URL: https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/?utm_c...
VPN BUSTER —


NOVEL ATTACK AGAINST VIRTUALLY ALL VPN APPS NEUTERS THEIR ENTIRE PURPOSE


TUNNELVISION VULNERABILITY HAS EXISTED SINCE 2002 AND MAY ALREADY BE KNOWN TO
ATTACKERS.

Dan Goodin - 5/6/2024, 10:35 PM


Researchers have devised an attack against nearly all virtual private network
applications that forces them to send and receive some or all traffic outside of
the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the
entire purpose and selling point of VPNs, which is to encapsulate incoming and
outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP
address. The researchers believe it affects all VPN applications when they’re
connected to a hostile network and that there are no ways to prevent such
attacks except when the user's VPN runs on Linux or Android. They also said
their attack technique may have been possible since 2002 and may already have
been discovered and used in the wild since then.


READING, DROPPING, OR MODIFYING VPN TRAFFIC

The effect of TunnelVision is “the victim's traffic is now decloaked and being
routed through the attacker directly,” a video demonstration explained. “The
attacker can read, drop or modify the leaked traffic and the victim maintains
their connection to both the VPN and the Internet.”


TunnelVision - CVE-2024-3661 - Decloaking Full and Split Tunnel VPNs - Leviathan
Security Group.

The attack works by manipulating the DHCP server that allocates IP addresses to
devices joining the local network. A setting known as option 121 allows the
DHCP server to push routes that override the default routing rules, which
normally send all VPN traffic to a local IP address (the virtual interface)
that feeds the encrypted tunnel. By using option 121 to point those routes at
the DHCP server's host instead, the attack diverts the data to the DHCP server
itself. Researchers from Leviathan Security explained:

> Our technique is to run a DHCP server on the same network as a targeted VPN
> user and to also set our DHCP configuration to use itself as a gateway. When
> the traffic hits our gateway, we use traffic forwarding rules on the DHCP
> server to pass traffic through to a legitimate gateway while we snoop on it.
> 
> We use DHCP option 121 to set a route on the VPN user’s routing table. The
> route we set is arbitrary and we can also set multiple routes if needed. By
> pushing routes that are more specific than a /0 CIDR range that most VPNs use,
> we can make routing rules that have a higher priority than the routes for the
> virtual interface the VPN creates. We can set multiple /1 routes to recreate
> the 0.0.0.0/0 all traffic rule set by most VPNs.
> 
> Pushing a route also means that the network traffic will be sent over the same
> interface as the DHCP server instead of the virtual network interface. This is
> intended functionality that isn’t clearly stated in the RFC. Therefore, for
> the routes we push, it is never encrypted by the VPN’s virtual interface but
> instead transmitted by the network interface that is talking to the DHCP
> server. As an attacker, we can select which IP addresses go over the tunnel
> and which addresses go over the network interface talking to our DHCP server.
> 
> [Figure: A malicious DHCP option 121 route that causes traffic to never be
> encrypted by the VPN process. Image: Leviathan Security]
> 
> We now have traffic being transmitted outside the VPN’s encrypted tunnel. This
> technique can also be used against an already established VPN connection once
> the VPN user’s host needs to renew a lease from our DHCP server. We can
> artificially create that scenario by setting a short lease time in the DHCP
> lease, so the user updates their routing table more frequently. In addition,
> the VPN control channel is still intact because it already uses the physical
> interface for its communication. In our testing, the VPN always continued to
> report as connected, and the kill switch was never engaged to drop our VPN
> connection.

The attack can most effectively be carried out by a person who has
administrative control over the network the target is connecting to. In that
scenario, the attacker configures the DHCP server to use option 121. It’s also
possible for people who can connect to the network as an unprivileged user to
perform the attack by setting up their own rogue DHCP server.

The attack allows some or all traffic to be routed outside the encrypted
tunnel. In either case, the VPN application will still report that all data is
being sent through the protected connection. Any traffic diverted away from the
tunnel is not encrypted by the VPN, and the Internet IP address seen by the
remote end belongs to the network the VPN user is connected to, rather than the
one assigned by the VPN app.
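The route-precedence mechanics described above, as an added example that is not part of the article or of Leviathan's research: a Python model that decodes an option 121 payload (RFC 3442 classless static route encoding) and applies longest-prefix matching to a typical full-tunnel routing table, so a defender can audit which destinations would leave via the physical interface instead of the tunnel. The interface names, the 192.168.1.0/24 LAN, and the 203.0.113.10 VPN server address are assumptions; the option 121 bytes are a constructed sample.

```python
from ipaddress import IPv4Address, IPv4Network

def parse_option_121(data: bytes) -> list[tuple[IPv4Network, IPv4Address]]:
    """Decode the RFC 3442 classless static route list carried in DHCP option 121.
    Each entry: 1-byte prefix length, ceil(len/8) significant destination octets,
    then the 4-byte next-hop router address."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        n = (plen + 7) // 8
        i += 1
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = bytes(data[i:i + n]).ljust(4, b"\x00")   # pad omitted octets with zeros
        router = IPv4Address(bytes(data[i + n:i + n + 4]))
        i += n + 4
        routes.append((IPv4Network((dest, plen), strict=False), router))
    return routes

def egress_interface(table: list[tuple[IPv4Network, str]], dst: IPv4Address) -> str:
    """Longest-prefix match: the most specific matching route wins, which is
    exactly why a pushed /1 beats the VPN's 0.0.0.0/0 catch-all."""
    matches = [(net.prefixlen, iface) for net, iface in table if dst in net]
    return max(matches, key=lambda m: m[0])[1] if matches else "unreachable"

def tunnel_bypass_report(option121: bytes, probes: list[str]) -> dict[str, str]:
    """Assumed full-tunnel host: the VPN owns 0.0.0.0/0 on tun0, the physical
    NIC (eth0) only has the LAN and a /32 host route to the VPN server. Apply
    the DHCP-pushed routes to eth0 and report where each probe would exit."""
    table = [
        (IPv4Network("0.0.0.0/0"), "tun0"),
        (IPv4Network("192.168.1.0/24"), "eth0"),
        (IPv4Network("203.0.113.10/32"), "eth0"),  # assumed VPN server endpoint
    ]
    for net, _router in parse_option_121(option121):
        table.append((net, "eth0"))  # pushed routes land on the DHCP-facing NIC
    return {p: egress_interface(table, IPv4Address(p)) for p in probes}

# Constructed sample: a DHCP server pushing 0.0.0.0/1 and 128.0.0.0/1 via
# 192.168.1.1, recreating the VPN's catch-all with more-specific prefixes.
SAMPLE_OPTION_121 = bytes([1, 0x00, 192, 168, 1, 1, 1, 0x80, 192, 168, 1, 1])

if __name__ == "__main__":
    report = tunnel_bypass_report(SAMPLE_OPTION_121, ["198.51.100.7", "8.8.8.8"])
    for dst, iface in report.items():
        print(f"{dst:>16} -> {iface}")
```

Running the same report against a host's live routing table after each DHCP lease renewal is the defender-side check this models: any public destination that resolves to the physical interface while the VPN reports "connected" is leaked traffic.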

Interestingly, Android is the only operating system that fully immunizes VPN
apps from the attack because it doesn't implement option 121. For all other
OSes, there are no complete fixes. When apps run on Linux there’s a setting that
minimizes the effects, but even then TunnelVision can be used to exploit a side
channel that can be used to de-anonymize destination traffic and perform
targeted denial-of-service attacks. Network firewalls can also be configured to
deny inbound and outbound traffic to and from the physical interface. This
remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted
network has no ability to control the firewall and (2) it opens the same side
channel present with the Linux mitigation.

The most effective fixes are to run the VPN inside of a virtual machine whose
network adapter isn’t in bridged mode or to connect the VPN to the Internet
through the Wi-Fi network of a cellular device. The research, from Leviathan
Security researchers Lizzie Moratti and Dani Cronce, is available here.


ARS VIDEO


WHAT HAPPENS TO THE DEVELOPERS WHEN AI CAN CODE? | ARS FRONTIERS




READER COMMENTS

264
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees
coverage of malware, computer espionage, botnets, hardware hacking, encryption,
and passwords. In his spare time, he enjoys gardening, cooking, and following
the independent music scene.

PROMOTED COMMENTS

mktogeek
I think it's important to clarify the use of the term "VPN" here. This affects
"VPNs" used for anonymizing internet traffic or for geofence defeating on
streaming services and such. It should not impact VPNs used to access private
networks via the Internet.

For example, if you use a VPN to connect to your home network and access
machines inside your LAN that are not directly exposed to the internet, this
won't affect that at all. It only affects VPN setups that redirect all Internet
traffic via the VPN.

You may also be able to partially defeat it by not using a /0 route. You could
instead do four routing entries with /2 networks. Of course, if the hacker sets
up their network the same way, this could also be defeated.
May 6, 2024 at 8:59 pm