#vpns

joseph_teller@diaspora.glasswings.com

Novel attack against virtually all VPN apps neuters their entire purpose

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

Your VPN may not actually be functioning

#VPNs #ArsTechnica #Computers #Linux #TunnelVisionVulnerability #Android

prplcdclnw@diasp.eu

TunnelVision: Decloaking Routing-Based VPNs

CVE-2024-3661

If you want to be safe, don't get DHCP service from anything but your own router. Don't connect to public WiFi anywhere. If you need to use a local network you don't control, connect your router to it and connect your device to your router so you get DHCP service from your router, not someone else's. It's also important that only your devices be allowed to connect to your router.

https://github.com/leviathansecurity/TunnelVision

TunnelVision is a local network VPN leaking technique that allows an attacker to read, drop, and sometimes modify VPN traffic from a targets (sic) on the local network. This technique does not activate kill-switches and does not have a full fix for every major operating system. We are using the built-in and widely supported feature DHCP option 121 to do this.

Option 121 supports installing multiple routes with CIDR ranges. By installing multiple /1 routes an attacker can leak all traffic of a targeted user, or an attacker might choose to leak only certain IP addresses for stealth reasons. We're calling this effect decloaking.

TunnelVision has been theoretically exploitable since 2002, but has gone publicly unnoticed as far as we can tell. For this reason, we are publishing broadly to make the privacy and security industry aware of this capability. In addition, the mitigation we've observed from VPN providers renders a VPN pointless in public settings and challenges VPN providers' assurances that a VPN is able to secure a user's traffic on untrusted networks.

A fix is available on Linux when configuring the VPN user's host to utilize network namespaces. However, we did not encounter its use outside of our own research. The best documentation we've found about that fix is available from WireGuard's team. It remains unclear, at the time of publishing, whether this fix or a similar fix is also possible on other operating systems such as Windows and macOS due to neither appearing to have support for network namespaces.

#security #safety #privacy #surveillance #spying #vpn #vpns #virtual-private-network #virtual-private-networks #tunnelvision
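The quoted README explains the mechanism (DHCP option 121 carrying classless static routes, two /1 routes covering all of IPv4 or a single narrow route for a stealthy leak) but shows no bytes. The following is an added example, not code from the TunnelVision repository or from the posters above. It encodes and decodes option 121 per RFC 3442, checks whether a pushed route set covers the whole IPv4 space, and runs a longest-prefix match over a constructed routing table in which the VPN owns 0.0.0.0/0 and every DHCP-pushed route points out the physical interface. The gateway 192.0.2.1, the target 203.0.113.7, the interface names tun0/eth0 and the table itself are all constructed for this example; how an OS breaks ties between equal-length prefixes (for a VPN that itself installs two /1 routes) is OS-specific and is not modelled.

```python
# Added example: DHCP option 121 (RFC 3442) encoder/decoder plus a routing
# lookup that shows why pushed routes win over a VPN's default route.
# All addresses, interface names and table contents below are constructed.
import ipaddress


def encode_option121(routes):
    """Serialise [(network_str, router_str), ...] as an option 121 value.

    RFC 3442 layout per route: one octet of prefix length, then only the
    significant octets of the destination (ceil(prefix/8) of them), then
    the four octets of the router address.
    """
    out = bytearray()
    for net_s, gw_s in routes:
        net = ipaddress.IPv4Network(net_s)
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gw_s).packed
    return bytes(out)


def decode_option121(payload):
    """Parse an option 121 value back into [(network_str, router_str), ...]."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError("bad prefix length %d" % plen)
        sig = (plen + 7) // 8
        if i + 1 + sig + 4 > len(payload):
            raise ValueError("truncated route at offset %d" % i)
        # Restore the destination octets the encoder was allowed to drop.
        dest = payload[i + 1:i + 1 + sig] + b"\x00" * (4 - sig)
        gw = payload[i + 1 + sig:i + 5 + sig]
        # strict=False masks any host bits a sloppy sender left set.
        routes.append((str(ipaddress.IPv4Network((dest, plen), strict=False)),
                       str(ipaddress.IPv4Address(gw))))
        i += 1 + sig + 4
    return routes


def covers_all_ipv4(routes):
    """True when the pushed destinations, merged, equal 0.0.0.0/0 (full decloak)."""
    nets = [ipaddress.IPv4Network(n) for n, _ in routes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.IPv4Network("0.0.0.0/0")]


def egress_interface(payload, dst, vpn_if="tun0", phys_if="eth0"):
    """Longest-prefix match over a constructed table.

    The VPN holds 0.0.0.0/0 on vpn_if; each option 121 route is installed on
    phys_if. Any pushed prefix longer than /0 therefore beats the tunnel.
    """
    table = [(ipaddress.IPv4Network("0.0.0.0/0"), vpn_if)]
    table += [(ipaddress.IPv4Network(n), phys_if) for n, _ in decode_option121(payload)]
    addr = ipaddress.IPv4Address(dst)
    best = max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[1]


if __name__ == "__main__":
    gw = "192.0.2.1"  # constructed: the attacker's DHCP-announced router
    full = encode_option121([("0.0.0.0/1", gw), ("128.0.0.0/1", gw)])
    stealth = encode_option121([("203.0.113.7/32", gw)])
    print("full payload:", full.hex(), decode_option121(full))
    print("covers all IPv4:", covers_all_ipv4(decode_option121(full)))
    for name, p in (("full", full), ("stealth", stealth)):
        for dst in ("93.184.216.34", "203.0.113.7"):
            print(name, dst, "->", egress_interface(p, dst))
```

The two-route payload is only 12 bytes, which is why it fits comfortably in a DHCP offer; a detector on the client side can simply parse option 121 from any lease it accepts and alert when `covers_all_ipv4` is true or when any pushed route overlaps destinations the VPN is supposed to carry.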

prplcdclnw@diasp.eu

Good Attempt to Investigate VPNs

Updated May 18, 2021

tl;dr -- Mullvad or IVPN

https://www.nytimes.com/wirecutter/reviews/best-vpn-service/

How we picked

To narrow down the list of VPN providers, we looked at VPNs listed in reviews from sources such as CNET, PCMag, and The Verge, as well as recommendations from the nonprofit Freedom of the Press Foundation and the security firm Bishop Fox. We also looked at VPNs that had answered questions on the Center for Democracy & Technology’s Signals of Trustworthy VPNs survey. We combined these results with research and recommendations from noncommercial sources such as That One Privacy Site, customer experiences and tips on the r/VPN subreddit, and reviews in the App Store and Google Play store. We piled this research on top of our work from previous years, which looked at sites such as vpnMentor and TorrentFreak and technology-focused websites like Lifehacker and Ars Technica, as well as those services that were simply on our staff’s personal radars.

In 2019, we settled on 52 VPNs that were repeatedly recommended or at least so highly visible that you’re likely to encounter them when shopping for a VPN provider. In 2020, we added four more. From there, we dug into the details on how each one handled issues from technology to subscriptions, as well as the steps they’ve taken to improve their transparency and security posture.

#vpn #vpns #mullvad #ivpn #security #privacy #surveillance