A recent attack named TunnelVision has been developed by researchers that targets nearly all virtual private network (VPN) applications. This attack manipulates the VPN applications to send and receive traffic outside of the encrypted tunnel meant to protect it from eavesdropping or tampering.
TunnelVision undermines the main purpose of VPNs, which is to secure internet traffic by encrypting it and hiding the user’s IP address. The researchers suggest that when connected to a hostile network, all VPN applications are vulnerable to this attack, with the exception of those running on Linux or Android. The researchers also believe that this attack method may have been possible since 2002 and could have been used in the wild.
The attack works by exploiting the Dynamic Host Configuration Protocol (DHCP) server that assigns IP addresses to devices connecting to the network. By using a setting called option 121, the attacker can divert VPN traffic through the DHCP server, exposing it to interception or modification. The attack can be performed by setting up a rogue DHCP server on the network or gaining administrative control over it.
While Android is immune to this attack due to its implementation, other operating systems have no complete fixes. There are some mitigations for Linux OS, but they are not foolproof. The researchers recommend running the VPN inside a virtual machine or connecting to the internet through a cellular device’s Wi-Fi network to prevent this attack.
For further details on TunnelVision and the research conducted by Leviathan Security, refer to their blog post.
