, but they cannot protect against operating system flaws. Make sure that any patches for your operating systems, including your mobile operating systems, are applied and that you have the latest release installed on your device, and be aware of the risks involved with any network that you connect to.