CERT-In cautions users of critical VPN flaw in Android Jelly Bean and KitKat

By Kul Bhushan | Published on 03 Mar 2014
HIGHLIGHTS
  • Are you using your Android's VPN to access your enterprise network? Here's a heads up from the CERT-In.

The Computer Emergency Response Team of India (CERT-In) has cautioned users about a 'critical flaw' in Android's virtual private network (VPN) implementation, mainly affecting v4.3 Jelly Bean and the latest v4.4 KitKat. According to the Internet security sleuths, the flaw could allow an attacker to 'hijack' personal data of users.

"A critical flaw has been reported in Android's Virtual Private Network (VPN) implementation, affecting Android version 4.3 and 4.4 which could allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications," the Computer Emergency Response Team of India (CERT-In) said in its latest advisory to users of this network.

VPN technology enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, but with the functionality, security and management policies of the private networks.

According to the CERT-In, the flaw can be used to redirect the VPN traffic "to a different network address" and that its exploitation "could allow attackers to capture entire communication originating from affected device."

"It is noted that not all applications are encrypting their network communication. Still there is a possibility that attacker could possibly capture sensitive information from the affected device in plain text like email addresses, IMEI number, SMSes, installed applications," the advisory said.

Cyber experts, however, added that this flaw could only lead to the capture and viewing of data that is in plain text. Android applications that connect directly to the server using SSL, and websites that use 'https' in their URL, will not be affected.

"Apply appropriate updates from original equipment manufacturer, do not download and install application from untrusted sources, maintain updated mobile security solution or mobile anti-virus solutions on the device, exercise caution while visiting trusted or untrusted URLs and do not click on the URLs received via SMS or email unexpectedly from trusted or received from untrusted users" are some of the countermeasures suggested by the CERT-In to tackle the threat.

Source: ZeeNews
