40 votes
‘TunnelVision’ attack leaves nearly all VPNs vulnerable to spying
Link information
- Title: Novel attack against virtually all VPN apps neuters their entire purpose
- Authors: Dan Goodin
- Published: May 6 2024
- Word count: 918 words
Specifically, this is about VPN connections on a network you don't control. The exploit isn't likely to be possible on your own network, unless you invite in a bad actor.
It's a bit sensationalist, innit? Unless I'm misunderstanding something, it will be apparent in the device's routing table if option 121 was used, and it could be mitigated through the use of a script utilizing DHCP hooks to delete such routes at the time of renewal.
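A defender-side sketch of the check this comment describes, added here and not code from the thread, the article or the researchers: it decodes the option 121 payload in the form dhclient hands to exit hooks and flags pushed routes that lie outside the LAN, the ones that would steer traffic around the tunnel. The variable name `new_rfc3442_classless_static_routes` (Debian's dhclient.conf convention) and the sample payload are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or the researchers): decode DHCP option 121 the
# way dhclient exposes it to exit hooks (space-separated decimal octets in
# $new_rfc3442_classless_static_routes, Debian's name for it; an assumption here).
# Constructed sample payload: default route, a LAN-local /24, and a /32 to a public
# address via the LAN gateway, i.e. a route that would pull traffic out of the tunnel.
SAMPLE_ROUTES="0 10 0 0 1 24 10 0 0 10 0 0 1 32 203 0 113 7 10 0 0 1"

ip2int() {   # dotted quad -> unsigned 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print one "dest/len via gw" line per RFC 3442 route; return 1 on a malformed payload.
parse_classless_routes() {
    set -- $1
    while [ $# -gt 0 ]; do
        len=$1; shift
        [ "$len" -le 32 ] || return 1
        octets=$(( (len + 7) / 8 ))    # only the significant destination octets are sent
        dest=""; i=0
        while [ $i -lt 4 ]; do
            if [ $i -lt $octets ]; then
                [ $# -gt 0 ] || return 1
                dest="$dest$1."; shift
            else dest="${dest}0."; fi
            i=$((i + 1))
        done
        [ $# -ge 4 ] || return 1
        gw="$1.$2.$3.$4"; shift 4
        printf '%s/%s via %s\n' "${dest%.}" "$len" "$gw"
    done
}

# Routes to delete or log on a host that tunnels everything: more specific than /0 and
# not inside the LAN prefix $2/$3 (a /0 from DHCP is overridden by the VPN client anyway).
suspicious_routes() {
    lan_net=$(ip2int "$2"); lan_len=$3
    lan_mask=$(( lan_len == 0 ? 0 : (0xffffffff << (32 - lan_len)) & 0xffffffff ))
    parse_classless_routes "$1" | while read -r prefix via gw; do
        dest=${prefix%/*}; len=${prefix#*/}
        [ "$len" -gt 0 ] || continue
        if [ "$len" -lt "$lan_len" ] ||
           [ $(( $(ip2int "$dest") & lan_mask )) -ne $(( lan_net & lan_mask )) ]; then
            printf '%s via %s\n' "$prefix" "$gw"
        fi
    done
}
suspicious_routes "$SAMPLE_ROUTES" 10.0.0.0 24   # prints: 203.0.113.7/32 via 10.0.0.1
```

In a dhclient-exit-hooks.d script the payload would come from `$new_rfc3442_classless_static_routes` and the LAN prefix from the lease's own address and mask, and each printed line is a candidate for `ip route del` once the distro's rfc3442 hook has installed it.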
The site's headline is; the issue itself and the information within the article are not. The vulnerability is suspected to have been open since 2002 and no such mitigations (no matter how easy to develop in hindsight or how easy to deploy now) have been widely used publicly in the past. Any attacker with control over DHCP on a public network could have been utilizing this attack to peek into traffic that people thought was being routed safely through their VPN.
Think of your ISP as a hostile network, and the ability of any nation-state powers that might take an interest in VPN users to encourage exploitation of the ISP's DHCP servers. This could be a comprehensively nasty scenario.
A worthy thought, and thinking of your ISP as hostile is good practice, but I don't think it applies as a vulnerability in this case. The DHCP information your gateway receives from your ISP isn't passed on to clients; it has its own DHCP settings configured that apply to the LAN. So the clients will already be routing all of their traffic into the VPN tunnel on their own device before it ever hits the gateway's WAN port, where any routing rule could do anything to try to bypass it.
Now if you're using an ISP-supplied router that's incredibly locked down and pulls its entire config from your ISP (which already means you don't care about security/privacy), that could be a concern. But honestly I doubt they'd be bold enough to implement such a malicious and potentially discoverable exploit into people's home networks when most people don't use a VPN there regardless; it's not a large amount of data that corporations would stand to profit from compared to all the other data they get freely and aboveboard without risk of exposure. The nation-states that could force their hand already have plenty of tracking mechanisms that work whether you're on a VPN or not, and that most people aren't aware of, so they needn't bother with the potential exposure of this.
Good point on past exposure! I also took umbrage with language like claiming all VPN applications connected to hostile networks were vulnerable and lackluster details on mitigation, but the researchers' page does a better job clarifying those details without making it sound so catastrophic.
If I am reading this correctly then it looks like you cannot assume you were ever safe using a VPN on an untrusted network on any device that isn't Android. Trusted networks should still be considered safe, since a rogue DHCP server being set up there would require your network to be compromised already.
This could mean something as simple as doing online banking from a Starbucks could leak your account details.
It's not quite that dramatic since nearly all websites are encrypted with HTTPS (especially banking apps) nowadays. However, it's still a pretty major flaw since public networks are one of the main use-cases for VPNs. And circumventing the VPN does let them check what websites you connect to, even if the contents are encrypted.
Very interesting, so would you basically still only really be at risk of leaking DNS queries? Your VPN traffic is using encryption as well. Would DNS over TLS mitigate this in any way?
This attack completely circumvents the VPN by forcing your traffic to be routed to its DHCP server. So essentially, if a malicious actor is in control of the network*, your threat model is pretty much the same as using a public WiFi without a VPN—HTTPS still protects you, HTTP is completely naked, and routing DNS queries is possible but not required (you can still sniff the IP of HTTPS connections and do a reverse lookup of its domain).
* And you're using a vulnerable system, which is apparently everything except Linux with mitigations/Android according to the article.
Even if the content of your traffic is encrypted with TLS, it doesn't hide the destination IP address.
Wouldn't it also cease to function as a VPN? You'd be routed out the upstream path (so your public IP would not change) and you wouldn't have access to any services in the remote end of the VPN connection (since the rogue forwarder cannot establish a legitimate session with your VPN endpoint).
It depends on what "kind" of VPN you're using. Accessing your company's LAN? Yeah, absolutely, it'll just drop the connection. But doing the (much more common) thing of using a commercial VPN to access the regular internet? That'll still work, but you just won't be going through the tunnel.
Yeah, it's more of a "denial of service" than an exploit, in the sense that it forcibly stops your VPN from functioning. If you do anything to confirm whether your VPN is actually working - like check your public IP - it would show that you are not using a VPN.
That is, unless they selectively reroute traffic you care about but cannot confirm the public IP address of...
My co-workers at Android always said they believed Android to be the most secure operating system. I think they're probably right. It's an OS designed, from the ground up, for the 21st century model of software distribution. iOS "cheats" by using centralized control (Apple needs to sign your code to get it to run on iPhones/iPads) - although in practice this does work.
Assuming you have a Pixel that actually gets security updates. Maybe things have gotten better in the last few years, but my experience with Android was always heavily delayed updates from the phone maker if they came at all.
Several phone makers started advertising with years and years of updates, but I fully expect this to not yield an increase in sales that will justify the expense, so they will quietly stop.
That is my assumption as well. Apple has shown through their actions that they support their products with software updates. No android manufacturer has shown that. Some have said they would. But there is a really simple way to prove to your customers that you will support current devices longer: update your past devices to current software today. None of them have done this.
The Google Pixel 3 and iPhone XS/XR were both released in 2018. One of those devices has the latest OS. One hasn't had a new OS since June 2022. Give that phone whatever the latest version of Android is and I might start believing Google about updates.
Except my Pixel 3 lives on with current LineageOS builds, while the iPhone becomes a brick in a year or two when Apple axes it.
Frankly, I despise the entire smartphone market because it's the fast-fashion of computing.
I think it's fair to acknowledge however that 99% of Android phones will never have a new operating system installed on them to extend their lifespan beyond the few years of security updates the original manufacturer provides. For the non-enthusiasts Android phones become bricks remarkably sooner than iPhones do. Or worse, continue being used for years without security updates because "it still works" and there's no central authority forcing them to upgrade for their own good.
Personally I don't mind Apple's controlling but utilitarian approach to security, it results in the average person having a secure phone for the entire reasonable lifespan of modern technology without having to think about it. It can at times frustrate me as an enthusiast, but the same simply cannot be said for most Android devices.
I wonder how much behind official security updates LineageOS lags.
From their latest patch notes:
My guess is 'better than any vendor for a phone older than 5 years'