#tunnelvision

prplcdclnw@diasp.eu

TunnelVision: Decloaking Routing-Based VPNs

CVE-2024-3661

If you want to be safe, don't get DHCP service from anything but your own router. Don't connect to public WiFi anywhere. If you need to use a local network you don't control, connect your router to it and connect your device to your router so you get DHCP service from your router, not someone else's. It's also important that only your devices be allowed to connect to your router.

https://github.com/leviathansecurity/TunnelVision

TunnelVision is a local network VPN leaking technique that allows an attacker to read, drop, and sometimes modify VPN traffic from a targets (sic) on the local network. This technique does not activate kill-switches and does not have a full fix for every major operating system. We are using the built-in and widely supported feature DHCP option 121 to do this.\
\
Option 121 supports installing multiple routes with CIDR ranges. By installing multiple /1 routes an attacker can leak all traffic of a targeted user, or an attacker might choose to leak only certain IP addresses for stealth reasons. We're calling this effect decloaking.\
\
TunnelVision has been theoretically exploitable since 2002, but has gone publicly unnoticed as far as we can tell. For this reason, we are publishing broadly to make the privacy and security industry aware of this capability. In addition, the mitigation we've observed from VPN providers renders a VPN pointless in public settings and challenges VPN providers' assurances that a VPN is able to secure a user's traffic on untrusted networks.\
\
A fix is available on Linux when configuring the VPN users host to utilize network namespaces. However, we did not encounter its use outside of our own research. The best documentation we've found about that fix is available from WireGuard's team. It remains unclear, at the time of publishing, whether this fix or a similar fix is also possible on other operating systems such as Windows and MacOS due to neither appearing to have support for network namespaces.

#security #safety #privacy #surveillance #spying #vpn #vpns #virtual-private-network #virtual-private-networks #tunnelvision