2024-05-09 23:30:52
Researchers believe that it affects all VPN applications when connected to a hostile network, and there is no way to prevent such attacks except when the user’s VPN is running on Linux or Android. They also stated that their attack technique has been possible since 2002 and may have already been discovered and used since then:
“Recently, we identified a new network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic out of the VPN tunnel by using the built-in features of the Dynamic Host Configuration Protocol (DHCP). The result is that the user transfers packets that are never encrypted by a VPN, and a hacker can spy on their traffic. We use the term “decloaking” to refer to this effect. It is important to note that the VPN’s control channel is maintained, so features such as kill-switches never is triggered, and users continue to appear connected to a VPN in all cases we observed.
“We have spent a lot of time investigating this possibility and trying to inform as many affected parties as possible. We also know that it is our responsibility as security researchers to inform the security and privacy community, as well as the general public, about this threat. We also believe that this technique may have been possible as early as 2002 and may have already been discovered (we have been informed that this “decloaking” behavior has been referred to on social media. This once again shows that it is important to inform the public outside the technology sector of the existence of our technique) and potentially used in the wild. This is why we think it’s important for us to make it public, because notifying every VPN provider, every OS maintainer, every self-hosted VPN administrator, and every VPN user is way beyond the capabilities of our small research team.
How TunnelVision works is explained in a video demonstration
– The victim’s traffic is now unmasked and routed directly by the attacker. The attacker can read, delete or modify the leaked traffic, and the victim maintains the connection to both the VPN and the Internet, the researchers explain.
The attack works by manipulating the DHCP server that assigns IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack redirects data to the DHCP server itself. Leviathan Security researchers explained:
“Our technique is to run a DHCP server on the same network as the targeted VPN user and configure our DHCP configuration to use itself as a gateway. When the traffic reaches our gateway, we apply traffic forwarding rules on the DHCP server to send the traffic to a legitimate gateway while we spy on it.
“We use DHCP option 121 to define a route in the VPN user’s routing table. The route we define is arbitrary, and we can also define more routes if necessary. By enforcing more specific routes than the /0 CIDR range used by the most VPNs, we can establish routing rules with a higher priority than the virtual interface routes created by the VPN.We can define multiple /1 routes to replicate the 0.0.0.0/0 rule for all traffic defined by most VPNs.
“Pushing a route also means that network traffic will be sent on the same interface as the DHCP server instead of the virtual network interface. This is an intended feature that is not clearly stated in the RFC. Therefore, for the routes we push, the traffic is never encrypted of the VPN’s virtual interface, but transmitted through the network interface that talks to the DHCP server.As an attacker, we can choose which IP addresses go through the tunnel and which go through the network interface that communicates with our DHCP server.
“Traffic is now transferred outside the encrypted VPN tunnel. This technique can also be used against an already established VPN connection when the VPN user’s host needs to renew a lease with our DHCP server. We can artificially create this scenario by specifying a short lease time in the DHCP lease so that the user updates the routing table more often. In addition, the control channel of the VPN remains intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report that it was connected, and the kill switch was never activated to terminate our VPN connection.”
The attack can most effectively be carried out by someone who has administrative control over the network the target connects to. In this scenario, the attacker configures the DHCP server to use option 121. It is also possible for people who can connect to the network as an unprivileged user to perform the attack by configuring their own malicious DHCP server.
Limitations
Firewall rules
We observed VPN providers denying all incoming and outgoing traffic to and from the physical interface via firewall rules. An exception was needed for the DHCP and VPN server IPs, as they are needed to stay connected to the local network and VPN server. Deep packet inspection can also only allow DHCP and VPN, but performance is likely to be affected.
Firewall rule reduction issues
Firewall mitigations create a selective denial of service for traffic using the DHCP route and introduce a side channel. An attacker can use this side channel to determine the traffic target. To determine the traffic target, an attacker can perform an analysis of the volume of VPN-encrypted traffic sent by a user. The attacker will need a basic traffic volume where no malware is installed. Then he needs to change the rental configuration to install roads that prevent traffic and observe the difference in volume.
Ignore option 121
Another possible solution is to ignore option 121 when VPN is enabled. We noted that because Android does not support DHCP option 121, it was not affected. The downside is that option 121 exists for a reason, and ignoring these routes can break network connectivity (which is often cited as a reason to implement it on Android). If this restriction is implemented, it should be mandatory, as attackers can simply deny network access to the VPN or user re-enable option 121.
Use a hot spot or VM
Hot spots are temporary Wi-Fi networks controlled by a mobile device. They create a password-locked local area network with automatic network address translation. Since this network is completely controlled by the mobile device and requires a password, a hacker should not be able to access the local network. A virtual machine will also work the same way as long as the virtual machine’s network adapter is not in bridged mode.
Do not use untrusted networks if you need absolute privacy for your traffic
Source: the researchers’ results
And you ?
What is your initial reaction to the discovery of the TunnelVision VPN attack?
How does this vulnerability affect your confidence in using VPNs for online security?
What steps do you think VPN developers should take to protect their users from such attacks?
Would Android’s immunity to this attack encourage you to switch operating systems for your online activities?
How can businesses protect themselves against security vulnerabilities that have existed for a long time but are only recently being exploited?
What role should users play in protecting their own online security in the face of such vulnerabilities?
1715298554
#Unprecedented #attacks #threaten #security #VPN #apps #call #question #basic #utility