05-07-2024, 03:52 PM
I offer this under the heading "Mildly paranoid, but still real."
As it is reported, ever since about 2002 a vulnerability, referred to as "TunnelVision", has existed within all VPN traffic which has not yet been directly addressed and, until now, not spoken of... Why not? I don't know.
From ArsTechnica: Novel attack against virtually all VPN apps neuters their entire purpose
Subtitled: TunnelVision vulnerability has existed since 2002 and may already be known to attackers.
I resent the term "novel" for a number of reasons. First, this means that for over 20 years, everyone who thought themselves protecting their privacy was NEVER a reality. Second, the report "hints" that the vulnerability may be known to malicious actors... which leads me, at least, to presume that they "know" and "have known" - along with the very architects of DHCP protocols who inexplicably created the protocol which allows all VPN traffic to be redirected to whatever address they wish, unencrypted. Stop right there... we can't be certain that this was an intentionally implemented design feature for the benefit of "someone somewhere"... (there, I have theoretically protected "the man.")
Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.
TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.
It's an odd technical way to completely erase the functionality of the 'service' that so many have spent many millions on over the years... their 'peace of mind' has apparently only a notional value of "appearance."
The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself.
Leviathan Security researchers mention in their work that ...
Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.
[bolding is mine]
Here's a video explaining the vulnerability...
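To make the option 121 mechanism concrete from the defender's side, here is an added example (not code from the Ars Technica article or from Leviathan Security) that decodes the classless static route option from the options field of a captured DHCP offer and flags any pushed route whose destination lies outside the local private ranges. Such a route would carry Internet-bound traffic over the physical interface rather than the VPN's virtual interface, which is exactly the effect the quoted text describes. The DHCP option bytes below are constructed sample data, and the set of "LAN" prefixes treated as benign is an assumption a real deployment would tune.

```python
import ipaddress

# Constructed sample: DHCP options blob as it would appear after the magic cookie.
#   option 53 (message type) = 2 (Offer)
#   option 3  (router)       = 192.168.1.1
#   option 121 (classless static routes, RFC 3442) carrying three routes
#   255 = end of options
SAMPLE_OPTION_121 = bytes([
    1, 0x00, 192, 168, 1, 1,          # 0.0.0.0/1     via 192.168.1.1
    1, 0x80, 192, 168, 1, 1,          # 128.0.0.0/1   via 192.168.1.1
    24, 192, 168, 1, 192, 168, 1, 1,  # 192.168.1.0/24 via 192.168.1.1
])
SAMPLE_OPTIONS = (
    bytes([53, 1, 2])
    + bytes([3, 4, 192, 168, 1, 1])
    + bytes([121, len(SAMPLE_OPTION_121)]) + SAMPLE_OPTION_121
    + bytes([0])      # a pad byte, legal anywhere in the options field
    + bytes([255])
)

# Assumed set of prefixes a client would legitimately reach off-tunnel (RFC 1918).
LAN_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def find_option(options: bytes, code: int):
    """Walk the DHCP option TLVs and return the value of the first option with this code."""
    i = 0
    while i < len(options):
        tag = options[i]
        if tag == 0:            # pad: single byte, no length field
            i += 1
            continue
        if tag == 255:          # end marker
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if tag == code:
            return value
        i += 2 + length
    return None


def parse_option_121(payload: bytes):
    """Decode RFC 3442 classless static routes.

    Each entry is: 1 byte prefix length, ceil(len/8) significant destination
    octets, then a 4-byte router address.  Returns [(IPv4Network, IPv4Address)].
    """
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8
        i += 1
        if i + n + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + n] + b"\x00" * (4 - n)   # restore the omitted low octets
        router = payload[i + n:i + n + 4]
        i += n + 4
        network = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen))
        routes.append((network, ipaddress.IPv4Address(router)))
    return routes


def routes_leaving_tunnel(routes, lan_prefixes=LAN_PREFIXES):
    """Return the pushed routes that cover addresses outside the assumed LAN ranges.

    Traffic matching these routes is sent via the interface that talked to the
    DHCP server, not via the VPN's virtual interface, so they deserve an alert.
    """
    lan = [ipaddress.IPv4Network(p) for p in lan_prefixes]
    return [(net, gw) for net, gw in routes if not any(net.subnet_of(l) for l in lan)]


if __name__ == "__main__":
    opt = find_option(SAMPLE_OPTIONS, 121)
    decoded = parse_option_121(opt)
    for net, gw in decoded:
        print(f"pushed route {net} via {gw}")
    for net, gw in routes_leaving_tunnel(decoded):
        print(f"ALERT: {net} would bypass the VPN tunnel (gateway {gw})")
```

Run against the constructed offer, the two /1 routes are flagged because together they cover the whole IPv4 space and are more specific than the VPN's default route, while the 192.168.1.0/24 entry is treated as ordinary LAN routing. Feeding the decoder the option bytes from a real capture of the DHCP exchange on an untrusted network gives a quick check of what a client was told to route off-tunnel.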