A new vulnerability in VPN applications has been discovered that could compromise the security of millions of users worldwide. The attack, known as TunnelVision, has been found to affect almost all VPN apps, rendering them useless against malicious actors. The vulnerability has been found to exist since 2002 and may have already been exploited in the wild.
Researchers have discovered that the attack can be performed by setting up a rogue DHCP server, allowing attackers to route some or all traffic through an unencrypted tunnel. The VPN application will still report that the data is being sent through the protected connection, but in reality, it is not. The attack can be performed by anyone who can connect to the network as an unprivileged user. The only way to prevent such attacks is to use a VPN that runs on Linux or Android.
TunnelVision
In May 2024, a novel attack against virtually all VPN apps was discovered by security researchers. The attack, known as TunnelVision, renders the entire purpose of VPNs useless by forcing them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.
Technical Breakdown of the Attack
The TunnelVision vulnerability has existed since 2002 and may already be known to attackers. It involves the use of a rogue DHCP server to trick the VPN app into routing traffic outside of the encrypted tunnel. The attacker can set up their own DHCP server on a network to send a malicious IP address to the VPN client. The VPN client then sends all traffic to the attacker’s IP address, which is not encrypted, exposing the user’s data to potential eavesdropping and tampering.
Implications for VPN Users
The researchers believe that the attack affects all VPN applications when they are connected to a hostile network. There are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android. The attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.
VPN users who are concerned about the vulnerability should take measures to protect themselves, such as using a VPN that runs on Linux or Android, or avoiding using VPNs on hostile networks. It is also important to keep VPN software up to date and to follow best practices for online security, such as using strong passwords and avoiding public Wi-Fi networks.
Analysis of Affected VPN Applications
Survey of Compromised VPN Services
The recent attack against virtually all VPN apps has brought to light the vulnerabilities of many popular VPN services. According to Ars Technica, the attack affects almost all VPN applications when connected to a hostile network. The researchers behind the attack believe that there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android.
In a survey of compromised VPN services, it was found that the attack could force VPN apps to send and receive some or all traffic outside of the encrypted tunnel. This means that users’ sensitive information could be intercepted and compromised. Some of the VPN services affected include ExpressVPN, NordVPN, and Private Internet Access.
Security Measures Bypassed
The attack against VPN apps bypasses many security measures that VPN services use to protect user data. Normally, VPNs work by setting the routing to go over the VPN network itself. However, the attack targets the routing tables of the device, forcing it to send and receive some or all traffic outside of the encrypted tunnel.
The attack can also be carried out by setting up a rogue DHCP server, allowing unprivileged users to perform the attack and route traffic through an unencrypted tunnel. This allows attackers to intercept sensitive information such as login credentials, credit card numbers, and other sensitive data.
Industry Response
Following the discovery of the TunnelVision vulnerability that affects virtually all VPN applications, the industry has responded with official statements and security patches.
Official Statements from VPN Providers
Many VPN providers have issued official statements in response to the TunnelVision vulnerability. ExpressVPN, for example, has acknowledged the vulnerability and assured its users that it has already taken action to mitigate the risk. The company has released a security update that addresses the issue and advised its users to update their VPN clients as soon as possible.
Similarly, NordVPN has also released a statement acknowledging the vulnerability and has stated that it has already implemented security measures to protect its users. The company has advised its users to update their VPN clients and assured them that their data remains secure.
Security Patches and Updates
In response to the TunnelVision vulnerability, many VPN providers have released security patches and updates to address the issue. These patches and updates aim to prevent the vulnerability from being exploited and ensure that users’ data remains secure.
For example, Private Internet Access (PIA) has released a security update that addresses the vulnerability and has advised its users to update their VPN clients as soon as possible. The company has also assured its users that their data remains secure and that it is committed to providing a secure VPN service.
Similarly, CyberGhost VPN has also released a security update that addresses the vulnerability and has advised its users to update their VPN clients. The company has also stated that it takes the security of its users’ data very seriously and is committed to providing a secure VPN service.
