Researchers have uncovered a method of attack that can force most virtual private network (VPN) applications to send and receive traffic outside the encrypted tunnel. This effectively compromises the fundamental purpose of VPNs, which is to encapsulate internet traffic in a secure, encrypted tunnel and mask the user’s IP address.
The TunnelVision Attack
The attack, dubbed TunnelVision by the researchers, undermines VPNs’ core functionality by manipulating the routing of internet traffic. When connected to a hostile network, the attack can redirect portions or even all of the VPN traffic outside the encrypted tunnel, allowing an attacker to read, drop, or alter the data. The researchers believe this attack affects all VPN applications, except those running on Linux or Android.
The technique exploits a feature in the Dynamic Host Configuration Protocol (DHCP) that allows an attacker to manipulate routing options. Known as Option 121, this feature lets a DHCP server override the default routing rules, directing VPN traffic through a specified local IP address rather than through the VPN’s encrypted tunnel.
How TunnelVision Works
TunnelVision affects VPNs by manipulating the DHCP server’s routing settings. By exploiting Option 121, the attacker can reroute traffic through the DHCP server, bypassing the VPN’s encryption. The attack can redirect either a portion or all of the traffic through an unencrypted tunnel. The compromised traffic is then visible to the attacker, while the VPN application continues to believe that all data is being sent through a secure connection.
A video demonstration of the attack shows how the victim’s traffic is routed through the attacker, who can read, drop, or modify the traffic while the victim remains unaware. Any traffic redirected by this method is not encrypted, exposing the user’s internet IP address and potentially compromising sensitive data.
Android Is the Only Secure Platform
Interestingly, Android is the only operating system that does not apply Option 121, rendering it immune to this type of attack. Other operating systems have no definitive solution to the problem, with Linux offering a partial mitigation that reduces the impact. However, even with this mitigation, TunnelVision can still be used to deanonymize traffic and conduct targeted denial-of-service attacks.
Potential Solutions
The most effective solutions involve running the VPN in a virtual machine with the network adapter in non-bridged mode or using a cellular device’s Wi-Fi hotspot to connect to the internet. While these methods offer a higher level of security, they may not be practical in all scenarios.
Overall, this discovery highlights a significant vulnerability in most VPN applications, emphasizing the need for enhanced security measures and further research to develop effective countermeasures. Users relying on VPNs for privacy and security should stay informed about potential risks and take additional precautions to protect their data from potential attacks like TunnelVision.
