Tunnelvision: Attackers can bypass VPNs and redirect data

With a 22-year-old DHCP option, attackers can cause data traffic to bypass the VPN. Neither users nor VPN operators are aware of this.

VPN toggle on a smartphone

With Tunnelvision, the VPN connection remains stable while the data traffic takes other routes - without VPN protection.

(Image: Shutterstock/Primakov)

This article was originally published in German and has been automatically translated.

"If you are in an untrusted network environment, use a VPN" is a much-quoted security mantra. A team of two researchers has now found a way to observe data traffic despite a VPN. The trick: by interfering with the victim's routing, they simply steer the data traffic past the VPN. Under certain circumstances, attackers can thus obtain unencrypted data packets from their victims. The attack requires the victim and the attacker to be in the same local network (LAN), but it is difficult to detect. Only Android is not inherently vulnerable; other operating systems require additional protective measures.

All VPNs the researchers tested are affected by the "TunnelVision" vulnerability; they say they have informed over 50 manufacturers about the security problem. The starting point for the attack is "Option 121", introduced in 2002 in the Dynamic Host Configuration Protocol (DHCP), which handles the dynamic allocation of IP addresses. A DHCP server can use this option to supply devices with routing information in addition to their IP address, so that traffic to a specific destination network is sent via a route other than the default route.

If a user runs a VPN in an unsecured hotel WLAN, for example, all data packets are encrypted before they leave the computer in the direction of the VPN gateway, which decrypts them and forwards them to their actual destination addresses. Under normal conditions, an adversary in an insecure WLAN can sniff packets but cannot break the VPN encryption. If, however, the adversary controls the responsible DHCP server, he can simply instruct end devices to send their data past the VPN. To do this, the server sends DHCP option 121 with a matching route, for example to redirect all DNS queries. The VPN's encryption is skipped for that traffic, but the VPN connection itself stays up, so the user is unaware of the attack.

The DHCP server is normally under the control of the system administrator and cannot be manipulated by third parties. An attacker can nevertheless smuggle a second DHCP server into the LAN, but must first silence the real, "authoritative" DHCP server. The simplest method is probably to request IP addresses from this server en masse until its address pool is exhausted. The rogue DHCP server can then step in and hand out addresses itself. Once it has bound the target device to itself, it redirects the device's traffic before VPN encryption takes place and can then read it.

If the data traffic is already encrypted before it is routed to the VPN, as is the case when accessing websites via HTTPS, for example, that encryption remains in place and the attacker cannot read the plaintext. However, the attacker can still determine which destinations the victim is visiting, which can have devastating consequences.

The basic problem behind Tunnelvision is that there is no "DHCPsec". DHCP servers do not authenticate themselves to their clients; whoever assigns the user an IP address fastest wins. A draft for securing DHCP was proposed in 1997 by the then Intel employee Baiju V. Patel, but nothing came of it. RFC 3118, proposed in 2001, does specify a rudimentary form of DHCP authentication, but it only protects against accidental collisions between several DHCP servers, not against deliberate attacks.

The Tunnelvision attack succeeds even if the VPN connection already exists. The attacker only has to wait until the targeted end device has to renew its IP address lease and sends a corresponding request to the DHCP server. Leviathan Security has reproduced the problem on Windows, Linux, iOS and macOS, but the attack does not work on Android, because Android ignores DHCP option 121.

Android users have it particularly easy: because the mobile operating system simply ignores DHCP option 121, it is not susceptible to TunnelVision. Users of other operating systems, however, must take countermeasures to avoid falling into the trap. The Leviathan Security authors suggest various steps for users and VPN providers.

Those who value anonymity and privacy should avoid connecting to untrusted networks, use their smartphone's hotspot function, or establish the VPN connection from a virtual machine without a bridged network adapter. VPN providers can use additional technical measures to protect their customers.

Linux has had so-called network namespaces since kernel 2.6.24 (2008). These allow the network stack to be partitioned so that the Tunnelvision attack no longer discloses unencrypted traffic. However, a device partitioned in this way cannot access resources on the LAN.

Otherwise, it may be possible to secure the VPN connection with classic firewall rules so that data packets cannot leave the host by any path other than the VPN. Even this is not complete protection, according to the researchers: with a statistical side-channel attack it is still possible to draw conclusions about which IP addresses the victim is accessing. To do this, however, the attacker must be able to intercept the data traffic, for example in an unencrypted WLAN.
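The routing mechanism described above (an option 121 route that is more specific than the VPN's default route wins the kernel's longest-prefix match) and the firewall mitigation from the previous paragraph, worked through as an added Python example that is not code from the article or from Leviathan Security. It decodes the raw option 121 value in the RFC 3442 wire format (prefix length, significant destination octets, router address), resolves a few destinations against a constructed routing table, and then evaluates a kill-switch style policy that permits egress only through the tunnel. The tunnel endpoint 203.0.113.10, the LAN 192.168.1.0/24, the interface names, the sample routes and the option 121 bytes are all constructed assumptions for the demonstration.

```python
"""Decode DHCP option 121 and check whether its routes would pull traffic out of
a VPN tunnel. Added example; all addresses and routes below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str          # next hop; "" means the prefix is on-link
    iface: str


@dataclass(frozen=True)
class Policy:
    """Kill-switch policy: only the tunnel, the tunnel endpoint and the LAN are allowed."""
    vpn_iface: str = "tun0"
    lan_iface: str = "eth0"
    vpn_server: str = "203.0.113.10"                      # assumed tunnel endpoint
    lan: ipaddress.IPv4Network = ipaddress.IPv4Network("192.168.1.0/24")

    def exempt(self, dst: str) -> bool:
        ip = ipaddress.IPv4Address(dst)
        return ip == ipaddress.IPv4Address(self.vpn_server) or ip in self.lan


def decode_option121(payload: bytes):
    """Parse the raw option 121 value (RFC 3442 classless static routes).
    Each entry: 1 byte prefix length, ceil(len/8) destination octets, 4 byte router."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8                       # significant destination octets
        dest = payload[i:i + n] + b"\x00" * (4 - n)
        i += n
        gw = payload[i:i + 4]
        i += 4
        if len(dest) != 4 or len(gw) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((net, str(ipaddress.IPv4Address(gw))))
    return routes


def select_route(table, dst: str) -> Route:
    """Longest-prefix match, the same rule the kernel applies."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if ip in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def suspicious_routes(payload: bytes, policy: Policy):
    """DHCP-client hook heuristic: flag pushed routes that point outside the LAN
    and are not just the tunnel endpoint itself."""
    endpoint = ipaddress.IPv4Network(policy.vpn_server + "/32")
    return [f"{net} via {gw}" for net, gw in decode_option121(payload)
            if not net.subnet_of(policy.lan) and net != endpoint]


def audit(payload: bytes, base_table, destinations, policy: Policy, kill_switch=False):
    """Install the pushed routes on the LAN interface and report, per destination,
    the egress interface and whether the packet tunnels, is exempt, leaks, or is dropped."""
    table = list(base_table) + [Route(net, gw, policy.lan_iface)
                                for net, gw in decode_option121(payload)]
    report = {}
    for dst in destinations:
        r = select_route(table, dst)
        if r.iface == policy.vpn_iface:
            verdict = "tunnel"
        elif policy.exempt(dst):
            verdict = "exempt"
        else:
            verdict = "dropped" if kill_switch else "leak"
        report[dst] = (r.iface, verdict)
    return report


# Constructed routing table of a VPN client on a hotel LAN.
BASE_TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "10.8.0.1", "tun0"),          # VPN default route
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "", "eth0"),              # local LAN
    Route(ipaddress.IPv4Network("203.0.113.10/32"), "192.168.1.1", "eth0"),  # path to VPN server
]
# Constructed option 121 value: 198.51.100.0/24 and 192.0.2.7/32 via 192.168.1.1.
ROGUE_OPTION_121 = bytes([24, 198, 51, 100, 192, 168, 1, 1,
                          32, 192, 0, 2, 7, 192, 168, 1, 1])
DESTINATIONS = ["198.51.100.53", "192.0.2.7", "192.0.2.8", "203.0.113.10"]

if __name__ == "__main__":
    policy = Policy()
    print("flagged:", suspicious_routes(ROGUE_OPTION_121, policy))
    for ks in (False, True):
        print("kill switch" if ks else "no kill switch",
              audit(ROGUE_OPTION_121, BASE_TABLE, DESTINATIONS, policy, kill_switch=ks))
```

Without the kill switch, the two pushed prefixes win over the /0 tunnel route and the matching destinations leave through `eth0` in plaintext while the tunnel stays up, which is the condition the article describes. With the policy enforced they are dropped instead; note that a dropped connection attempt is itself observable on the LAN, which is the residual side channel the researchers mention.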

The discovery is not entirely new. The German hacker jomo pointed out the redirection technique via DHCP option 121 back in 2017 and warned that it compromises VPN traffic.

The Leviathan team, consisting of Lizzie Moratti and Dani Cronce, has now discussed the problem in detail for the first time (including a proof of concept video, lab setup code and DHCP server image). Leviathan has also obtained the CVE number CVE-2024-3661 (Common Vulnerabilities and Exposures).

The two researchers admit that Tunnelvision need not necessarily be regarded as a security vulnerability, since the attack relies on an option that works exactly as designed. Nevertheless, VPN operators, operating system developers and system administrators are all called upon to act. It is more important than ever to avoid public WLAN hotspots: all it takes for a successful attack is for the attacker to be on the same network.

Prior to publication, Leviathan Security informed several dozen well-known VPN providers, with the help of the Electronic Frontier Foundation (EFF) and the US cyber security agency CISA. The researchers fear that redirection via DHCP option 121 may have been in use since 2002. As a next step, they plan to publish their "ArcaneTrickster" tool, which is meant to make the attack much easier to reproduce and to convince the last doubters in the VPN industry.


Attackers regard virtual private networks as a worthwhile target. Crafty cyber crooks had infiltrated Ivanti VPN appliances so deeply that CISA ordered them taken offline by decree. The US authorities suspect that the "Volt Typhoon" intruders are in the pay of the Chinese government.

(ds)