IT NEWS

Man scammed IRL for a phone he sold online

If you’re looking to sell an item which you’ve advertised online, be on your guard. Even when everything looks to be working as it should, things can go wrong very quickly as one unfortunate IT graduate recently discovered. You would think that there’s no way the in-person sale of an expensive device, with money exchanging digitally on your own doorstep, could possibly go wrong. And yet…

Fake apps, real items

Chris Gray of Howdon possesses an IT degree, and considers himself to be tech-savvy. Sometimes having a preconceived idea of what a scam may look like can contribute to being caught off-guard by something completely out of left field. In this case, the scam involved the sale of an expensive mobile device which had been listed online.

The buyer appeared at Gray’s home and agreed to pay by bank transfer using a mobile app in front of Gray. Gray says the app appeared to display the agreed sum being sent to his bank account. When the money still hadn’t arrived after 20 minutes, Gray did a quick Google and, seeing it could take “up to 2 hours” for the transaction to show up, sent the buyer on his way. The buyer left with the phone, and Gray was left with nothing. No money ever turned up in his bank account.

There was no reversing of the funds, no claim backs. So what happened?

Gray believes the scammer was using a fake mobile app designed to look like it was processing a bank transfer. No matter which details were punched in, it would have looked as though a transaction was taking place. In reality, it seems it was all just a very clever front to part someone from their mobile device. This tale ends with Gray being blocked on social media by the phone thief, their only other point of contact.

The continued problem of fake payment apps

This isn’t the first time this has happened, and law enforcement is definitely taking an interest in these fake app payment scams.

Just last month, West Yorkshire police warned about this exact type of fraud. Following a similar pattern to the above, targets are usually selling items on social media when the criminals make their move. From the release:

“When a meeting takes place to hand over the item being sold, the victim puts their bank details into a fake app on the criminal’s phone. It then produces a screen which makes it appear that the money has been successfully transferred.

But when the victim then checks their account, they find that the funds haven’t actually transferred. 

The criminal then pretends to call his bank saying that it takes up to two hours for the funds to show. But the money is never received by the victim.”

There’s that two hour window warning again! We don’t know if these dubious purchase attempts are from the same person, different groups of people, or if it’s some sort of group dedicated to going up and down the UK making bogus purchases. One thing is for certain, this makes the prospect of social media selling a bit riskier than it already is.

How to avoid selling to a scammer

People will often sell items away from sites such as eBay for various reasons, but when doing so they’re at the mercy of people who may not have the best intentions. Here are some of the ways you can keep yourself safe from harm, courtesy of West Yorkshire Police:

  • Accept that selling away from more traditional online marketplaces means you won’t have any backup protection in place as a buyer or a seller. No third party will come to your assistance if you’re making deals on Twitter.

  • If you agree to make a payment transfer via a buyer’s “app”, feel free to ask them in advance of them coming to your home about the app’s name and other details. If it’s something you’re unfamiliar with, Google it. Check if you need an account on the supposed app to be able to receive money in the first place.

  • Don’t feel pressured to accept a payment. Rush tactics are very common in scams, whether online or off. This scam grants the criminal a little more leeway under the guise of “payments taking up to 2 hours”.

  • Contact your bank once a payment has supposedly been made prior to handing over any goods, and see if there is indeed a payment pending.

  • Use an app of your choosing to receive money. It may not be prudent to have the supposed buyer make the call where this is concerned. If you’re using recognised payment services, you’ll likely have some measure of additional protection if things go wrong down the line.

  • Don’t hand anything over until the money is in your bank account or payment app.

Stay safe out there!

DeadBolt ransomware gang tricked into giving victims free decryption keys

Dutch police and other law enforcement agencies have managed to trick the DeadBolt ransomware operators into releasing 150 decryption keys for free. 

The method of obtaining decryption keys was found by a Dutch incident response company called Responders.NU, who shared the method with the police. The basis for the trick is that it was possible to cancel an unconfirmed Bitcoin transaction before the payment went through, but after the decryption key was released.

Because of the large amount of Bitcoin transactions taking place at one time, it can take a while for payment to actually go through. That gave police enough time to block the transactions from going through before the payment actually took place. By then they’d already received the decryption key and could pass it on to the victims. They managed to repeat the process around 150 times before the ransomware gang pulled the plug on their system that gave out the decryption keys.

Deadbolt

DeadBolt is a ransomware that specializes in encrypting online network attached storage (NAS) devices. Owners of QNAP (Quality Network Appliance Provider) devices have recently been the target of this ransomware operator. QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase.

More recently, QNAP detected that cybercriminals known as DeadBolt were exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that were directly connected to the internet. This DeadBolt campaign also targeted Asustor users. According to the police there are around 20,000 affected devices worldwide. Each of them received instructions to pay 0.05 Bitcoin (around $1000 at the time of writing) to get a decryption key for their files.

Decryption keys

The police wanted to emphasize that it is always important to file a complaint about cybercrime, even though the chances of apprehending the cybercriminals may seem slim. So they started by helping victims, from 13 countries, who had filed a complaint with their local police.

Most of the victims who they helped should have received instructions on how to access their personal decryption key by now.

If you have not been notified by the police but you still want to check if you are one of the lucky ones, you can follow the instructions on the site deadbolt.responders.nu and find out if your decryption key is available.

Mitigation

It is important to file a complaint if you are a victim of a cybercrime. Not only does it give law enforcement agencies a better understanding of what’s going on and how widespread a campaign is, it also provides them with information that may help them apprehend the criminals or recover your data or money.

To avoid falling victim to the DeadBolt ransomware, the obvious advice is to not connect your NAS directly to the internet, but we understand that that ruins the whole purpose of a NAS for some users.

Make sure that the firmware of your device and all the software running on it is up to date. These criminals will not only find new vulnerabilities, but also use old ones that have not yet been patched.

To enhance the security of your NAS, QNAP recommends users use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. Or you can use another VPN of your choice.

Why Log4Text is not another Log4Shell

The Apache Software Foundation has acknowledged a vulnerability in Apache Commons Text, a library focused on algorithms for string manipulation.

The vulnerability has been assigned CVE-2022-42889, but security researchers have dubbed it Log4Text. The name provides an immediate association with Log4Shell, which had quite the impact and ranked #1 in the CISA top 5 most routinely exploited vulnerabilities of 2021.

Apache Commons Text is a library that focuses on algorithms for string manipulation, which means it is used for various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators.

The problem lies in those interpolators. You can compare these interpolators to environment variables: when called, an interpolator returns the value of that variable, and in order to do that it sometimes has to execute commands.

Vulnerability

The full description of the vulnerability is:

“Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is ${prefix:name}, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • “script” – execute expressions using the JVM script execution engine (javax.script)
  • “dns” – resolve dns records
  • “url” – load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.”

Quickly summarized, this means an attacker with a successful exploit could extract information from the memory, set up internet connections, and execute arbitrary commands.

Similarities

Log4Shell and Log4Text are both vulnerabilities in widely used Apache libraries and they do have some things in common, so it’s understandable that people are worried.

Both of the vulnerabilities rely on un-sanitized input, which means that the input provided by users is not checked, cleaned, and filtered before it reaches the application.

The possible implications of a successful exploit are very similar to those of Log4Shell. Both of the vulnerabilities are found in a widely used Apache library and both depend on variable substitution, which looks for patterns like ${something} and replaces them with other pieces of information.

The difference

The big difference lies in the use-case for the two Apache libraries. Apache Commons Text is specifically designed for this kind of text manipulation while Log4j was built for logging only. This also has implications for where the libraries are used. IT and security folk want to log as much as they can, so Log4j shows up in more online applications than we would ever expect Apache Commons Text to.

It also means that the interpolators are used in a library where they are expected and they’ll usually be there on purpose. It also limits the options that it provides an attacker. Where Log4Shell was very easy to exploit, Log4Text requires a lot more effort and advanced knowledge of the target to be successfully exploited.

Mitigation

Users should upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Make sure that user input gets sanitized before it reaches your application, service, or server. This will also help to prevent abuse as a result of vulnerabilities that haven’t been found or published yet.
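The two pieces of advice above can be combined in code. The following is an added example, not code from the Apache Commons Text project or from this article: instead of calling the convenience method StringSubstitutor.createInterpolator(), which picks up whatever default lookups the installed version ships with, the template is resolved through a substitutor built from an explicit allowlist of lookups (here a single map), so the “script”, “dns” and “url” interpolators are never reachable regardless of library version. The class name, the template, the map of values and the helper containsPrefixedPlaceholder are all constructed for this example.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (constructed): interpolate a template using only an explicit
 * allowlist of lookups, so that none of the default prefixed lookups that
 * Commons Text 1.5 to 1.9 enabled (script, dns, url) can be triggered by input.
 */
public final class RestrictedInterpolation {

    /** Builds a substitutor that resolves ${key} only from the given map. */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> allowedValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        // The only source of values: a map the application controls.
        StringLookup mapLookup = factory.mapStringLookup(allowedValues);
        // No prefixed lookups are registered (empty map), and addDefaultLookups=false
        // keeps the library's own default set, whatever the version, out of play.
        StringLookup interpolator = factory.interpolatorStringLookup(Map.of(), mapLookup, false);
        return new StringSubstitutor(interpolator);
    }

    /**
     * Returns true if the text contains a prefixed placeholder such as ${prefix:...}.
     * Constructed check: a defender can use it to log or reject such input before it
     * is ever handed to an interpolating substitutor.
     */
    static boolean containsPrefixedPlaceholder(String text) {
        return text.matches("(?s).*\\$\\{[^}]*:[^}]*\\}.*");
    }

    public static void main(String[] args) {
        // Constructed sample values and template.
        Map<String, String> values = Map.of("customer", "Alice", "order", "A-1001");
        String template = "Hello ${customer}, order ${order} is confirmed. ${dns:address|example.com}";

        // Only the two allowlisted keys are replaced; the prefixed placeholder is
        // left in the output verbatim because no "dns" lookup is registered.
        String rendered = restrictedSubstitutor(values).replace(template);
        System.out.println(rendered);

        // Flag the input that contained a prefixed placeholder for review.
        System.out.println("prefixed placeholder present: " + containsPrefixedPlaceholder(template));
    }
}
```

The allowlist approach protects code that cannot be upgraded immediately; it is not a substitute for moving to 1.10.0, where the script, dns and url lookups are no longer part of the defaults and are only re-enabled if the system property org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups is set to include them. Either way, untrusted text should be checked before it reaches any interpolating substitutor, as the sanitisation advice above says.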

Thermal cameras could help reveal your password

Thermal imaging cameras detect heat energy, a helpful tool for engineers when hunting for thermal insulation gaps in buildings. But did you know that such devices can now aid in password theft?

Because these devices are sold a lot cheaper than they used to, pretty much anyone can get their hands on them. And anyone with a thermal imaging device could be a potential password thief.

Researchers from the University of Glasgow’s School of Computing Sciences have developed a system, ThermoSecure, in order to demonstrate how these thermal imaging cameras can be used for “thermal attacks.”

In their paper, ThermoSecure: Investigating the effectiveness of AI-driven thermal attacks on commonly used computer keyboards, Dr. Mohamed Khamis, who led the development of ThermoSecure, Dr. John Williamson, and Norah Alotaibi, the authoring team, said: “Thermal cameras, unlike regular cameras, can reveal information without requiring the attacker to interact with the targeted victim, be present during the authentication attempt, or plant any tool that can be linked to the attacker which could potentially exposing [sic] them. Such information includes heat residues left by the user during authentication, which can be retrieved using thermal cameras.”

“Having acquired a thermal image of a keyboard or touchscreen after authentication, the attacker can then analyze the heat map and exploit it to uncover the entire password or pattern.”

Bright areas in a thermal image are heat imprints, indicating these were recently touched. While these are enough for the AI to determine someone’s password, two factors affect its accuracy level: (1) the password length and (2) heat trace age, or the time after authentication.

ThermoSecure perfectly guessed all 6-character passwords in the test, and successfully revealed 12-character passwords with 82% accuracy and 16-character passwords with 67% accuracy. 

As for heat trace age, on average, ThermoSecure successfully revealed passwords with 86 percent, 76 percent, and 62 percent accuracy when the image was taken 20 seconds, 30 seconds, and 60 seconds after authentication, respectively. The longer the heat trace age, the less accurate the AI was in guessing passwords.

“It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers,” said Dr. Khamis in an interview with ZDNet.

He also advised how you can protect yourself from thermal attacks: Use strong passwords and, if possible, use biometric verification for added protection.

“Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.”

Fake tractor fraudsters plague online transactions

The agriculture sector has been under fire from digital attacks for some time now. The primary problem so far has been ransomware, and law enforcement recently warned that malware authors may be gearing up to time their attacks in this sector for maximum damage. The FBI highlighted that attacks occurred throughout both 2021 and 2022, including outbreaks of ransomware at multi-state grain companies. Conti, Suncrypt, BlackByte, and more also put in appearances at several grain cooperatives.

And now another issue for the agriculture sector: Sophisticated scams involving fake tractors and sale portals have cost certain businesses $1.2 million in the space of a month. Worryingly, the Australian Competition and Consumer Commission claims this is an increase of 20% versus the same period of time a year earlier.

From fake ad to fake tractor

As with so many internet scams, it begins with fake online adverts. These take the form of both fake websites and bogus ads placed on genuine advertising platforms. This Age article highlights some of the techniques used to reinforce the legitimacy of the ads, which include:

  • Mock sale contracts. Fake documentation and identification is often the stomping ground for 419 and social engineering scams, so it makes sense it would put in an appearance here.
  • Listing ABNs on bogus websites. This is a way of making things look legitimate. An ABN entry is how you confirm a business is genuine, or at least exists. A valid record will display as active, next to the business name, type, and location. You can also click through and see additional data regarding trading names, active status, goods and services, and more. Scammers are likely including genuine business names in their ads without the actual owner knowing about it. This is going to cause reputational damage down the line.
  • Free trials after deposits are made. Making an offer sound better than it really is works where most scams are concerned. As the article notes, excuses will be made as to why in-person inspections can’t be arranged and any upfront payment should be treated with suspicion.

Don’t trade in your cash for a non-existent model

While these attacks are being flagged in Australia, the reality is that this kind of thing can happen anywhere. If you’re involved in agriculture, here are some of the ways you can avoid this from happening to you:

  • Inspect your purchase via video call or in person. If this isn’t possible, ask why.

  • Don’t pay anything upfront, especially if the seller claims it’s being done through an “escrow” service of some kind. Most likely it’s just something being operated by the scammer. It’s worth noting that they’re typically asking for 10-20% deposits, which could be a lot of money considering tractors are involved.

  • If the machinery you’re buying is below the market price in a way which makes you think it’s too good to be true, then it probably is.

  • Check with businesses supposedly close to the seller’s location and see if any of them know about the individual or business wanting to sell you something.

  • Countries often have a list or business register similar to Australia’s ABN. The UK has Companies House, where you can see businesses registered for tax purposes. There are several routes to go down if you’re in the US. None of this is a guarantee of legitimacy with regard to the entity you’re dealing with. It’s possible they may be misusing the name of a genuine business, so use publicly available information to contact that business directly and see if everything is on the level.

Stay safe out there!

Criminal group busted after stealing hundreds of keyless cars

Europol has disclosed an international operation in which 31 suspects were arrested, 22 locations were searched, and over one million Euros in criminal assets were seized. The organized criminal gang specialized in stealing French keyless cars.

Among the arrested were the software developers that created so-called automotive diagnostic solutions which allowed the criminals to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob. Others include the software resellers and the actual car thieves who used the tool to steal vehicles.

The arrests were made by French, Latvian, and Spanish law enforcement agencies with the assistance of Europol. Europol said it’s supported the investigation since March 2022 by providing extensive analysis and the dissemination of intelligence packages to each of the affected countries.

Suspects

The fraudulent software duplicated the vehicles’ ignition keys in order to aid in the theft of the car. Marketed as an automotive diagnostic solution, the tool was able to replace the original software of the targeted vehicles without respecting the protocol and without the original key.

Details about the method the car thieves used are sparse (for understandable reasons), but what we could gather is that the developers ran a website—on a domain that has been seized—where they sold a package that included a tablet, connectors, and software. The software was constantly adapted and updated to counteract the measures implemented by companies to reinforce the security of their vehicles.

Stealing keyless cars

Europol said the gang focused on cars from two unnamed French car manufacturers, which probably means the developers found a vulnerability in the car’s firmware that allowed them to replace the original software.

Vulnerabilities in the keyless entry systems have been found in the firmware of other car manufacturers. To thwart intercepting and replaying authentication codes, many modern cars rely on a rolling codes mechanism. This method was introduced to prevent replay attacks by providing a new code for each authentication of a remote keyless entry. But this method is not available for all brands and models, and some brands were found to be using predictable codes.

The Europol and Eurojust statements both say that the tools provided by the developers enabled criminals to replace the original software of the targeted vehicles. This indicates a very different methodology from intercepting and replaying authentication codes.

Mitigation

Now that law enforcement has found and disabled the source of the software it shouldn’t take too long to find out which method was used, and the car manufacturers should be able to make the necessary adjustments.

Updating your car’s firmware is usually not an easy job or one we recommend doing yourself. We would recommend checking with your local dealer whether one is available and needed. It usually requires a special device to be hooked up to a port hidden under your dashboard. Your dealer will have such a device and knows where to find the port.

Warning: “FaceStealer” iOS and Android apps steal your Facebook login

Earlier this month, security researchers from Meta found 400 malicious Android and iOS apps designed to steal user Facebook login credentials.

Such mobile malware, which Malwarebytes detects typically as Android/Trojan.Spy.Facestealer, usually arrives as an app disguised as a useful or entertaining tool. But before the app can be fully used, it asks users to login to their accounts, at which point their usernames and passwords are sent to the fraudsters.

Stolen credentials can be used to compromise Facebook accounts. From there, the criminals can harvest more data about the original account owner, message friends or family members and scam them, or use these accounts to promote the FaceStealer app (among other things).

Meta gave a short description of the kinds of FaceStealer apps found on both the Google Play Store and the Apple App Store:

  • Photo editors, including those that claim to allow you to “turn yourself into a cartoon”
  • VPNs claiming to boost browsing speed or grant access to blocked content or websites
  • Phone utilities such as flashlight apps that claim to brighten your phone’s flashlight
  • Mobile games falsely promising high-quality 3D graphics
  • Health and lifestyle apps such as horoscopes and fitness trackers
  • Business and ad management apps claiming to provide hidden or unauthorized features not found in official apps by tech platforms.

If the apps appear to have positive reviews, that’s because the developers are thought to be creating five-star reviews to bury the negative ones. This is a known social engineering tactic to entice users further to try an app.

FaceStealer has been around for a while. The apps disappear after making headlines, and then FaceStealer pops up again as a different app. And while some apps are reported or actively detected, many evade detection and end up on legitimate app stores.

“The industry, in general, has not been great at detecting these, and everyone is playing catch-up,” said Nathan Collier, Malwarebytes Senior Malware Intelligence Analyst for Android.

Meta said it is alerting Facebook users who may have inadvertently “self-compromised” themselves by using their Facebook credentials to use the malicious apps.

If you think you’ve entered your Facebook credentials into a dodgy app, change your password immediately. Don’t reuse passwords you use on other accounts, and make sure you enable two-factor authentication (2FA) on your Facebook account. You can also let Facebook alert you of attempted log-ins to your account.

Finally, report all suspicious apps using Meta’s Data Abuse Bounty program.

How to spot a scam

Unfortunately, scams are a fact of life online. The virtual ties that bind us are international now: Our public telephone numbers, social media accounts, email addresses, messaging apps, dating profiles, and even our physical mailboxes, can all be reached by any criminal and con artist from anywhere in the world.

And test us they do, with everything from the preposterous offers of “Nigerian princes” to the slow boiling intimacy of long-term, long-distance romances.

There is a lot of good advice around (and plenty of it on this website) to help you understand which scams are popular right now, how they work, and how to spot them.

Though undoubtedly useful, the advice is often specific to a single campaign or type of scam: Watch out for fake DHL emails; Beware of SMS messages from the Royal Mail; Don’t open invoices from unknown senders; Check the spelling and links in emails; Reverse image search too-good-to-be-true dating profile pics, and so on.

Being specific, the advice is narrow. SMS scams are not the same as email scams, and neither has much in common with a romance scam. There is a lot to remember.

So today I’m going to offer you something different. I want to give you the most general advice I can—a template that can be applied to almost any scam, over any media, on any time scale, whether it’s a new scam or something tried and tested.

It doesn’t make the other advice redundant, it’s just another way to look at things.

The advice comes from perhaps the most famous conman in the world, Frank Abagnale, whose alleged exploits were made famous by Leonardo DiCaprio in the movie “Catch me if you can”. Abagnale’s account of his own backstory is either true, partially true, or a total fabrication, depending on who you ask. What isn’t in doubt is that he knows a thing or two about lying to get what he wants.

In 2019 he gave an interview to CNBC in which he gives perhaps the best generalised advice about scams I’ve ever heard, and which I will repeat here.

In every scam, no matter how sophisticated or how amateur, there are two red flags.

These are Abagnale’s red flags:

An urgent need for money

The end goal of all scams is to enrich the scammer. And that often involves a direct transfer of money, whether it’s entering credit card details into a fake website or wiring tens of thousands of dollars to a stranded lover.

The demand for money is almost always urgent. Scammers know that their requests don’t stack up, so they want you to rush, and they don’t want you to involve other people.

In a romance scam where the criminal hopes to make the victim fall in love with them, the scammer may take their time to begin. However, when the demand for money comes, it is likely to be urgent.

On a recent Lock and Code podcast, Cindy Liebes, Chief Cybersecurity Evangelist for the Cybercrime Support Network, spelled out just how patient these scammers can be:

“It can take months, it can take years, but invariably they will seek to get money.”

In other situations, such as business email compromise (BEC) scams, the urgency is immediate.

In a BEC scam an attacker spoofs the email account of a senior employee, such as a CEO, and tries to get a more junior employee to send them some of the company’s money.

Requests often come with a deadline and a demand for secrecy. The “CEO” concocts a story with one or more emails, messages or phone calls about needing help with an urgent, confidential deal. The scammer wants to isolate the employee from the company’s checks and balances, and their own common sense.

Underpinning it all is Abagnale’s first red flag: An urgent need for money.

Sometimes victims aren’t told to act urgently, they just want to. A few months ago we covered an Instagram scam in which victims thought they’d stumbled upon a website where they could see naked pictures of an attractive friend.

Instagram scam

The urgency here came from the viewer’s desire to act on a sexual impulse, and is reinforced by language like “LIMITED SLOTS ONLY, DON’T MISS OUT” and “What are you waiting for?”

The small print even explained the scam in plain terms—victims were being signed up for a premium rate subscription service—but the scammers were betting that victims would be in too much of a hurry to read it.

Asking for personal information

Abagnale’s second red flag is being asked for personal information. Personal information helps the scammer pretend to be you.

Sometimes it’s as simple as stealing your username and password with a fake website, so they can log in as you on the real website.

But it can also be very subtle. In his book The Art of Deception, infamous social engineer Kevin Mitnick describes how he would sometimes make several phone calls to build up the information he needed for a scam.

Each call would capture small details that improved his credibility for the next one. For example, one of Mitnick’s most famous crimes is stealing the source code for a popular Motorola phone in the early 1990s, an attack he described to Vice in 2019.

The attack began with a call to the main Motorola reception, which sent him back-and-forth on several more calls in which he learned the phone number of the VP of Motorola mobility, and that the company had a research centre in Arlington Heights.

This information allowed him to call the VP and credibly introduce himself as “Rick, over in Arlington Heights”, which was enough to convince them to give him the name and phone number of the phone’s project manager.

Mitnick then called the project manager and learned from her voicemail that she was on holiday, and who to contact while she was away. He called the project manager’s stand-in and convinced her that the project manager had not fulfilled a promise to send him the source code before she left on holiday.

Most of the conversations did not ask for enough sensitive information to alert the people he was talking to, but every one of them contained a request for something personal or privileged. Of course, when he finally asked for the source code, he was making a request for hugely privileged information, but he was able to create a plausible enough persona to pull it off.

In fact, the last victim was so convinced of “Rick”’s authenticity that she persuaded a security manager to hand over a username and password for the company’s proxy server, on his behalf.

Thankfully, most of us aren’t faced with a hacker as skilled as Mitnick, and few of us would be able to stop him if we were. Most cons are simpler, more direct versions of the same basic idea.

And that brings me to my final point.

Many scammers are professional criminals and scams are common because they work. It makes sense to prepare yourself as thoroughly as you can to spot them, but we all fall short sometimes. There is no shame in falling for a scam, and it isn’t your fault if you do.

A week in security (October 10 – 16)

Last week on Malwarebytes Labs:

Stay safe!

Android and iOS leak some data outside VPNs

Virtual Private Networks (VPNs) on Android and iOS are in the news. It’s been discovered that in certain circumstances, some of your traffic is leaked so it ends up outside of the safety cordon created by the VPN.

Mullvad, the discoverers of this Android “feature” say that it has the potential to cause someone to be de-anonymised (but only in rare cases as it requires a fair amount of skill on behalf of the snooper). At least one Google engineer claims that this isn’t a major concern, is intended functionality, and will continue as is for the time being.

MUL22-03

The Android discovery, currently named MUL22-03, is not the VPN’s fault. The transmission of data outside of the VPN is something which happens quite deliberately, to all brands of VPN, and not as the result of some sort of terrible hack or exploit. Although the full audit report has not yet been released, the information available so far may be worrying for some. According to the report, Android sends “connectivity checks” (traffic that determines if a connection has been made successfully) outside of whichever VPN tunnel you happen to have in place.

Perhaps confusingly, this also occurs whether or not you have “Block connections without VPN” or even “Always on VPN” switched on, which is supposed to do what you’d expect given the name. It’s quite reasonable to assume a setting which says one thing will not in fact do the opposite of that thing, so what is going on here?

The leakage arises as a result of certain special edge case scenarios, in which case Android will override the various “Do not do this without a VPN” settings. This would happen, for example, with something like a captive portal. A captive portal is something you typically access when joining a network—something like a hotspot sign-in page stored on a gateway.

Why? Because VPNs run on top of whatever Internet-connected network you are on, so you have to join a network before you can establish your VPN connection. Anything that happens before you establish your VPN connection can’t be protected by it.

As per Bleeping Computer, this leakage can include DNS lookups, HTTPS traffic, IP addresses and (perhaps) NTP traffic (Network Time Protocol, a protocol for synchronising net-connected clocks).

Mullvad VPN first reported this as a documentation issue, and then asked for a way to “…disable connectivity checks while ‘Block connections without VPN’ (from now on lockdown) is enabled for a VPN app.”

Google’s response, via its issue tracker, was “We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”

According to Google, disabling connectivity checks is a non-starter for four reasons: VPNs might actually be relying on them; “split channel” traffic that doesn’t ever use the VPN might be relying on them; it isn’t just connectivity checks that bypass the VPN anyway; and the data revealed by the connectivity checks is available elsewhere.

The rest is a back and forth debate on the pros and cons of this stance, which is still ongoing. At this point, Google is not budging.

iOS has entered the chat

It seems this isn’t something only confined to Android. There are similar things happening on iOS 16, with multiple Apple services claimed to be leaking outside of the VPN tunnel including maps, health, and wallet.

According to Mysk, the traffic being sent to Apple isn’t insecure, it’s just going against what users expect.

All of the traffic that appeared in the video is either encrypted or double encrypted. The issue here is about wrong assumptions. The user assumes that when the VPN is on, ALL traffic is tunneled through the VPN. But iOS doesn’t tunnel everything. Android doesn’t either.

They suggest that one way forward to stop this from happening would be to treat VPN apps as browsers and “require a special approval and entitlement from Apple”.

There probably won’t be much movement on this issue until the release of the full report on MUL22-03, but for now the opinion from those involved in testing seems to be that the risk is small.