That's why half decent VPN apps also add firewall rules to prevent leakage. Although nothing can beat Linux and shoving the real interface in a namespace so it's plainly not available to anything except the VPN process.
Yes, I don't agree with the no way to mitigate statement.
I suspect on windows the only real defence is something like.
Check if the network has suspicious multiple routes setup from the DHCP
If so, either use the IP/Mask/Gateway with manual IP config (to not receive the CIDR routes) or steer clear of an at best questionable network entirely.
Maybe use the windows firewall to block all traffic outbound EXCEPT from the firewall program (with perhaps exceptions for local networks as per below linux example). For whatever reason the windows firewall doesn't seem to have a way to specify an interface. But you can specify a program.
I did look for some way to control Window's handling of DHCP options. But it seems there isn't anything obvious to limit this otherwise. I do not know if the windows firewall has this kind of fine-grained control with its own fire
For linux, I used to have my own blackout firewall rules. That only allowed the specific LAN range (for mobile use you could include all RFC1918 ranges) and the specific VPN IP out of the internet facing interface. Only the VPN interface could otherwise access the internet.
Some providers have managed to make split tunnelling work fine so those I suspect are not affected because they override the routing at the driver level. It's really only the kinda lame OpenVPN wrappers that would be affected. When you have the custom driver, you can affect the routing. It's been a while since I've tested this stuff on Windows since obviously I haven't been paid to do that for 6 years, but yeah I don't even buy that all providers are affected and that it's unfixable. We had workarounds for that when I joined PIA already so it's probably been a known thing for at least a decade.
The issues we had is sometimes you could get the client to forget to remove the firewall rules or to add back the routes and it would break people's internet entirely. Not great but a good problem to have in context.
No. Any device that implements a certain DHCP feature is vulnerable. Linux doesn't support it, because most Linux systems don't even use DHCP at all let alone this edge case feature. And Android doesn't support it because it inherited the Linux network stack.
I would bet some Linux systems are vulnerable, just not with the standard network packages installed. If you're issued a Linux laptop for work, wouldn't be surprised if it has a package that enables this feature. It essentially gives sysadmins more control over how packets are routed for every computer on the LAN.
WTF are you smoking? WTF is wrong with you that you think such a dumb claim would go unscrutinized? I would play Russian roulette on the chances of a random Linux installation on a random network talking DHCP.
Edit, in case being charitable helps: DNS and IP address allocation aren't the only things that happen over DHCP. And even then the odds are overwhelming that those are being broadcast that way.
(…) the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address.
No. That is not the entire point of a VPN. That’s just what a few shady companies are claiming to scam uninformed users into paying for a useless service. The entire point of a VPN is to join a private network (i.e. a network that is not part of the Internet) over the public internet, such as connecting to your company network from home. Hence the name ‘virtual private network’.
There are very little, if any, benefits to using a VPN service to browse the public internet.
that works, but a regular SOCKS proxy should do. for HTTP even a HTTP proxy. many VPN providers offer them too, btw.. may help with mitigating this attack vector.
Hate to rain on the Linux parade here, but didn't the article say: "There are no ways to prevent such attacks except when the user's VPN runs on Android." and that Linux was just as vulnerable as Windows?
Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.
Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.
But in the details this attack is not that bad. E.g. NordVPN and I guess also other VPNs use firewall rules to drop traffic on normal network interfaces.
Their side channel is still routing traffic away from the VPN channel. Then they can observe that there is no traffic and guess that the user either didn't make requests in that moment or that he wanted to visit a website in the range covered by the route. They can not spy on the traffic.
Also you can not quickly move into a network and apply this attack, as DHCP leases usually last 1 day or at least 1 hour. Only when they expire you can apply the attack (or you force the user to drop from the network, which is easy if they are using WPA2, but only possible by blocking the wifi signal if they are using WPA3)
It is a serious issue and should be mitigated, but not as huge as news articles make it.
You can also use network namespaces on Linux which Wireguard has a nice explanation and walkthrough on, recommending this as part of setting up wg connections. https://www.wireguard.com/netns/
I saw that but unfortunately it doesn't detail how to set it up persistently on every boot. And I also haven't seen anybody using this method, probably because of the lack of tooling around it. For example afaik the official Mullvad client on linux just uses a firewall.
I use option 121 as part of my work, though I am not an expert on DHCP. This attack does make sense to me and it would be hard to work around given the legitimate uses for that option.
Adding routes for other thing on the network the clients can reach directly and remove some load from the router. For example, reaching another office location through a tunnel, you can add a route to 10.2.0.0/16 via 10.1.0.4 and the clients will direct the traffic directly at the appropriate gateway.
Arguably one should design the network such that this is not necessary but it's useful.
To be fair, any proper VPN setup that only relies on the routing table like this is flawed to begin with.
If the VPN program dies or the network interface disappears, the routes are removed aswell, allowing traffic to leave the machine without the VPN.
So it is already a good practice to block traffic where it shouldnt go (or even better, only allowing it where it should).
So if they are changing routes by using DHCP options, perhaps this could be exploited by telecom insiders when you are using mobile data, because your mobile data IP could be assigned by a DHCP server on the telecom network. If you're at home on wifi, then you can control your own DHCP server to prevent that.
