Cybersecurity researchers at Leviathan Security have identified a potential major security problem surrounding VPN services.
The team recently discovered a vulnerability that forces almost all such apps to send and receive traffic outside the VPN tunnel, which is essentially their entire purpose.
The findings on the flaw, called TunnelVision, were published in a blog post, which also states that there is no simple solution to the problem so far. It is further claimed that the vulnerability has existed since 2002 and it is highly likely that hackers have already found it in the wild and exploited it.
Tunnel vision
According to the blog post, if the attacker has control over the network the victim connects to, they can configure the DHCP server that assigns IP addresses. Malicious entities connecting as unauthorized users can also set up their own DHCP server, with the same result.
This feature is called “option 121” and allows the server to override the default routing rules that send VPN traffic through a local IP address that activates the encrypted tunnel. Consequently, all traveling data goes to the DHCP server itself, is not encrypted by the VPN, and is visible to the attacker.
VPN apps running on most popular operating systems today are all vulnerable, the researchers said. They noticed one limitation and saw a solution for Linux. However, the mitigation opens up the possibility of a side-channel attack, which is a major vulnerability in itself.
Removing support for DHCP isn’t the solution either, “as it could break internet connectivity in some legitimate cases,” she added. “The strongest recommendation we have is that VPN providers implement network namespaces on operating systems that support them,” the researchers concluded. Android is the only operating system not affected by this flaw, as it does not initially implement option 121.