The purpose of a VPN, basically nullified by a cyber attack that forces the exposure of the real IP address


Reported by cybersecurity experts, a new type of cyber attack can force VPN applications to route traffic outside the encrypted tunnel, exposing users of these services to any adversary interested in learning their geographic location and possibly their identity.

The vulnerability, called TunnelVision, is present in almost all VPN services hosted on non-Linux and non-Android systems. According to the research, the vulnerability could have been available to interested groups since 2002, with indications that it has been exploited numerous times since then.

The effect of TunnelVision is that “the victim’s traffic is now exposed and routed directly to the attacker,” a video demonstration says. “The attacker can read, remove, or modify the leaked traffic, and the victim maintains its connection to both the VPN and the Internet.”

The attack works by manipulating the DHCP server that assigns IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel.

For maximum effectiveness, the attack must be initiated by someone who has administrative control over the network the target connects to. In this scenario, the attacker configures the DHCP server to use option 121. It is also possible for people who can connect to the network as an unprivileged user to perform the attack by configuring their own rogue DHCP server. The attack allows some or all of the traffic to be routed through the unencrypted tunnel. In both cases, the VPN application will report that all data is sent over the protected connection. Any traffic that is diverted from this tunnel will not be encrypted by the VPN, and the Internet IP address that can be viewed by the remote user will belong to the network that the VPN user is connected to, rather than the one designated by the VPN application.

Interestingly, Android is the only operating system that completely blocks the new methods of disarming VPN services, as it does not implement option 121. For the other operating systems, there are no concrete solutions for now.

When applications run on Linux, there is a setting that minimizes the effects, but even then TunnelVision can be used to exploit a back channel that can be used to de-anonymize destination traffic and perform denial-of-service attacks.