The attack vector described in the article uses the VPN client machine's host network, i.e. the local network the device is attached to. They don't discuss the DHCP server of the VPN provider.
By pushing routes that are more specific than a /0 CIDR range that most VPNs use, we can make routing rules that have a higher priority than the routes for the virtual interface the VPN creates.
Most traffic gets sent through a VPN only because of a default gateway (set by the VPN) in the client's routing table. If the client's ISP were to have their DHCP server set one or more specific routes that are broad enough to cover most of the global address space, they would effectively override that default gateway. I believe that's the scenario described in the article.
Note that the "ISP" here could be a mobile operator, an internet cafe, an airport, someone running a wifi access point that looks like the airport's, or a guest on the same local network running an unauthorized DHCP server.
Most VPN providers don't use DHCP. OpenVPN emulates and hooks DHCP requests client-side to hand the OS the IP it got over the OpenVPN protocol in a more standard way (unless you use Layer 2 tunnels which VPN providers don't because it's useless for that use case). WireGuard doesn't support DHCP at all and it always comes from configuration.
The attack vector here seems to be public WiFi like coffee shops, airports, hotels and whatnot. The places you kinda do want to use a VPN.
On those, if they're not configured well such as coffee shops using consumer grade WiFi routers, an attacker on the same WiFi can respond to the DHCP request faster than the router or do an ARP spoof attack. The attacker can proxy the DHCP request to make sure you get a valid IP but add extra routes on top.
My understanding is that if you run a rogue discoverable DHCP server in a local network with a particular set of options set and hyper-specific routing rules, you can clobber the routing rules set by the VPN software on any non-Android device, and route all traffic from those devices through arbitrary midpoints that you control.
But IANANE (I am not a network engineer) so please correct my misinterpretations.
Exactly. And if your ISP or cellular provider wants, or is forced, to gather information about your internet activities, they can almost certainly find a way. The cheap consumer-grade VPN services most of us use just prevent casual or automated observers from easily detecting your device's IP address. For most people that just want to torrent casually or use public wifi, it's enough.
(obligatory I'm not a network surgeon this is likely not perfectly correct)
The article mentions network interfaces, DHCP and gateways so real quick: a network interface usually represents a physical connection to a network, like an Ethernet port or a WiFi card. DHCP is a protocol that auto configured network routes and addresses once a physical connection is established, like when you jack in via an ethernet cable, it tells you the IP address you should go by, the range of IP address on the network you've connected to, where you can resolve domain names to IP addresses. It also tells you the address of a default gateway to route traffic to, if you're trying to reach something outside of this network.
You can have more than one set of this configuration. Your wired network might tell you that your an address is 10.0.0.34, anything that starts with 10.0.0. is local, and to talk to 10.0.0.254 if you're trying to get to anything else. If at the same time you also connect to a wireless network, that might tell you that your address is 192.168.0.69, 192.168.0.* is your local network, and 192.168.0.254 is your gateway out. Now your computer wants to talk to 4.2.2.2. Should it use the wireless interface and go via 192.168.0.254? or the wired one and use 10.0.0.254? Your os has a routing table that includes both of those routes, and based on the precedence of the entries in it, it'll pick one.
VPN software usually works by creating a network interface on your computer, similar to an interface to a WiFi card, but virtual. It then asks the OS to route all network traffic, through the new interface it created. Except of course traffic from the VPN software, because that still needs to get out to the VPN provider (let's say, at 1.3.3.7) via real Internet.
So if you're following along at home, your routing table at this point might look like this:
traffic to 1.3.3.7 should go to 10.0.0.254 via the wired interface
all traffic should go to the VPN interface
traffic to 10.0.0.* should go to the wired interface
all traffic should go to 10.0.0.254 via the wired interface
traffic to 192.168.0.* should go to the wireless interface
all traffic should go to 192.168.0.254 via the wireless interface
whenever your os wants to send network packets, it'll go down this list of rules until one applies. With that VPN turned on, most of the time, only those two first rules will ever apply.
If I'm reading the article correctly, what this attack does, is run a DHCP server, that when handing out routing rules, will send one with a flag that causes, for example, the last two rules to be placed at the top of the list instead of the bottom. Your VPN will still be on, the configuration it's requested the OS to make would still be in place, and yet all your traffic will be routed out to this insecure wireless network that's somehow set itself as the priority route over anything else.
That actually lays it out incredibly well for me. So in practice, what would I need to look out for as a wired desktop Ubuntu user with mullvad? It's sounding like this is going to be an issue on public networks, is this something my isp can do to me at home?
It all depends on how much you trust the devices on your LAN. So your ISP can't do anything unless they own and control your router, since that is on your LAN. So one concern might be if you connect your PC to coffee shop wifi, since all other devices in the shop are on the same LAN, not to mention the coffee shop owns the wifi router and can also perform the attack. Another concern might be if a family member in your house has a device that got hacked, then all devices in your house are vulnerable.
Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.
TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address.
The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network.
A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel.
When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.
This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation.
The original article contains 903 words, the summary contains 196 words. Saved 78%. I'm a bot and I'm open source!