A security firm is warning about “TunnelVision,” a technique to leak user data from a VPN. But several VPN companies say their services already include safeguards that block the threat.
“Despite the alarmist claims by some tech publications, ‘virtually all VPN apps’ are NOT vulnerable to this exploit,” VPN provider Windscribe tweeted.
This week, researchers at Seattle-based Leviathan Security Group disclosed TunnelVision, saying the problem has been around since 2002 and can lead to a “total VPN leak [and] doesn’t have a complete fix for most computers.”
The threat involves abusing “routing tables,” or rules that dictate how traffic is transmitted over an internet network—a threat vector that other researchers have brought up. Leviathan Security discovered that an attacker can redirect a VPN user’s routing by rigging a rogue Dynamic Host Configuration Protocol (DHCP) server within a network. A feature on DHCP servers known as option 121 can be exploited to essentially unload the VPN traffic into an unencrypted lane.
“The result of this is the user transmits packets that are never encrypted by a VPN, and an attacker can snoop their traffic,” the company says.
However, TunnelVision isn’t as dangerous as it may sound and your internet traffic won’t suddenly be exposed in plain text when connected to a VPN. That’s because most of your web traffic is already encrypted, even without a VPN, since your browser usually connects to websites using HTTPS encryption. Leviathan Security’s own FAQ on TunnelVision also acknowledges this. “If HTTPS traffic is decloaked it is still not possible to view the encrypted contents of the packet,” the company said. “However, it is still possible to see the destination and the protocol of the packet. Normally, that information would be inside the VPN protocol’s payload and encrypted.”
The other issue is that Leviathan Security stopped short of identifying whether TunnelVision affects any VPN providers. Services including ExpressVPN, Mullvad, NordVPN, and Windscribe have all pushed back against the research, saying their products contain firewall rules and kill switches that can stop such traffic leaks from occurring.
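
For defenders, one way to see what the option 121 field of a DHCP reply would add to a routing table, as an added example that is not from the article or from Leviathan Security. It assumes the VPN installs the routes passed in as `vpn_routes` and that the operating system prefers the longest matching prefix; the sample bytes, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: options field of a DHCP reply (bytes after the magic cookie).
SAMPLE_OPTIONS = bytes([
    1, 4, 255, 255, 255, 0,            # option 1: subnet mask
    3, 4, 192, 168, 1, 1,              # option 3: router
    121, 20,                           # option 121: classless static routes
    1, 0, 192, 168, 1, 66,             #   0.0.0.0/1      via 192.168.1.66
    1, 128, 192, 168, 1, 66,           #   128.0.0.0/1    via 192.168.1.66
    24, 192, 168, 1, 0, 0, 0, 0,       #   192.168.1.0/24 via 0.0.0.0 (on-link)
    255,                               # end marker
])

def parse_options(buf):
    """Walk the code/length/value options field and return {code: value}."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != 255:
        if buf[i] == 0:                # pad byte has no length field
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated DHCP option")
        code, length = buf[i], buf[i + 1]
        opts[code] = opts.get(code, b"") + buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_option_121(data):
    """Decode RFC 3442 entries: prefix length, significant octets, router."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8            # only the significant destination octets are sent
        if plen > 32 or i + 5 + n > len(data):
            raise ValueError("malformed option 121")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)
        router = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
        i += 5 + n
    return routes

def routes_beating_vpn(dhcp_routes, vpn_routes, lan):
    """Return pushed routes that win or tie against a VPN route on prefix length."""
    return [(net, gw) for net, gw in dhcp_routes
            if not net.subnet_of(lan)
            and any(net.overlaps(v) and net.prefixlen >= v.prefixlen for v in vpn_routes)]
```

Routes inside the local subnet are skipped here as ordinary on-link entries; anything else that is at least as specific as a tunnel route is worth an alert or a firewall drop.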
The VPN providers also stress that an attacker would need to set up a rogue DHCP server within a network—a huge hurdle to overcome if the hacker wants to do so at a major internet service provider or cellular network.
As a result, ExpressVPN is telling its own users: “If you’re at home and no one has hacked your router, you’re safe. If you’re connecting by cellular network and not anyone else’s Wi-Fi, you’re safe. If the Wi-Fi network you’re joining is not controlled by a malicious actor, you’re safe. If you’re on a laptop and your kill switch is on, you’re safe. And so on. In practice it takes quite a combination of factors, all existing simultaneously, for this issue to present any risk at all.”
Leviathan Security has also acknowledged that firewall rules within a VPN can mitigate the threat. However, the company argues that even with a firewall, TunnelVision can be exploited to act as a “side-channel,” resulting in a data leak that could give an attacker a way to determine which sites the VPN user is accessing.
Matthew Harrigan, a Vice President at Leviathan Security, told PCMag this side-channel is a privacy weakness that VPN providers are neglecting to address. “TunnelVision itself is not an attack that is difficult to exploit,” he added. “We wrote a tool called ArcaneTrickster which also appears in our proof of concept demo video. This tool is not currently publicly available because we wanted to be intentionally careful with respect to releasing tools that make this attack accessible. In some scenarios, it would be as simple as bringing a device running ArcaneTrickster onto a network which would fully automate this exploit.”
Despite the pushback from the VPN industry, Leviathan Security’s point seems to be that TunnelVision can erode one of the main marketing messages from VPN services—that using a VPN will always encrypt your internet connection, even over an untrusted network. “People who use VPNs and think they are completely protected on unsafe networks are wrong,” Leviathan Security wrote. “This includes people like journalists or activists who really need to keep their information safe. TunnelVision shows that just using a VPN isn’t enough. It also calls into question whether VPNs should make such promises at all.”
In the meantime, the VPN providers caution that TunnelVision can pose more of a threat to iOS devices since Apple rules prevent the full creation of a VPN kill switch.