40 votes

‘TunnelVision’ attack leaves nearly all VPNs vulnerable to spying

22 comments

  1. [14]
    pageupdraws
    Specifically, this is about VPN connections on a network you don't control. The exploit isn't likely to be possible on your own network, unless you invite in a bad actor.

    24 votes
    1. [13]
      Carrow
      It's a bit sensationalist, innit? Unless I'm misunderstanding something, it will be apparent in the device's routing table if option 121 was used and it could be mitigated through the use of a script utilizing dhcp hooks to delete such routes at the time of renewal.

      9 votes
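The DHCP-hook mitigation sketched above can be made concrete. The following is an added example, not code from this thread or from the researchers: it decodes a DHCP option 121 payload (RFC 3442 classless static routes), flags any pushed route that longest-prefix matching would prefer over the VPN's own routes, and builds the iproute2 deletion commands a hook would run at lease renewal. The sample option bytes are constructed, the assumed VPN routes are the common 0.0.0.0/1 and 128.0.0.0/1 pair that full-tunnel clients install, and the `ip route del` syntax assumes a Linux host.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed sample payload of DHCP option 121 (RFC 3442 classless static routes).
# Each entry is: 1 byte prefix length, ceil(prefix/8) significant destination
# octets, then 4 router octets. The three entries decode to
#   10.17.0.0/24 via 192.168.1.1, 0.0.0.0/1 via 192.168.1.1, 0.0.0.0/0 via 192.168.1.1
SAMPLE_OPTION_121 = bytes([
    24, 10, 17, 0, 192, 168, 1, 1,
    1, 0, 192, 168, 1, 1,
    0, 192, 168, 1, 1,
])

# Assumption: the VPN client installed the usual pair of /1 routes that together
# cover the whole IPv4 space and beat the LAN default route by prefix length.
TUNNEL_ROUTES = ["0.0.0.0/1", "128.0.0.0/1"]


def decode_option_121(payload: bytes) -> List[Route]:
    """Decode an RFC 3442 classless-static-route option into (network, router) pairs."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len} at offset {i - 1}")
        n = (prefix_len + 7) // 8  # number of significant destination octets sent
        if i + n + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = int.from_bytes(payload[i:i + n] + b"\x00" * (4 - n), "big")
        i += n
        router = int.from_bytes(payload[i:i + 4], "big")
        i += 4
        # strict=False tolerates malformed entries with host bits set in the last octet
        routes.append((ipaddress.IPv4Network((dest, prefix_len), strict=False),
                       ipaddress.IPv4Address(router)))
    return routes


def routes_overriding_tunnel(routes: List[Route], tunnel_prefixes: List[str]) -> List[Route]:
    """Return pushed routes that would win (or tie on prefix length) against a tunnel route.

    A tie is flagged too: the kernel would then decide by metric, which is not
    something a hook should rely on.
    """
    tunnels = [ipaddress.ip_network(p) for p in tunnel_prefixes]
    flagged: List[Route] = []
    for net, router in routes:
        if any(net.overlaps(t) and net.prefixlen >= t.prefixlen for t in tunnels):
            flagged.append((net, router))
    return flagged


def deletion_commands(routes: List[Route]) -> List[str]:
    """Build the iproute2 commands a DHCP hook would run to remove the offending routes."""
    return [f"ip route del {net} via {router}" for net, router in routes]


if __name__ == "__main__":
    decoded = decode_option_121(SAMPLE_OPTION_121)
    for cmd in deletion_commands(routes_overriding_tunnel(decoded, TUNNEL_ROUTES)):
        print(cmd)
```

In the sample, the /24 and the /1 entries are flagged while the plain 0.0.0.0/0 entry is not, because the tunnel's /1 routes are more specific than a default route and keep winning. A real hook would feed the option bytes from the lease file or the DHCP client's environment rather than the constructed constant.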
      1. [4]
        JackA
        (edited)
        The site* headline is, the issue itself and information within the article is not. The vulnerability is suspected to have been open since 2002 and no such mitigations (no matter how easy to develop in hindsight or how easy to deploy now) have been widely used publicly in the past. Any attacker with control over DHCP on a public network could have been utilizing this attack to peek into traffic that people thought was being routed safely through their VPN.

        11 votes
        1. [2]
          patience_limited
          Think of your ISP as a hostile network, and the ability of any nation-state powers that might take an interest in VPN users to encourage exploitation of the ISP's DHCP servers. This could be a comprehensively nasty scenario.

          3 votes
          1. JackA
            A worthy thought, and thinking of your ISP as hostile is good practice, but I don't think it applies as a vulnerability in this case. The DHCP information your gateway receives from your ISP isn't passed on to clients; it has its own DHCP settings configured that apply to the LAN. So the clients will already be routing all of their traffic into the VPN tunnel on their own device before it ever hits the gateway's WAN port where any routing rule could do anything to try to bypass it.

            Now if you're using an ISP supplied router that's incredibly locked down and pulls its entire config from your ISP (which already means you don't care about security/privacy), that could be a concern. But honestly I doubt they'd be bold enough to implement such a malicious and potentially discoverable exploit into people's home networks when most people don't use a VPN there regardless, it's not a large amount of data that corporations would stand to profit from compared to all the other data they get freely and aboveboard without risk of exposure. The nation states that could force their hand already have plenty of tracking mechanisms that work whether you're on a VPN or not that most people aren't aware of that they needn't bother with the potential exposure of this.

            10 votes
        2. Carrow
          Good point on past exposure! I also took umbrage with language like claiming all VPN applications connected to hostile networks were vulnerable and lackluster details on mitigation, but the researchers' page does a better job clarifying those details without making it sound so catastrophic.

          1 vote
      2. [5]
        arch
        If I am reading this correctly then it looks like you can not assume you were ever safe using a VPN on an untrusted network on any device that isn't Android. Trusted networks should still be considered safe, since a rogue DHCP server being set up there would require your network to be compromised already.

        This could mean something as simple as doing online banking from a Starbucks could leak your account details.

        3 votes
        1. [4]
          Crestwave
          It's not quite that dramatic since nearly all websites are encrypted with HTTPS (especially banking apps) nowadays. However, it's still a pretty major flaw since public networks are one of the main use-cases for VPNs. And circumventing the VPN does let them check what websites you connect to, even if the contents are encrypted.

          4 votes
          1. [3]
            arch
             Very interesting, so would you basically still only really be at risk of leaking DNS queries? Your VPN traffic is using encryption as well. Would DNS over TLS mitigate this in any way?

            1. Crestwave
              This attack completely circumvents the VPN by forcing your traffic to be routed to its DHCP server. So essentially, if a malicious actor is in control of the network*, your threat model is pretty much the same as using a public WiFi without a VPN—HTTPS still protects you, HTTP is completely naked, and routing DNS queries is possible but not required (you can still sniff the IP of HTTPS connections and reverse look up its domain).

              * And you're using a vulnerable system, which is apparently everything except Linux with mitigations/Android according to the article.

              6 votes
            2. MrNoPro
              Even if the content of your traffic is encrypted with TLS, it doesn't hide the destination IP address.

              1 vote
      3. [3]
        F13
        Wouldn't it also cease to function as a VPN? You'd be routed out the upstream path (so your public IP would not change) and you wouldn't have access to any services in the remote end of the VPN connection (since the rogue forwarder cannot establish a legitimate session with your VPN endpoint).

        1 vote
        1. [2]
          R3qn65
          It depends on what "kind" of VPN you're using. Accessing your company's LAN? Yeah, absolutely, it'll just drop the connection. But doing the (much more common) thing of using a commercial VPN to access the regular internet? That'll still work, but you just won't be going through the tunnel.

          1 vote
          1. F13
             Yeah, it's more of a "denial of service" than an exploit, in the sense that it forcibly stops your VPN from functioning. If you do anything to confirm whether your VPN is actually working - like check your public IP - it would show that you are not using a VPN.

            That is, unless they selectively reroute traffic you care about but cannot confirm the public IP address of...

  2. [8]
    teaearlgraycold
    Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121.

    My co-workers at Android always said they believed Android to be the most secure operating system. I think they're probably right. It's an OS designed, from the ground up, for the 21st century model of software distribution. iOS "cheats" by using centralized control (Apple needs to sign your code to get it to run on iPhones/iPads) - although in practice this does work.

    13 votes
    1. [7]
      koopa
      My co-workers at Android always said they believed Android to be the most secure operating system.

      Assuming you have a Pixel that actually gets security updates. Maybe things have gotten better in the last few years, but my experience with Android was always heavily delayed updates from the phone maker if they came at all.

      9 votes
      1. [6]
        Minty
        Several phone makers started advertising with years and years of updates, but I fully expect this to not yield an increase in sales that will justify the expense, so they will quietly stop.

        5 votes
        1. [5]
          Weldawadyathink
           That is my assumption as well. Apple has shown through their actions that they support their products with software updates. No Android manufacturer has shown that. Some have said they would. But there is a really simple way to prove to your customers that you will support current devices longer: update your past devices to current software today. None of them have done this.

           The Google Pixel 3 and iPhone XS/XR were both released in 2018. One of those devices has the latest OS. One hasn't had a new OS since June 2022. Give that phone whatever the latest version of Android is and I might start believing Google about updates.

          6 votes
          1. [4]
            vord
             Except my Pixel 3 lives on with current LineageOS builds, while the iPhone becomes a brick in a year or two when Apple axes it.

            Frankly, I despise the entire smartphone market because it's the fast-fashion of computing.

            7 votes
            1. JackA
              I think it's fair to acknowledge however that 99% of Android phones will never have a new operating system installed on them to extend their lifespan beyond the few years of security updates the original manufacturer provides. For the non-enthusiasts Android phones become bricks remarkably sooner than iPhones do. Or worse, continue being used for years without security updates because "it still works" and there's no central authority forcing them to upgrade for their own good.

              Personally I don't mind Apple's controlling but utilitarian approach to security, it results in the average person having a secure phone for the entire reasonable lifespan of modern technology without having to think about it. It can at times frustrate me as an enthusiast, but the same simply cannot be said for most Android devices.

              6 votes
            2. [2]
              kjw
               (edited)
              I wonder how much behind official security updates LineageOS lags.

              1. vord
                From their latest patch notes:

                Our merge scripts have been largely overhauled, greatly simplifying the Android Security Bulletin merge process, as well as making supporting devices like Pixel devices that have full source releases much more streamlined.
                Our extract utilities can now extract from OTA images and factory images directly, further simplifying monthly security updates for maintainers on devices that receive security patches regularly.

                My guess is 'better than any vendor for a phone older than 5 years'

                1 vote