'TunnelVision' bug potentially allows snooping on all VPNs

Operating system features can be manipulated to divert traffic away from encrypted VPN tunnel

Researchers at vendor Leviathan Security Group have revealed a novel network attack technique they call "TunnelVision," which potentially affects all VPNs.

By exploiting features of the DHCP (Dynamic Host Configuration Protocol) deployed in all operating systems, an attacker can divert traffic away from the encrypted VPN tunnel, allowing it to be inspected.

DHCP is a network protocol used to assign IP addresses to devices on a local network. In simple terms, it allows a device to automatically obtain an IP address and other network configuration settings when it connects to a network.

Since 2002, DHCP has had a feature called "option 121", which allows network administrators to specify routes and add them to a client's routing table.

The DHCP server can push multiple routes using option 121, and because these routes are more specific than the catch-all routes most VPNs install, they take precedence under longest-prefix matching. Traffic matching them is sent over the network interface connected to the DHCP server rather than through the VPN tunnel. An attacker operating a network they control can therefore use option 121 to manipulate the routing tables of VPN users and force their traffic away from the VPN tunnel.
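The following is an added example written for this article, not code from Leviathan Security Group or any VPN vendor. It decodes the option 121 value in the wire format defined by RFC 3442 (a prefix length, only the significant octets of the destination, then a four-byte router address) and flags any pushed route that is more specific than a VPN route it overlaps, which is exactly the condition under which longest-prefix matching sends that traffic out of the physical interface instead of the tunnel. It assumes a full-tunnel VPN that installs the common 0.0.0.0/1 and 128.0.0.0/1 pair; the sample option payload is constructed. A defender could run the same check over DHCP offers captured on a network to spot route injection.

```python
"""Parse DHCP option 121 (RFC 3442 classless static routes) and flag routes
that beat a VPN's catch-all routes by longest-prefix match.

Added example for this article; not Leviathan's or any VPN vendor's code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address  # 0.0.0.0 means "on-link" in RFC 3442


def parse_option_121(payload: bytes) -> list[Route]:
    """Decode the option 121 value: a sequence of
    (prefix length, significant destination octets, 4-byte router) records."""
    routes: list[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        # RFC 3442 encodes only ceil(prefix_len / 8) destination octets.
        n = (prefix_len + 7) // 8
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121 record")
        dest_bytes = payload[i:i + n] + bytes(4 - n)  # pad to a full address
        i += n
        gateway = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        dest = ipaddress.IPv4Network((dest_bytes, prefix_len), strict=False)
        routes.append(Route(dest, gateway))
    return routes


# Assumption: a full-tunnel VPN that installs the common 0.0.0.0/1 and
# 128.0.0.0/1 pair to outrank the physical interface's 0.0.0.0/0 default route.
FULL_TUNNEL_ROUTES = (
    ipaddress.ip_network("0.0.0.0/1"),
    ipaddress.ip_network("128.0.0.0/1"),
)


def diverted_routes(routes, vpn_prefixes=FULL_TUNNEL_ROUTES):
    """Return (destination, gateway) pairs for pushed routes that are more
    specific than a VPN route they overlap. Such routes win longest-prefix
    matching, so traffic to those destinations leaves via the LAN interface
    rather than the tunnel. A pushed 0.0.0.0/0 is deliberately not flagged:
    it is no more specific than the VPN's /1 routes. On-link LAN routes will
    be reported too; a deployment may choose to exempt its own local subnet."""
    findings = []
    for r in routes:
        for p in vpn_prefixes:
            if r.destination.overlaps(p) and r.destination.prefixlen > p.prefixlen:
                findings.append((str(r.destination), str(r.gateway)))
                break
    return findings


if __name__ == "__main__":
    # Constructed option 121 value: 0.0.0.0/0 via 192.168.1.1, then
    # 8.8.8.0/24 via 192.168.1.254.
    sample = bytes.fromhex("00c0a80101" "18080808c0a801fe")
    for dest, gw in diverted_routes(parse_option_121(sample)):
        print(f"route {dest} via {gw} bypasses the VPN tunnel")
```

The sample decodes to two routes; only the /24 is reported, because the default route pushed alongside it is less specific than the VPN's /1 pair and does not divert anything on its own.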

Importantly, an attack using this method does not trigger kill switches or otherwise disconnect the user from the VPN, offering no signal that traffic diversion might be taking place. Moreover, the attacker can retain control over the connection, giving uninterrupted access to the data.

Full- and split-tunnel VPNs are both vulnerable.

The vulnerability affects any operating system that implements a DHCP client and supports DHCP option 121 routes, which includes Windows, Linux, iOS and macOS. Android is not affected because it does not implement option 121 (one reason VPNs are often less stable on Android, Leviathan researchers Lizzie Moratti and Dani Cronce note in a blog post). Linux users can mitigate the issue with a feature called "network namespaces", which, depending on the distribution, may not be available by default.

Advice to VPN users

The impact of this vulnerability is significant, especially for journalists, political dissidents, and others who rely on VPNs for privacy and security. As it has been potentially exploitable since 2002, it may have been used to snoop on traffic for decades. While HTTPS provides some protection for web browsing, other types of traffic and unencrypted websites leave both the content and destination visible to snooping.

"VPN users who expect VPNs to protect them on untrusted networks are as susceptible to the very same attacks as if they weren't using a VPN," the researchers note on a special site tunnelvisionbug.com, set up to notify users and vendors about the issue.

"Luckily, most users who use commercial VPNs are sending web traffic which is mostly HTTPS (about 85%, actually). HTTPS traffic looks like gibberish to attackers using TunnelVision, but they know who you are sending that gibberish to, which can be an issue."

Users could consider running their VPN inside a virtual machine. They should avoid using untrusted networks, to prevent a rogue network from installing routes, and should run an ad blocker to stop tracking cookies. They should also be wary of the marketing claims made by VPN vendors, which may overstate the security benefits provided.

Call on vendors to be transparent

Mitigation of this issue is difficult, as it lies in operating system features rather than the VPNs themselves. However, say the researchers, vendors should alert users to TunnelVision in their documentation, notify them of any mitigations or fixes for particular OSs, and be transparent about their limitations.

It is debatable whether TunnelVision should be classified as a vulnerability, they note: "Because TunnelVision doesn't rely on violating any security properties of the underlying technologies. From our perspective, TunnelVision is how DHCP, routing tables and VPNs are intended to work.

"However, it contradicts VPN providers' assurances that are commonly referenced in marketing material."

Update

VPN provider Mullvad contacted Computing to say TunnelVision is similar to a previously known issue TunnelCrack LocalNet, in that it requires the attacker to be on the same local network as the victim and to act as the victim's DHCP server. Mullvad says its Windows, macOS and Linux applications block all such attempts, but integrating a fix into the iOS app is a work in progress.