IT

GPS Interference Caused the FAA To Reroute Texas Air Traffic (arstechnica.com) 32

The Federal Aviation Administration is investigating the cause of mysterious GPS interference that, over the past few days, has closed one runway at the Dallas-Fort Worth International Airport and prompted some aircraft in the region to be rerouted to areas where signals were working properly. From a report: The interference first came to light on Monday afternoon when the FAA issued an advisory over ATIS (Automatic Terminal Information Service). It warned flight personnel and air traffic controllers of GPS interference over a 40-mile swath of airspace near the Dallas-Fort Worth airport. The advisory read in part: "ATTN ALL AIRCRAFT. GPS REPORTED UNRELIABLE WITHIN 40 NM OF DFW." An advisory issued around the same time by the Air Traffic Control System Command Center, meanwhile, reported the region was "experiencing GPS anomalies that are dramatically impacting" flights in and out of Dallas-Fort Worth and neighboring airports. It went on to say that some of the airports were relying on the use of navigation systems that predated GPS.
Microsoft

Microsoft Disputing Just How Big Its Customer Data Leak Was (protocol.com) 5

Microsoft says that an unspecified amount of customer data, including contact info and email content, was recently left exposed to potential access over the internet as a result of a server configuration error. From a report: Cybersecurity vendor SOCRadar, which reported the data leak to Microsoft, said in a blog post that data belonging to more than 65,000 companies was affected. Microsoft, however, said in its own post that SOCRadar "has greatly exaggerated the scope of this issue." Microsoft didn't disclose specifics around the number of companies whose data may have been exposed in the leak or the amount of data involved. The server misconfiguration was reported on Sept. 24, and the impacted server was "quickly secured" after that, according to Microsoft. Due to the configuration error, there was a potential that certain "business transaction data" could have been accessed without a need for authentication, Microsoft said. The data corresponds to "interactions between Microsoft and prospective customers," including around the planning and implementation of Microsoft services, the company said in its post.
IT

Pixel Watch Teardown Shows Off 'Ugly' Insides, Gives Strong First-Gen Vibes (arstechnica.com) 27

What secrets does the inside of the Pixel Watch hold? iFixit -- Google's new repair partner -- tore down Google's first self-branded smartwatch to see exactly how this thing was put together. From a report: Like us, iFixit came away with strong "first generation" vibes. The good news is that it does not look impossible to replace the display. The usual bit of heat and prying pops the top off, but the less-than-ideal layout means you'll have to remove the battery, too, since the connector is buried under the soft battery pouch. A display replacement is a real concern here, considering the entire top half of the watch is glass. If you bang the watch against something or drop it, there's a good chance you'll shatter the all-glass corners. [...] iFixit took a good amount of time in the four-minute video to call Google's internal construction "ugly." After cracking open the front, iFixit's Sam Goldheart noted, "Right away, it's obvious we're in Android country. The silver battery pouch and Kapton tape are almost a shock after all our Apple teardowns," later adding that the welds holding together the haptic feedback buzzer were "kind of ugly."
IT

USB-C Can Hit 120Gbps With Newly Published USB4 Version 2.0 Spec (arstechnica.com) 69

An anonymous reader shares a report: We've said it before, and we'll say it again: USB-C is confusing. A USB-C port or cable can support a range of speeds, power capabilities, and other features, depending on the specification used. Today, USB-C can support various data transfer rates, from 0.48Gbps (USB 2.0) all the way to 40Gbps (USB4, Thunderbolt 3, and Thunderbolt 4). Things are only about to intensify, as today the USB Implementers Forum (USB-IF) published the USB4 Version 2.0 spec. It adds optional support for 80Gbps bidirectional bandwidth as well as the optional ability to send or receive data at up to 120Gbps.

The USB-IF first gave us word of USB4 Version 2.0 in September, saying it would support a data transfer rate of up to 80Gbps in either direction (40Gbps per lane, four lanes total), thanks to a new physical layer architecture (PHY) based on PAM-3 signal encoding. For what it's worth, Intel also demoed Thunderbolt at 80Gbps but hasn't released an official spec yet. USB4 Version 2.0 offers a nice potential bump over the original USB4 spec, which introduced optional support for 40Gbps operation. You just have to be sure to check the spec sheets to know what sort of performance you're getting. Once USB4 Version 2.0 products come out, you'll be able to hit 80Gbps with USB-C passive cables that currently operate at 40Gbps, but you'll have to buy a new cable if you want a longer, active 80Gbps cable.

Security

Germany Fires Cybersecurity Chief 'Over Russia Ties' (bbc.com) 28

Germany's cybersecurity chief has been fired after allegations of being excessively close to Russia through an association he helped set up. The BBC reports: Arne Schönbohm had led the Federal Cyber Security Authority (BSI) -- charged with protecting government communications -- since 2016. German media have accused him of having had links with people involved with Russian intelligence services. The interior ministry is investigating allegations made against him. But it confirmed he had been fired with immediate effect.

Mr Schönbohm had come under scrutiny after his potential links to a Russian company through a previous role were highlighted by Jan Böhmermann, the host of one of Germany's most popular late-night TV shows. Before leading the BSI, Mr Schönbohm had helped set up and run the Cyber Security Council Germany, a private association which advises business and policymakers on cybersecurity issues. He is said to have maintained close ties to the association and attended their 10th anniversary celebrations in September. One of the association's members was a cybersecurity company called Protelion, which was a subsidiary of a Russian firm reportedly established by a former member of the KGB honored by President Vladimir Putin. Protelion was ejected from the association last weekend, and Cyber Security Council Germany says the allegations of links to Russian intelligence are untrue.

IT

DuckDuckGo's Privacy-Focused Mac Browser is Now Available for Public Beta Testing (theverge.com) 13

DuckDuckGo is rolling out its web browsing app for Mac users as an open beta test. Designed for privacy, the app was announced back in April as a closed beta, but is now available for all Mac users to try before its official public launch. From a report: The desktop browser includes the same built-in protections we've seen already featured in DuckDuckGo's mobile apps, combining DuckDuckGo's search engine, defenses against third-party tracking, cookie pop-up protection, and its popular one-click data clearing 'Fire Button.' Some additional features have been added to the browser (version 0.30) since its original announcement.

Now users can try Duck Player, a feature that protects users from targeted ads and cookies while watching YouTube content. Ads viewed within the Duck Player will not be personalized, which DuckDuckGo claims actually removed most YouTube ads as a result during testing. YouTube will still register your views, but content watched through Duck Player won't contribute to your YouTube advertising profile. Pinned tabs and a new bookmarks bar have been included to address feedback from early beta testing, as well as a way to view your locally stored browsing history. DuckDuckGo's Cookie Consent Pop-Up Manager is also available which works on about 50 percent of sites (with more to come) to automatically choose the most private option and spare users from the annoying pop-up messages. The app also lets you activate DuckDuckGo Email Protection on the desktop to better protect your inbox with email tracker blocking.

Security

Over 45,000 VMware ESXi Servers Just Reached End-of-Life (bleepingcomputer.com) 57

An anonymous reader quotes a report from BleepingComputer: Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract. Lansweeper develops asset management and discovery software that allows customers to track what hardware and software they are running on their network. As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.

The company analyzed data from 6,000 customers and found 79,000 installed VMware ESXi servers. Of those servers, 36.5% (28,835) run version 6.7.0, released in April 2018, and 21.3% (16,830) are on version 6.5.0, released in November 2016. In total, there are 45,654 VMware ESXi servers reaching End of Life as of today. The findings of Lansweeper are alarming because apart from the 57% that enter a period of elevated risk, there are also another 15.8% of installations that run even older versions, ranging from 3.5.0 to 5.5.0, which reached EOL quite some time ago.

In summary, right now, only about one out of four ESXi servers (26.4%) inventoried by Lansweeper are still supported and will continue to receive regular security updates until April 02, 2025. However, in reality, the number of VMware servers reaching EOL today is likely far greater, as this report is based only on Lansweeper's customers. The technical guidance for ESXi 6.5 and 6.7 will carry on until November 15, 2023, but this concerns implementation issues, not including security risk mitigation. The only way to ensure you can continue to use older versions securely is to apply for the two-year extended support, which needs to be purchased separately. However, this does not include updates for third-party software packages. For more details about EOL dates on all VMware software products, check out this webpage.
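The practical follow-up to a report like this is to run your own inventory through the same lifecycle table and get a list of hosts that no longer receive security patches. The Go program below is an added example, not Lansweeper's or VMware's code. Its hostnames and versions are constructed; the dates in its table are the ones the report above cites (general support for 6.5 and 6.7 ending 2022-10-15 with technical guidance to 2023-11-15, and the still-supported release, assumed here to be 7.0, supported to 2025-04-02), and the 3.5 through 5.5 releases are marked end-of-life without a date because the report gives none. Treat every date as something to verify against VMware's lifecycle page before acting on the output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// lifecycle holds the support dates for one ESXi major.minor release.
// A zero endGeneralSupport means the report gives no date but the release
// is already past end of life. All dates are taken from the report above
// and should be checked against VMware's own lifecycle page.
type lifecycle struct {
	endGeneralSupport time.Time
	endTechGuidance   time.Time
}

func d(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

var lifecycles = map[string]lifecycle{
	"3.5": {}, "4.0": {}, "4.1": {}, "5.0": {}, "5.1": {}, "5.5": {},
	"6.5": {endGeneralSupport: d("2022-10-15"), endTechGuidance: d("2023-11-15")},
	"6.7": {endGeneralSupport: d("2022-10-15"), endTechGuidance: d("2023-11-15")},
	"7.0": {endGeneralSupport: d("2025-04-02")}, // assumed to be the "supported" 26.4%
}

type Status string

const (
	Supported Status = "supported"
	EOL       Status = "eol-no-security-updates"
	Unknown   Status = "unknown-version"
)

// majorMinor reduces "6.7.0" or "6.7.0 build-12345" to "6.7".
func majorMinor(v string) string {
	f := strings.Fields(v)
	if len(f) == 0 {
		return ""
	}
	parts := strings.SplitN(f[0], ".", 3)
	if len(parts) < 2 {
		return ""
	}
	return parts[0] + "." + parts[1]
}

// Classify says whether a host on this version still gets security patches on asOf.
func Classify(version string, asOf time.Time) Status {
	lc, ok := lifecycles[majorMinor(version)]
	if !ok {
		return Unknown
	}
	if lc.endGeneralSupport.IsZero() || !asOf.Before(lc.endGeneralSupport) {
		return EOL
	}
	return Supported
}

// Describe gives a one-line explanation suitable for a remediation ticket.
func Describe(version string, asOf time.Time) string {
	lc, ok := lifecycles[majorMinor(version)]
	switch {
	case !ok:
		return version + ": not in lifecycle table, check VMware's EOL page"
	case Classify(version, asOf) == Supported:
		return version + ": security updates until " + lc.endGeneralSupport.Format("2006-01-02")
	case lc.endGeneralSupport.IsZero():
		return version + ": end of life (no date in report), no security updates"
	}
	s := version + ": end of general support " + lc.endGeneralSupport.Format("2006-01-02") + ", no security updates"
	if !lc.endTechGuidance.IsZero() {
		s += ", technical guidance only until " + lc.endTechGuidance.Format("2006-01-02")
	}
	return s
}

// Summarize takes "host,version" inventory lines and counts hosts per status.
func Summarize(inventory []string, asOf time.Time) map[Status]int {
	counts := map[Status]int{}
	for _, line := range inventory {
		parts := strings.SplitN(line, ",", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" {
			continue // malformed line, skip rather than miscount
		}
		counts[Classify(strings.TrimSpace(parts[1]), asOf)]++
	}
	return counts
}

func main() {
	// Constructed inventory: hostnames and versions are made up for the example.
	inv := []string{"esx-01,6.7.0", "esx-02,6.7.0", "esx-03,6.5.0", "esx-04,7.0.3", "esx-05,5.5.0", "esx-06,8.0.0"}
	asOf := d("2022-10-17")
	for _, line := range inv {
		fmt.Println(Describe(strings.SplitN(line, ",", 2)[1], asOf))
	}
	counts := Summarize(inv, asOf)
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, string(k))
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-26s %d\n", k, counts[Status(k)])
	}
}
```

Feed it the CSV export from whatever asset tool you run; anything not in the table lands in the unknown bucket rather than being silently counted as supported, which is the failure mode to avoid in an EOL sweep.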

Security

Former WSJ Reporter Says Law Firm Used Indian Hackers To Sabotage His Career (reuters.com) 25

An anonymous reader quotes a report from Reuters: A former Wall Street Journal reporter is accusing a major U.S. law firm of having used mercenary hackers to oust him from his job and ruin his reputation. In a lawsuit filed late Friday, Jay Solomon, the Journal's former chief foreign correspondent, said Philadelphia-based Dechert LLP worked with hackers from India to steal emails between him and one of his key sources, Iranian American aviation executive Farhad Azima. Solomon said the messages, which showed Azima floating the idea of the two of them going into business together, were put into a dossier and circulated in a successful effort to get him fired.

The lawsuit, filed in federal court in Washington, said Dechert "wrongfully disclosed this dossier first to Mr. Solomon's employer, the Wall Street Journal, at its Washington DC bureau, and then to other media outlets in an attempt to malign and discredit him." It said the campaign "effectively caused Mr. Solomon to be blackballed by the journalistic and publishing community." Dechert said in an email that it disputed the claim and would fight it in court.
The lawsuit is the latest in a series of legal actions related to hired hackers operating out of India, notes Reuters. "In June, Reuters reported on the activities of several hack-for-hire shops, including Delhi-area companies BellTroX and CyberRoot, that were involved in a decade-long series of espionage campaigns targeting thousands of people, including more than 1,000 lawyers at 108 different law firms."

Solomon said in a statement Saturday that the hack-and-leak he suffered was an example of "a trend that's becoming a great threat to journalism and media, as digital surveillance and hacking technologies become more sophisticated and pervasive. This is a major threat to the freedom of the press."
Technology

In Praise of FFmpeg (drewdevault.com) 81

Drew DeVault, prolific FOSS blogger and hacker behind SourceHut, Sway, wlroots, and many other projects, writes in a blog post: I have relied on ffmpeg for many tasks and for many years. It has always been there to handle any little multimedia-related task I might put it to for personal use -- re-encoding audio files so they fit on my phone, taking clips from videos to share, muxing fonts into mkv files, capturing video from my webcam, live streaming hacking sessions on my own platform, or anything else I can imagine. It formed the foundation of MediaCrush back in the day, where we used it to optimize multimedia files for efficient viewing on the web, back when that was more difficult than "just transcode it to a webm."

ffmpeg is notable for being one of the first large-scale FOSS projects to completely eradicate proprietary software in its niche. Virtually all multimedia-related companies rely on ffmpeg to do their heavy lifting. It took a complex problem and solved it, with free software. The book is now closed on multimedia: ffmpeg is the solution to almost all of your problems. And if it's not, you're more likely to patch ffmpeg than to develop something new. The code is accessible and the community are experts in your problem domain.

ffmpeg is one of the foremost pillars of achievement in free software. It has touched the lives of every reader, whether they know it or not. If you've ever watched TV, or gone to a movie, or watched videos online, or listened to a podcast, odds are that ffmpeg was involved in making it possible. It is one of the most well-executed and important software projects of all time.

Security

Visa, Mastercard Draw New Government Scrutiny Over Debit-Card Routing (wsj.com) 7

The Federal Trade Commission is investigating whether Visa and Mastercard's security tokens restrict debit-card routing competition on online payments, WSJ reported Monday, citing people familiar with the matter. From the report: The FTC for the past few years has already been probing whether Visa and Mastercard block merchants from routing payments over other debit-card networks. The networks acknowledged an FTC probe in regulatory filings in recent years. In recent months, the FTC expanded its focus to routing challenges that stem from the networks' security tokens, the people familiar with the matter said. It isn't clear if the investigation is a new probe or part of the previous one.

Visa and Mastercard are by far the two biggest card networks in the U.S., building and maintaining the plumbing that allows Americans to use credit and debit cards at stores and online. Their lion's share of that market has drawn increasing scrutiny from regulators and fueled tension with merchants, which pay fees set by the networks when a customer pays via card. A Justice Department investigation on whether Visa has unlawfully maintained a dominant market share in debit cards is ongoing, according to people familiar with the matter. Federal law requires that merchants have the ability to choose from at least two unaffiliated debit-card networks to route transactions. That is supposed to give merchants the option to send debit-card payments over the network that sets lower fees. In most cases, when a person stores a card in a digital wallet such as Apple Pay, the 16-digit card number gets replaced by a "security token" -- essentially a line of random numbers. The token is typically provided by the network listed on the card -- often Visa or Mastercard.

Encryption

Mark Zuckerberg Says WhatsApp 'Far More Private and Secure' than iMessage (facebook.com) 92

Mark Zuckerberg, writing in a Facebook post: WhatsApp is far more private and secure than iMessage, with end-to-end encryption that works across both iPhones and Android, including group chats. With WhatsApp you can also set all new chats to disappear with the tap of a button. And last year we introduced end-to-end encrypted backups too. All of which iMessage still doesn't have.
EU

Europe Plans to Launch a Quantum Encryption Satellite for Ultrasecure Communications in 2024 (space.com) 32

"Europe is aiming to launch a technology demonstration satellite for secure, quantum-encrypted communications in 2024," reports Space.com, "with a view to developing a larger constellation." The satellite, Eagle-1, will be the first space-based quantum key distribution (QKD) system for the European Union and could lead to an ultrasecure communications network for Europe, according to a statement from the European Space Agency (ESA).

Eagle-1 will spend three years in orbit testing the technologies needed for a new generation of secure communications. The satellite will demonstrate the "feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system," according to ESA...

"European security and sovereignty in a future world of quantum computing is critical to the success of Europe and its Member States," Steve Collar, CEO of SES, said in the statement. He added that the goal is "to advance quantum communications and develop the Eagle-1 system to support secure and sovereign European networks of the future."

SES will be leading a consortium of more than 20 European countries, according to the ESA's statement: Eagle-1 will demonstrate the feasibility of quantum key distribution technology — which uses the principles of quantum mechanics to distribute encryption keys in such a way that any attempt to eavesdrop is immediately detected — within the EU using a satellite-based system. To do so, the system will build on key technologies developed under ESA's Scylight programme, with the aim of validating vital components supplied within the EU....

It will allow the EU to prepare for a sovereign, autonomous cross-border quantum secure communications network.

The system will initially use an upgraded optical ground terminal from the German Aerospace Centre (DLR) alongside a new optical ground terminal to be developed by a team from the Netherlands. The Eagle-1 platform satellite from Italian company Sitael will carry a quantum-key payload built by Tesat Spacecom of Germany and will be operated by Luxembourg-headquartered SES.
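ESA's one-line description of QKD, that any eavesdropping attempt is detected, is the whole security argument, and it is easy to see in a simulation. The Go program below is an added example and not Eagle-1's protocol or any ESA, SES or Tesat code. It models BB84, a specific QKD scheme that the statement above does not name, with an intercept-resend attacker who measures every photon in a random basis and re-sends it; Alice and Bob keep only the positions where their bases agree, then compare bits to estimate the error rate. A clean channel gives zero sifted-key errors and intercept-resend gives about 25%. The abort threshold of 11% is an assumption for the example (a commonly cited bound for BB84 post-processing), and the whole sifted key is compared here for clarity where a real system would sacrifice a sample of it.

```go
package main

import (
	"fmt"
	"math/rand"
)

// photon is a bit encoded in one of two bases: 0 = rectilinear, 1 = diagonal.
type photon struct{ bit, basis int }

// measure returns the encoded bit when the measurement basis matches the
// preparation basis; a mismatched basis gives a uniformly random outcome
// and the original state is gone.
func measure(p photon, basis int, rng *rand.Rand) int {
	if p.basis == basis {
		return p.bit
	}
	return rng.Intn(2)
}

// Result of one run after sifting (positions where Alice and Bob used the same basis).
type Result struct {
	Sifted int // length of the sifted key
	Errors int // sifted positions where Alice's and Bob's bits disagree
}

// QBER is the quantum bit error rate over the sifted key.
func (r Result) QBER() float64 {
	if r.Sifted == 0 {
		return 0
	}
	return float64(r.Errors) / float64(r.Sifted)
}

// RunBB84 sends n photons from Alice to Bob. With eve=true an intercept-resend
// attacker measures each photon in a random basis and re-sends a fresh photon
// prepared in that basis with her result.
func RunBB84(n int, eve bool, rng *rand.Rand) Result {
	var res Result
	for i := 0; i < n; i++ {
		sent := photon{bit: rng.Intn(2), basis: rng.Intn(2)}
		inFlight := sent
		if eve {
			eb := rng.Intn(2)
			inFlight = photon{bit: measure(sent, eb, rng), basis: eb}
		}
		bobBasis := rng.Intn(2)
		got := measure(inFlight, bobBasis, rng)
		if bobBasis != sent.basis {
			continue // discarded when bases are compared over the public channel
		}
		res.Sifted++
		if got != sent.bit {
			res.Errors++
		}
	}
	return res
}

// EveDetected is the abort check: an error rate above threshold means the
// channel was disturbed and the key must be thrown away.
func EveDetected(r Result, threshold float64) bool {
	return r.QBER() > threshold
}

func main() {
	rng := rand.New(rand.NewSource(1)) // fixed seed so the run is reproducible
	for _, eve := range []bool{false, true} {
		r := RunBB84(10000, eve, rng)
		fmt.Printf("eavesdropper=%-5v sifted=%d errors=%d QBER=%.3f abort=%v\n",
			eve, r.Sifted, r.Errors, r.QBER(), EveDetected(r, 0.11))
	}
}
```

The 25% comes from Eve guessing the wrong basis half the time, after which Bob's matching-basis measurement is a coin flip; a lossy or noisy real link adds its own errors, which is why the deployed systems compare against a threshold rather than against zero.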

Encryption

Microsoft Office 365 Vulnerability Could Allow Sidestepping of Email Encryption (venturebeat.com) 21

"A researcher from cloud and endpoint protection provider WithSecure has discovered an unpatchable flaw in Microsoft Office 365 Message Encryption," reports VentureBeat. "The flaw enables a hacker to infer the contents of encrypted messages." OME uses the electronic codebook (ECB) block cipher, which leaks structural information about the message. This means if an attacker obtains many emails they can infer the contents of the messages by analyzing the location and frequency of patterns in the messages and matching these to other emails. For enterprises, this highlights that just because your emails are encrypted, doesn't mean they're safe from threat actors. If someone steals your email archives or backups, and accesses your email server, they can use this technique to sidestep the encryption.
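ECB is a block-cipher mode rather than a cipher: each 16-byte block is encrypted independently under the same key, so equal plaintext blocks produce equal ciphertext blocks, and an attacker holding many messages can find repeated fields without a key, or locate a block whose plaintext they already know in everyone else's mail. The Go program below is an added example, not WithSecure's research code or anything from Microsoft; it uses AES from the standard library in ECB and, for contrast, CBC. The key, IVs and "mail" contents are constructed, and the fields are padded to exactly one block so the structure is visible block by block; real mail is not this neatly aligned, but the same leak shows up wherever aligned content repeats.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// field pads a label to exactly one block (example convenience, not real mail layout).
func field(s string) []byte {
	if len(s) > blockSize {
		panic("field longer than one block: " + s)
	}
	return append([]byte(s), bytes.Repeat([]byte{' '}, blockSize-len(s))...)
}

// message concatenates block-aligned fields into one plaintext.
func message(fields ...string) []byte {
	var m []byte
	for _, f := range fields {
		m = append(m, field(f)...)
	}
	return m
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// pkcs7 pads to a whole number of blocks (always adds at least one byte).
func pkcs7(p []byte) []byte {
	n := blockSize - len(p)%blockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptECB encrypts every block on its own: the weak construction.
func EncryptECB(key, pt []byte) []byte {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	p := pkcs7(pt)
	ct := make([]byte, len(p))
	for i := 0; i < len(p); i += blockSize {
		b.Encrypt(ct[i:i+blockSize], p[i:i+blockSize])
	}
	return ct
}

// EncryptCBC chains blocks through a per-message IV so equal plaintext
// blocks no longer give equal ciphertext blocks.
func EncryptCBC(key, iv, pt []byte) []byte {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	p := pkcs7(pt)
	ct := make([]byte, len(p))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, p)
	return ct
}

// DuplicateBlocks counts ciphertext blocks that repeat an earlier block.
// Against ECB this needs no key at all.
func DuplicateBlocks(ct []byte) int {
	seen := map[string]int{}
	dups := 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		k := string(ct[i : i+blockSize])
		if seen[k] > 0 {
			dups++
		}
		seen[k]++
	}
	return dups
}

// FindBlock returns the block indexes in ct equal to block: an attacker who
// knows what one of their own blocks encrypts to can find that content in
// every other message under the same key.
func FindBlock(ct, block []byte) []int {
	var idx []int
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		if bytes.Equal(ct[i:i+blockSize], block) {
			idx = append(idx, i/blockSize)
		}
	}
	return idx
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key for the example
	mine := message("From: hr@corp.ex", "Status: APPROVED", "Amount: 1200.00")
	theirs := message("From: hr@corp.ex", "Status: DENIED", "Amount: 950.00")
	e1, e2 := EncryptECB(key, mine), EncryptECB(key, theirs)
	fmt.Println("ECB duplicate blocks across both mails:", DuplicateBlocks(concat(e1, e2)))
	fmt.Println("blocks in the other mail equal to my 'From' block:", FindBlock(e2, e1[:blockSize]))
	c1 := EncryptCBC(key, []byte("iv-for-message-1"), mine)
	c2 := EncryptCBC(key, []byte("iv-for-message-2"), theirs)
	fmt.Println("CBC duplicate blocks across both mails:", DuplicateBlocks(concat(c1, c2)))
}
```

The duplicate count under ECB picks up both the shared header block and the identical padding block, with no key involved; CBC with distinct IVs shows none. Note that CBC is only the contrast for the pattern leak here, not a recommendation: an authenticated mode such as AES-GCM is what new designs should use.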

The discovery comes shortly after researchers discovered hackers were chaining two new zero-day Exchange exploits to target Microsoft Exchange servers.

WithSecure originally shared its discovery of the Office 365 vulnerability with Microsoft in January 2022. Microsoft acknowledged it and paid the researcher through its vulnerability reward program, but hasn't issued a fix.

Apple

Workers at a Second Apple Store Just Voted to Unionize (cnn.com) 51

"Apple workers in Oklahoma City have voted to form the second-ever labor union at one of the company's US stores," reports CNN, "in the latest sign that organizing efforts are gaining traction inside and outside the tech and retail industries." In a preliminary tally by the National Labor Relations Board on Friday evening, 56 workers, or 64% of those casting ballots at the Penn Square Mall Apple store, voted to be represented by the Communications Workers of America, and 32 voted against it. Turnout was strong, with 88 of a potential 95 workers participating in the vote.

The union victory comes four months after Apple store workers in Towson, Maryland, made history by voting to form Apple's first US unionized location.... Workers at both locations have said they're looking to unionize in an effort to have more of a say in how their stores are run. Some also said they were inspired by union pushes this year at Amazon and Starbucks.

Apple did not immediately respond to a request for comment after the late night vote count Friday....

Between January and July of this year there were 826 union elections, up 45% from the number held in the same period of 2021, according to a CNN analysis of data from the NLRB. And the 70% success rate by unions in those votes is far better than the 42% success rate in the first seven months of 2021.

IOS

iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled (macrumors.com) 35

AmiMoJo shares a report from MacRumors: iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16's approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.

According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16. Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user's knowledge.

Mysk and Bakry also investigated whether iOS 16's Lockdown mode takes the necessary steps to fix this issue and funnel all traffic through a VPN when one is enabled, and it appears that the exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications. This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode are equally at risk of data leaks outside their active VPN tunnel. [...] Due to the fact that iOS 16 leaks data outside the VPN tunnel even where Lockdown mode is enabled, internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic, potentially highlighting influential individuals. It is possible that Apple does not want a potentially malicious VPN app to collect some kinds of traffic, but seeing as ISPs and governments are then able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPN problem that affects iOS 16 as a whole.

Security

Shein Owner Fined $1.9 Million For Failing To Notify 39 Million Users of Data Breach (techcrunch.com) 5

Zoetop, the firm that owns Shein and its sister brand Romwe, has been fined (PDF) $1.9 million by New York for failing to properly disclose a data breach from 2018. TechCrunch reports: A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account credentials, including those of more than 375,000 New York residents, according to the AG's announcement. An investigation by the AG's office found that Zoetop only contacted "a fraction" of the 39 million compromised accounts, and for the vast majority of the users impacted, the firm failed to even alert them that their login credentials had been stolen. The AG's office also concluded that Zoetop's public statements about the data breach were misleading. In one instance, the firm falsely stated that only 6.42 million consumers had been impacted and that it was in the process of informing all the impacted users.
Security

SIM Card Swindler 'Baby Al Capone' Agrees To Pay Back $22 Million To Hacked Crypto Investor (gizmodo.com) 5

A young man who was not even old enough to drive back in 2018 managed to yoink nearly $24 million from a major crypto investor's account. Now, over four years later and thousands likely invested in both an investigation and lawyers fees, Michael Terpin can claim he has reclaimed $22 million from the original hack, according to a recently filed agreement. From a report: The original complaint filed in New York Southern District Court back in 2020 named the then-18-year-old Ellis Pinsky of leading a 20-person group that met on the OGUsers' forum that attacked people's crypto wallets using stolen SIM card data. Pinsky allegedly performed this hack when he was only 15 years old while living with his mother in upstate New York. The only other hacker named in the original complaint was 20-year-old Nick Truglia, who had been previously jailed on federal charges for a separate crypto theft. Terpin was a major name in the tech and crypto world, especially back in the late 20-teens as the co-founder of crypto investment firm BitAngels along with early work launching Motley Fool and Match.com. At the time, Terpin's phone hack was one of the largest crypto hacks of its kind. Nowadays, however, $24 million would be chump change to some of the funds modern crypto hackers seem to be rolling in by attacking crypto exchanges, protocols, and cross-chain bridges.
Security

Signal To Phase Out SMS Support From the Android App 54

schwit1 shares a blog post from Signal, the popular instant messaging app: In the interest of privacy, security, and clarity we're beginning to phase out SMS support from the Android app. You'll have several months to export your messages and either find a new app for SMS or tell your friends to download Signal.

[...] To give some context, when we started supporting SMS, Signal didn't exist yet. Our Android app was called TextSecure and the Signal encryption protocol was called Axolotl. Almost a decade has passed since then, and a lot has changed. In this time we changed our name, built iOS and desktop apps, and grew from a small project to the most widely used private messaging service on the planet. And we continued supporting the sending and receiving of plaintext SMS messages via the Signal interface on Android. We did this because we knew that Signal would be easier for people to use if it could serve as a homebase for most of the messages they were sending or receiving, without having to convince the people they wanted to talk to to switch to Signal first. But this came with a tradeoff: it meant that some messages sent and received via the Signal interface on Android were not protected by Signal's strong privacy guarantees.

We have now reached the point where SMS support no longer makes sense. For those of you interested, we walk through our reasoning in more detail below. In order to enable a more streamlined Signal experience, we are starting to phase out SMS support from the Android app. You will have several months to transition away from SMS in Signal, to export your SMS messages to another app, and to let the people you talk to know that they might want to switch to Signal, or find another channel if not.
Security

How Wi-Fi Spy Drones Snooped On Financial Firm (theregister.com) 52

An anonymous reader quotes a report from The Register: Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place. Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector. In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network.

The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. "This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable. "During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."

According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register. "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures." [...] While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework. "This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.
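The detection that exposed this attack, as described above, was a correlation: a MAC address registered to an employee was active on the office Wi-Fi while that employee's remote session said they were at home. The Go program below is an added example of that check, not the firm's tooling or anything Linares published. Its log format, MAC-to-user asset map, access point names, usernames and addresses are all constructed; the pairing window is a knob you would tune to how long a legitimate commute could make both appear true.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type wifiAssoc struct {
	ts  time.Time
	mac string
	ap  string
}

type vpnLogin struct {
	ts   time.Time
	user string
	src  string
}

// parseKV turns "k=v" tokens into a map; tokens without "=" are ignored.
func parseKV(fields []string) map[string]string {
	m := map[string]string{}
	for _, f := range fields {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	return m
}

// Finding: the device registered to a user joined office Wi-Fi while the same
// user held a remote VPN session, within the pairing window.
type Finding struct {
	User   string
	MAC    string
	AP     string
	VPNSrc string
	Gap    time.Duration
}

// FindSplitPresence reads constructed log lines of the form
//   <RFC3339 time> wifi mac=<mac> ap=<ap>
//   <RFC3339 time> vpn user=<user> src=<ip>
// resolves MACs to users through the asset map (unknown MACs are dropped here,
// though they are worth their own alert) and pairs events closer than window.
func FindSplitPresence(lines []string, assets map[string]string, window time.Duration) []Finding {
	var wifi []wifiAssoc
	var vpn []vpnLogin
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		kv := parseKV(f[2:])
		switch f[1] {
		case "wifi":
			wifi = append(wifi, wifiAssoc{ts, strings.ToLower(kv["mac"]), kv["ap"]})
		case "vpn":
			vpn = append(vpn, vpnLogin{ts, kv["user"], kv["src"]})
		}
	}
	var out []Finding
	for _, w := range wifi {
		user, known := assets[w.mac]
		if !known {
			continue
		}
		for _, v := range vpn {
			if v.user != user {
				continue
			}
			gap := w.ts.Sub(v.ts)
			if gap < 0 {
				gap = -gap
			}
			if gap <= window {
				out = append(out, Finding{user, w.mac, w.ap, v.src, gap})
			}
		}
	}
	return out
}

// SampleAssets and SampleLogs are constructed data for the example.
func SampleAssets() map[string]string {
	return map[string]string{"aa:bb:cc:dd:ee:01": "jdoe", "aa:bb:cc:dd:ee:02": "asmith"}
}

func SampleLogs() []string {
	return []string{
		"2022-07-12T09:02:41Z vpn user=jdoe src=203.0.113.45",
		"2022-07-12T09:14:03Z wifi mac=AA:BB:CC:DD:EE:01 ap=roof-ap-3",
		"2022-07-12T07:00:00Z vpn user=asmith src=198.51.100.7",
		"2022-07-12T08:55:00Z wifi mac=aa:bb:cc:dd:ee:02 ap=floor2-ap-1",
		"2022-07-12T08:57:12Z wifi mac=aa:bb:cc:dd:ee:99 ap=floor2-ap-1",
	}
}

func main() {
	for _, f := range FindSplitPresence(SampleLogs(), SampleAssets(), 30*time.Minute) {
		fmt.Printf("user=%s device=%s on %s while on VPN from %s (%s apart)\n", f.User, f.MAC, f.AP, f.VPNSrc, f.Gap)
	}
}
```

With a 30-minute window only jdoe is flagged; asmith's two events are almost two hours apart and read as an ordinary commute. The MAC-based allow-list this network relied on is exactly why the correlation matters: a cloned MAC looks like the legitimate device in the Wi-Fi logs alone.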

Encryption

Android Leaks Some Traffic Even When 'Always-On VPN' Is Enabled (bleepingcomputer.com) 30

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the "Block connections without VPN," or "Always-on VPN," feature is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is built into the Android operating system and is a design choice. However, Android users likely didn't know this until now due to the inaccurate description of the "VPN Lockdown" features in Android's documentation. Mullvad discovered the issue during a security audit that hasn't been published yet, issuing a warning yesterday to raise awareness on the matter and apply additional pressure on Google.

Android offers a setting under "Network & Internet" to block network connections unless you're using a VPN. This feature is designed to prevent accidental leaks of the user's actual IP address if the VPN connection is interrupted or drops suddenly. Unfortunately, this feature is undercut by the need to accommodate special cases like identifying captive portals (like hotel WiFi) that must be checked before the user can log in or when using split-tunnel features. This is why Android is configured to leak some data upon connecting to a new WiFi network, regardless of whether you enabled the "Block connections without VPN" setting.

Mullvad reported the issue to Google, requesting the addition of an option to disable connectivity checks. "This is a feature request for adding the option to disable connectivity checks while "Block connections without VPN" (from now on lockdown) is enabled for a VPN app," explains Mullvad in a feature request on Google's Issue Tracker. "This option should be added as the current VPN lockdown behavior is to leak connectivity check traffic (see this issue for incorrect documentation) which is not expected and might impact user privacy."
In response to Mullvad's request, a Google engineer said this is the intended functionality and that it would not be fixed for the following reasons:

- Many VPNs actually rely on the results of these connectivity checks to function,
- The checks are neither the only nor the riskiest exemptions from VPN connections,
- The privacy impact is minimal, if not insignificant, because the leaked information is already available from the L2 connection.

Mullvad countered these points and the case remains open.
