We Thought VPNs Were Unhackable, But It Looks Like Hackers Can Spy on Them While You're Connected

  • The problem lies in a little-known option for the DHCP protocol.

  • Android devices are the only ones immune to this issue.

  • VPN service providers claim the risk is minimal, but as always, it’s best to avoid untrusted networks.


Cybersecurity company Leviathan Security has disclosed a new type of cyberattack it calls “TunnelVision.” The attack lets an adversary route traffic out of an encrypted VPN connection and eavesdrop on it, while the VPN client still reports that the tunnel is up and the connection is secure.

According to the team at Leviathan Security, this is a significant security issue that needs to be addressed. The attack exploits the so-called “option 121” of the DHCP protocol, which is used by routers to dynamically assign IP addresses in a local area network; option 121 (classless static routes) lets the DHCP server push routing entries to the client along with its address.

To accomplish their objectives, attackers set up a rogue DHCP server on the network. The routes it pushes modify the client’s routing table so that traffic the user expects to go through the VPN is instead sent over the physical network interface to the attackers’ desired destination, bypassing the legitimate VPN’s encrypted tunnel entirely.
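The mechanism above comes down to which route the operating system picks for a given destination. The following added example (not code from Leviathan’s report) decodes a DHCP option 121 payload in the RFC 3442 wire format and then runs a longest-prefix-match lookup over a combined routing table, so a defender can see which destinations would leave the tunnel. The payload, the interface names `tun0` and `wlan0`, and the pair of `/1` routes standing in for the VPN client’s own routes are all constructed assumptions for the demonstration.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and audit whether
the pushed routes would win longest-prefix matching over a VPN's tunnel routes.
Added example; the sample payload and interface names are constructed, not taken
from the Leviathan report."""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, egress interface)


def parse_option_121(data: bytes) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Decode the option payload into (destination prefix, next hop) pairs.

    Each entry is: 1 byte prefix length, ceil(len/8) significant destination
    octets (zero octets for a /0 default route), then a 4-byte router address.
    """
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        nsig = (plen + 7) // 8          # compact encoding: only significant octets are sent
        i += 1
        if i + nsig + 4 > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = data[i:i + nsig] + b"\x00" * (4 - nsig)
        i += nsig
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False: a sloppy server may set bits beyond the prefix; keep the route rather than crash
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((net, router))
    return routes


def build_table(vpn_prefixes: List[str], option_121: bytes,
                phys_if: str = "wlan0", vpn_if: str = "tun0") -> List[Route]:
    """Combine the VPN's routes (via the tunnel) with DHCP-pushed routes (via the physical NIC)."""
    table: List[Route] = [(ipaddress.IPv4Network(p), vpn_if) for p in vpn_prefixes]
    table += [(net, phys_if) for net, _router in parse_option_121(option_121)]
    return table


def lookup(table: List[Route], dest: str) -> str:
    """Longest-prefix match: the most specific covering route wins, as the kernel would choose.
    Ties go to the earlier table entry; real kernels break ties by metric, which is simplified here."""
    addr = ipaddress.IPv4Address(dest)
    best = max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]


def leaked_destinations(table: List[Route], destinations: List[str],
                        vpn_if: str = "tun0") -> Dict[str, str]:
    """Return {destination: interface} for every destination that would bypass the tunnel."""
    return {d: lookup(table, d) for d in destinations if lookup(table, d) != vpn_if}


# Constructed rogue-server payload: 1.1.1.0/24 via 192.168.1.254, plus a default route via 192.168.1.1
SAMPLE_OPTION_121 = bytes([
    24, 1, 1, 1, 192, 168, 1, 254,   # 1.1.1.0/24  -> 192.168.1.254
    0, 192, 168, 1, 1,               # 0.0.0.0/0   -> 192.168.1.1
])
# Many VPN clients install two /1 routes to override the NIC's /0 default without deleting it
VPN_PREFIXES = ["0.0.0.0/1", "128.0.0.0/1"]

if __name__ == "__main__":
    tbl = build_table(VPN_PREFIXES, SAMPLE_OPTION_121)
    for net, ifc in tbl:
        print(f"{str(net):18} dev {ifc}")
    # The /24 pushed by DHCP is more specific than the VPN's /1, so 1.1.1.1 leaves via wlan0
    print(leaked_destinations(tbl, ["1.1.1.1", "8.8.8.8", "203.0.113.5"]))
```

The point the audit makes visible is that the VPN never has to be broken: a `/24` installed on the physical interface is simply more specific than the tunnel’s `/1` routes, so the kernel prefers it. Running the same comparison against the routes a real DHCP lease handed out (for example, from the lease file or `ip route`) is a quick way to check whether a given network is pushing anything that overlaps what the VPN is supposed to cover.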

In an updated report, the security company pointed out that the problem was first identified in 2015 but largely ignored at the time. With VPNs now more popular than ever, Leviathan stated that it was crucial to draw attention to this type of vulnerability. While the problem has been present since 2002, there have been no known cases of it being exploited.

Leviathan has notified many of the affected VPN providers, as well as organizations like CISA and EFF, who have committed to help the company raise awareness of the issue. The company has issued a public announcement about the vulnerability (CVE-2024-3661), along with a proof-of-concept video that shows how an attack could be carried out.

Am I at Risk?

According to the team at Leviathan, the problem can occur on networks controlled by a hacker, or on networks where a hacker might already be lurking. Public Wi-Fi networks in bars, restaurants, hotels, and airports are typical scenarios where attackers could exploit this vulnerability.

VPNs may be exposed in such cases because many of them are susceptible to routing manipulation and run on systems with DHCP enabled by default. However, for the attack to work, the user’s device must take its lease from the rogue DHCP server before it connects to the legitimate server on the network.

As reported, TunnelVision affects Windows, macOS, Linux, and iOS. Interestingly, it doesn’t affect Android devices, because Android does not implement DHCP option 121 and so ignores any routes a rogue server tries to push. This keeps Android phones and tablets safe from the cyberattack.

A user on Ars Technica explains that the issue only matters for VPNs used to anonymize Internet traffic or to bypass the geographic restrictions of streaming services (so-called geofencing). According to the same user, people who use a VPN to reach remote machines across the Internet shouldn’t be affected by TunnelVision.

“If you use a VPN to connect to your home network and access machines inside your LAN that are not directly exposed to the internet, this won't affect that at all. It only affects VPN setups that redirect all Internet traffic via the VPN,” the user clarifies.

VPN providers are expected to update their clients on these operating systems with mechanisms that verify they are using a legitimate DHCP server, or with additional security controls. Providers like ExpressVPN claim that the issue has a “minimal impact” on their users, and the teams at Windscribe and Mullvad seem to agree.

Meanwhile, users should avoid connecting to untrusted networks. There are also more advanced measures, such as firewall rules that only permit outbound traffic through the VPN interface, that users can apply to mitigate the problem. If you want to know more, you can check out Leviathan’s detailed study.
