The Computer Emergency Response Team of India (CERT-In) has cautioned users of a ‘critical flaw’ in Android’s Virtual Private Network (VPN) implementation, mainly affecting v4.3 Jelly Bean and the latest v4.4 KitKat. According to the Internet security sleuths, the flaw could allow an attacker to ‘hijack’ users’ personal data.
“A critical flaw has been reported in Android’s Virtual Private Network (VPN) implementation, affecting Android versions 4.3 and 4.4, which could allow an attacker to bypass the active VPN configuration to redirect secure VPN communications to a third-party server or disclose or hijack unencrypted communications,” the Computer Emergency Response Team of India (CERT-In) said in its latest advisory to users.
VPN technology enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while retaining the functionality, security and management policies of that private network.
According to CERT-In, the flaw can be used to redirect the VPN traffic “to a different network address”, and its exploitation “could allow attackers to capture the entire communication originating from the affected device.”
“It is noted that not all applications are encrypting their network communication. Still, there is a possibility that an attacker could capture sensitive information from the affected device in plain text, such as email addresses, the IMEI number, SMSes and installed applications,” the advisory said.
Cyber experts, however, added that this flaw only exposes data that is transmitted in plain text; Android applications that connect directly to their servers using SSL, and websites that use ‘https’ in their URL, will not be affected.
“Apply appropriate updates from the original equipment manufacturer, do not download and install applications from untrusted sources, maintain an updated mobile security solution or mobile anti-virus solution on the device, exercise caution while visiting trusted or untrusted URLs, and do not click on URLs received unexpectedly via SMS or email, whether from trusted or untrusted users,” are some of the countermeasures suggested by CERT-In to tackle the threat.
Source: ZeeNews