CVE-2024-49734: Side Channel Information Disclosure Allowing Wi-Fi Access Points to Determine Websites Visited via VPN

A security vulnerability has been discovered in several functions of ConnectivityService.java, which could potentially allow cyber attackers to determine what website a device has connected to when using a VPN. In this post, we will explore this vulnerability, known as CVE-2024-49734, in detail, including the implications, the affected code and possible exploits, and solutions for mitigating the risk.

The issue at hand is that, due to a side channel information disclosure, it is possible for a Wi-Fi Access Point (AP) to remotely obtain information about the websites visited by the victim's device without requiring any additional execution privileges or user interaction. This can cause severe privacy concerns for users and, in some cases, lead to further exploitation or attacks.

Affected Code

The issue stems from several functions inside the ConnectivityService.java file, which is responsible for managing various aspects of network connectivity. Specifically, the information leakage occurs when the device attempts to connect to a site via VPN.

Here is a code snippet illustrating one of the relevant functions

private void handleConnectionToSite(String siteUrl, NetworkAgentInfo activeNai) {
    if (activeNai == null) {
        logW("handleConnectionToSite: activeNai is null");
        return;
    }

    final boolean doConnect = isVPNConnectedTo(siteUrl);

    if (doConnect) {
        connectToSite(siteUrl, activeNai);
    } else {
        logW("Not connecting to " + siteUrl + " because VPN is not connected");
    }
}

The handleConnectionToSite() function checks if the VPN is connected to a specific site and, if so, proceeds to connect the device to the site. The problem lies in the fact that this function and several others inadvertently leak information about the connection status, which can be observed by an attacker monitoring the Wi-Fi AP.

Exploit Details

To exploit this vulnerability, an attacker only needs to have control over the Wi-Fi AP the victim is connected to. Since the side channel information disclosure allows the attacker to remotely monitor the connection attempts made by the victim's device, it is possible to infer which sites were accessed via the VPN.

This could be accomplished using passive network monitoring techniques, such as packet sniffing, to collect data about the websites visited by a device connected to the rogue Wi-Fi AP. By analyzing this data, an attacker can determine whether a specific site is being accessed via VPN and, consequently, deduce the victim's browsing habits or interests.

Original References

1. Android Open Source Project
2. ConnectivityService.java - Android Code Search
3. CVE-2024-49734 - NVD - Detail

Proposed Solutions and Mitigation

To mitigate the risk associated with this vulnerability, users are advised to connect only to trusted Wi-Fi networks and VPN services, avoiding any unsecured or public APs that could be under the control of malicious actors.

Moreover, developers and security researchers should investigate the issue further and develop patches to fix the problematic code in ConnectivityService.java. One possible solution could involve masking the connection attempts or obfuscating the data transmitted over the side channel to prevent attackers from discerning which sites are being accessed via a VPN.

In summary, CVE-2024-49734 poses a significant risk to user privacy and security. By understanding and addressing the vulnerability within the ConnectivityService.java code, we can work towards a safer and more secure browsing experience for all.

Timeline

Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/24/2025 17:15:19 UTC