TunnelVision vulnerability

Stumbled across this today;

There’s a link to the research at the end of the article.

From my very limited understanding this does not sound like a vulnerability in VPN protocols/encryption, but more of a clever routing table modification via DHCP options to make the operating system’s network stack bypass the encrypted tunnel altogether, but I could be wrong.

In the linked research article, they mention that firewall rules can be an effective mitigation, and state that a variety of VPN providers are using them.

Can IVPN share any insight on this issue and possible mitigations (if any) for affected operating systems?

Thanks for the query; we will review the findings and respond in this thread.

To exploit the vulnerability in question, an attacker needs to connect to the same local network as the target and act as a DHCP server. This allows them to modify routing tables and control traffic routing. This way they may route traffic outside of the VPN tunnel, bypassing the routing rules defined by the VPN client. As this vulnerability alters the routing table, it is not a discreet attack: if you can check your routing table, you can tell whether the network is compromised.

Overview of our findings regarding IVPN apps:

a. IVPN Android app is not affected.

b. IVPN iOS app is potentially affected based on our assessment, and the “Block LAN traffic” option enabled in the app does not mitigate the issue. Actions you can take if you are concerned about the attack:

  • Avoid connecting to public/untrusted networks
  • Do not use IVPN on iOS

c. For IVPN desktop apps we have a firewall functionality that blocks all traffic going outside the VPN interface. With the default configuration, IVPN users are not affected by this vulnerability. However, the vulnerability might affect you if:

  • Firewall functionality is disabled
  • Firewall is configured to allow LAN communication, or if there are custom firewall exceptions defined

If you are concerned about this issue we suggest always using the built-in firewall in the desktop apps with default configuration.
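The post above notes that the attack is visible in the routing table. As an added illustration (not IVPN's code, not part of the thread), the script below parses Linux `ip route show` output and flags routes that send non-local traffic out through a physical interface instead of the tunnel, which is what a DHCP-pushed classless static route (option 121) looks like. The interface names, addresses and the sample table are constructed.

```python
"""Flag routing-table entries that would steer traffic around a VPN tunnel.

Added illustration, not IVPN code. Parses `ip route show` output (Linux) and
reports routes more specific than the tunnel's default that leave via a
physical interface. Interface names, addresses and the table are constructed.
"""
import ipaddress

# Constructed sample of `ip route show` on a laptop with a VPN on tun0.
# The final line is the kind of classless static route a rogue DHCP server
# can push: a prefix routed via the LAN gateway rather than the tunnel.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
198.51.100.0/24 via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""

def parse_route(line):
    """Return (network, via, dev) for one `ip route` line."""
    tokens = line.split()
    dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    network = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
    via = tokens[tokens.index("via") + 1] if "via" in tokens else None
    dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
    return network, via, dev

def bypass_routes(route_text, vpn_if, vpn_server):
    """Return routes that send non-local traffic past the VPN interface.

    Exempt: anything on vpn_if, directly connected prefixes (no 'via'), the
    physical default route (the /1 tunnel routes override it), and the /32
    host route to the VPN server, which must legitimately stay outside the tunnel.
    """
    server_route = ipaddress.ip_network(vpn_server + "/32")
    flagged = []
    for line in route_text.strip().splitlines():
        network, via, dev = parse_route(line)
        if dev == vpn_if or via is None:
            continue
        if network.prefixlen == 0 or network == server_route:
            continue
        flagged.append((str(network), via, dev))
    return flagged

def tunnel_default_present(route_text, vpn_if):
    """True when the tunnel carries 0.0.0.0/1 + 128.0.0.0/1 or a full default."""
    routes = map(parse_route, route_text.strip().splitlines())
    nets = {str(n) for n, _, d in routes if d == vpn_if}
    return "0.0.0.0/0" in nets or {"0.0.0.0/1", "128.0.0.0/1"} <= nets

if __name__ == "__main__":
    for net, via, dev in bypass_routes(SAMPLE_ROUTES, "tun0", "203.0.113.5"):
        print(f"BYPASS: {net} via {via} dev {dev}")
```

On a live system, feed the output of `ip route show` in place of the sample; a non-empty result means some destinations are routed around the tunnel, and a firewall that drops traffic leaving on any interface other than the VPN one (as the desktop apps do by default) is what stops those packets.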

Is this exploit or vulnerability that major of a deal, given that in most enterprises that utilize VPNs, the applications that work over that VPN are already encrypted in transit these days? So the VPN tunnel is compromised and the attacker's DHCP server/default GW that is brokering this traffic has full visibility now BEFORE it is encrypted on that VPN tunnel, but if everything the user is accessing that would go through that VPN tunnel is HTTPS/encrypted applications (LDAPS) etc… WITHIN that broken VPN tunnel now, does it really mean much these days?

Someone mentioned network namespaces.

Just added my thoughts on that, and suggested open source projects that can help reduce the attack surface for developers and security teams in the future: https://otterize.com/blog/moving-beyond-perimeter-security

With regards to b;
I purchased IVPN exclusively for iOS/iPadOS devices. Android is not an alternative, due to the applications I use.

You’re basically telling me to stop using your service (or, in a wider sense, to not bother with commercial VPNs at all on this platform). Has anyone at least attempted to escalate this issue with Apple?

I’ve only been able to find this on Apple developer channels; Fix for TunnelVision attack, or di… | Apple Developer Forums

Is this exploit or vulnerability that major of a deal

It depends. I believe there are applications without encryption that are impacted; I have had a developer ask me why web traffic on an internal network (including VPN) needs to be encrypted when it is trusted.

Yes, we are suggesting that you stop using our service and any other VPN application on iOS if your threat model includes protection against sophisticated attackers who can be in a position to connect to the same local network you are on. For now, today, it’s the best we can do, and also more prudent than any other action (silence/denial/etc).

I’m just going to use password protected wifi at home and cellular data everywhere else. Public wifi is nice, but many people can just use their unlimited cellular data anyways.

Therein, you have removed yourself from 99% of their attack surface…