Mobile VPNs: Battered but not broken

With weaknesses exposed in mobile VPNs in recent months, we examine whether they are safe for companies to deploy

Security chiefs would be forgiven for worrying about their virtual private networks (VPNs), especially those sitting on employee-owned mobiles.

The Edward Snowden leaks revealed that GCHQ and its intelligence partners were devoting plenty of man-hours to breaking various VPN products. The NSA’s XKeyScore tool was said to have VPN-cracking capabilities, but few details were disclosed.

Weaknesses in mobile VPNs have been highlighted in recent months too. One concerned Android devices, which could have been exploited to view information in clear text when it was supposed to have been sent over encrypted VPN lines. The exploit, which cannot be fully revealed until patches have been widely rolled out, saw communications diverted to a server of the attacker’s choosing.

Researchers from the Cyber Security Labs of Ben Gurion University created a malicious app that took advantage of the flaw to scoop up email being sent over SMTP, getting hold of data before it was encrypted and passing it on to their own machines.  

The good news is that Google has confirmed a patch, which is now being passed on to device manufacturers. It should cover off the problem in both Jelly Bean 4.3 and KitKat 4.4 – the two versions the Israeli researchers probed.

The bad news is that the fix will likely take another few months before phones are actually patched, as Google’s hardware partners tend to take their time on such matters.

“It will take several months before these things are protected,” says Dudu Mimran, chief technology officer of Cyber Security Labs, which reported Google’s patch at the end of February. “But there is a fix and that is the important thing. We’ve done our job.”

Good operational security means a safe VPN

Despite this scare, companies need not view mobile VPNs as an isolated issue. Looking at the Android exploit, other basic protections could have prevented any data theft. As the Ben Gurion team noted, SSL/TLS traffic remained encrypted and not in clear text, meaning that layer of protection would have likely kept out any prying eyes.


Whilst not every action carried out on a victim’s phone would be protected by SSL, the admission by the researchers makes something clear: no firm should be relying solely on a VPN to protect all data going in and out of their network from mobiles. If a phone is compromised, then any malicious applications sitting on it would be a concern.

“VPNs are as safe to use on a phone as they are from a PC,” says Rob Miller, consultant at MWR InfoSecurity. “If the device is compromised then the VPN connection could also be compromised.

“All applications on the device can use the VPN connection, [so] if you connect to a corporate VPN then any app can send and receive data through the VPN to your corporate network.”

Rudimentary security remains pertinent here. Endpoint protection that can detect anomalous behaviour, rather than relying solely on signatures as basic anti-virus does, will help catch rogue apps doing odd things on user devices.

But more constraints will be needed to prevent sophisticated VPN bypasses.

“Restrict apps installed on the device, make sure the device has a good password and the filesystem is encrypted. Don’t use old Android devices with known vulnerabilities,” Miller adds.

As the Android issue was partly an application-layer threat, a mobile device management (MDM) product that containerises apps will also help keep critical data separate. A solid bring your own device (BYOD) policy covering all of the above should keep IT on top of which machines are transmitting data in and out of the organisation, and where the risk lies.
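Miller’s point that every app on a phone can push traffic through a corporate VPN, and his advice to restrict which apps are installed, can be enforced at the tunnel itself on newer Android releases. The following is an added illustration, not code from the article or from any VPN vendor: an Android VpnService that only admits an allowlist of corporate packages to the tunnel, using the platform’s VpnService.Builder.addAllowedApplication() method. That API arrived in Android 5.0 (API 21), so it post-dates the Jelly Bean 4.3 and KitKat 4.4 builds the researchers probed. The package names, tunnel address, route and DNS server are constructed placeholders, and the packet-forwarding loop a real client runs against the tunnel descriptor is assumed to live elsewhere in the product; only the access restriction is shown here.

```java
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Added illustration: a VpnService whose tunnel is restricted to an allowlist of
// corporate apps, so an unrelated (possibly malicious) app on the same device
// cannot send or receive traffic through the tunnel into the corporate network.
// Requires Android 5.0 (API 21) or later for addAllowedApplication().
public class AllowlistVpnService extends VpnService {
    private static final String TAG = "AllowlistVpn";

    // Constructed placeholder package names; a real deployment would take
    // this list from MDM policy rather than hard-coding it.
    static final List<String> ALLOWED_PACKAGES = Arrays.asList(
            "com.example.corp.mail",
            "com.example.corp.crm");

    private ParcelFileDescriptor tunnel;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        if (tunnel == null) {
            tunnel = buildTunnel();
            if (tunnel == null) {
                stopSelf(); // refuse to run an unrestricted tunnel
            }
        }
        return START_STICKY;
    }

    // Returns null instead of an unrestricted tunnel if no allowlisted app is installed.
    private ParcelFileDescriptor buildTunnel() {
        // Address, route and DNS are constructed values; take them from the
        // gateway configuration in practice. Routing only the corporate range
        // keeps general internet traffic off the tunnel.
        Builder builder = new Builder()
                .setSession("corp-allowlist-vpn")
                .addAddress("10.8.0.2", 32)
                .addRoute("10.0.0.0", 8)
                .addDnsServer("10.0.0.53");

        int added = 0;
        for (String pkg : ALLOWED_PACKAGES) {
            try {
                builder.addAllowedApplication(pkg);
                added++;
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "allowlisted package not installed: " + pkg);
            }
        }
        // If no allowed application is registered, Android routes every app
        // through the tunnel, which is exactly the exposure the article
        // describes. Fail closed instead of establishing an open tunnel.
        if (added == 0) {
            Log.e(TAG, "no allowlisted app present; not establishing tunnel");
            return null;
        }
        return builder.establish();
    }

    // Called when the user or another VPN app revokes this VPN: tear the tunnel down.
    @Override
    public void onRevoke() {
        closeTunnel();
        super.onRevoke();
    }

    @Override
    public void onDestroy() {
        closeTunnel();
        super.onDestroy();
    }

    private void closeTunnel() {
        if (tunnel != null) {
            try {
                tunnel.close();
            } catch (IOException e) {
                Log.w(TAG, "error closing tunnel", e);
            }
            tunnel = null;
        }
    }
}
```

To run at all, the service must be declared in the manifest with the android.permission.BIND_VPN_SERVICE permission and the android.net.VpnService intent filter, and an Activity has to call VpnService.prepare() first so the user consents to the VPN. The fail-closed branch matters: on Android an empty allowlist means no restriction, so a configuration error would silently recreate the any-app-can-use-the-tunnel situation rather than deny access.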

Guarding against complacency

The most positive thing to emerge from all the recent interest in VPN hacking is that the software and the protocols used in the products appear to remain secure. The Snowden revelations showed even the most adept intelligence agents in Cheltenham were struggling to break the encryption VPNs use.

The Android attacks did not directly compromise VPN software either, but exploited an underlying flaw in the way the Google operating system handled the connections, and they required a malicious application to be planted on the device in the first place.

Given there’s a very low chance of even encountering mobile malware – just 5% in the UK, according to Lookout Mobile Security’s latest threat report – it is clear few would be compromised by such attacks.

That is not to say security officers should be complacent. Current trends point to more targeted attacks on mobiles, compared to the Windows landscape where attackers simply try to compromise as many machines as possible.

That means CISOs would be wise to keep abreast of what workers are using mobile devices for and how they might be targeted as individuals.

VPN providers could do IT teams a favour too by allaying the fears sparked by the Snowden controversy, both of vendor collusion with the intelligence agencies and of concerted nation-state hacking efforts against commonly used products.

“Many of the security VPN suppliers will need to up their game regarding security research and vulnerability response so that, as the inevitable flaws are found, they are patched in a timely manner,” says Thom Langford, director of the global security office at consultancy Sapient.


“Our VPN providers should be providing clear statements as to whether they have voluntarily opened up back doors for NSA/GCHQ.”

If worried about the quality of a VPN or questioning faith in a supplier, it might be time for security managers to consider a switch anyway.

“Look at their technology and its usefulness to your organisation and select the supplier with the best reputation/cost – there is enough choice,” says Bob Tarzey, security analyst at Quocirca.

And that is advice that goes for every piece of a company’s IT jigsaw.

“As for security agencies trying to hack them, I am sure they have a crack at all technology,” he adds. “Some security is better than none. An organisation with no security is the easiest target, whatever the platform or network.”
