Skip to content

Novel TunnelVision attack decloaks VPN traffic, poses security threats

  • by
  • 3 min read

A new network technique called TunnelVision can bypass VPN encapsulation, posing a global privacy and security threat. This technique uses decloaking to leverage inherent features of the Dynamic Host Configuration Protocol (DHCP) to divert a target user’s network traffic away from their VPN tunnel, which results in the transmission of unencrypted packets, enabling malicious actors to intercept and analyse sensitive data without detection.

Experts uncovered that the vulnerability existed since 2002 and may have been exploited previously. Given the widespread adoption of VPNs and the limitations of research teams to individually notify affected parties, they decided on a public disclosure to mitigate this vulnerability.

“We believe it is critical for us to disclose publicly because notifying every VPN provider, operating system maintainer, self-hosted VPN admin, and VPN user is far beyond the capacity of our small research team,” said researchers.

The attacker first identifies a target user connected to a VPN within the same network segment, allowing direct interaction with the user’s network traffic. The attacker then sets up a rogue DHCP server masquerading as a legitimate DHCP server on the network. When the target user’s device sends a DHCP request for IP configuration settings, the rogue server responds, offering malicious DHCP configurations.

By leveraging DHCP Option 121, designed to specify static routes, the attacker injects malicious routing configurations into the target user’s network settings. This includes pushing more specific routes than most VPNs’ default /0 CIDR range, effectively directing the target user’s traffic outside the VPN’s encrypted tunnel.

TunnelVision attack methodology. | Source: Leviathan Security

The injected malicious routes redirect the target user’s network traffic through the attacker’s gateway instead of the intended VPN tunnel. This redirection occurs seamlessly, without triggering VPN control mechanisms, such as kill switches, maintaining the appearance of a normal VPN connection to the target user.

With the targeted user’s traffic routed through the attacker’s gateway, the attacker can intercept and analyse the unencrypted packets, exposing sensitive information, including website visits and communications, to potential compromise and surveillance.

The decloaking technique operates covertly, enabling the attacker to monitor the target user’s traffic discreetly without raising suspicion or triggering VPN security alerts. Despite the traffic diversion, the VPN control channel remains operational, giving the illusion of a secure connection from the target user’s viewpoint.

According to researchers, mitigation techniques include solutions for Linux-based systems. However, they may introduce side channels vulnerable to denial-of-service attacks and traffic analysis. These risks concern vulnerable users, such as journalists and whistleblowers, who rely on VPNs for communication security.

The most effective remedies include running the VPN within a virtual environment using a network adapter not set to bridged mode or linking the VPN to the internet through a WiFi network from a mobile device.

In the News: OpenAI introduces tool to identify DALL-E 3 images amid concerns

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>