I’ve been seeing a lot of confusion around the TunnelVision vulnerability. While I’m no expert, I’ve done a fair share of research and I’ll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?
Two sentence summary of the vulnerability
When you use a commercial VPN like Mullvad or NordVPN, the VPN client tells your system to redirect all traffic through the VPN. This recent vulnerability shows that a malicious device on the network can trick your system into redirecting traffic to their device instead.
Claim: just don’t connect to hostile networks!
This is hard in practice. For most people, the only “trusted” networks are your home network and your workplace. So you still have to worry about coffee shops, airports, hotels, restaurants, etc. And if you are using cellular data, the cellular tower can perform this attack to snoop on your traffic.
Claim: but I trust the hotel owner, restaurant owner, etc
This attack allows any device on the network to impersonate a DHCP server and attack your system, not just the router. And while there are router settings that can prevent devices on the network from talking to each other, afaik they are rarely used. So even if you trust the owner of the cafe, you have to also trust everybody else in the cafe.
Claim: if you use HTTPS you are safe!
If the attacker redirects traffic to their machine, then even if you use HTTPS, the attacker can still see what websites you connect to, they just can’t see what you are sending or receiving. So basically they can steal your browsing history, which defeats the purpose of a commercial VPN for many users.
Claim: Linux users are safe!
Not quite. The report says that Linux has a feature that is able to fully defend against this vulnerability, called network namespaces. So if your VPN uses that, congratulations. Afaik most VPNs do not use this, and instead use a kill-switch or a firewall. In which case Linux, Mac, and Windows users are all affected the same way, and I go into it more in the next claim.
Claim: if you use a kill-switch you are safe!
The term “kill switch” gets thrown around a lot but there’s actually two major ways that a kill-switch can be implemented. The first way is a more literal “kill switch” - when the VPN connection drops, the kill switch is triggered and blocks leaks. The other way is a persistent firewall, which blocks leaks all the time.
If your VPN client uses the first kind, then bad news, it won’t protect you against this attack. This is because the VPN connection is never dropped, so the kill switch is never triggered. NordVPN was caught using this poor practice, to nobody’s surprise (more info here).
If your VPN uses the second kind, then you should be safe. For example, Mullvad published a statement about how they are not vulnerable here. I would hope that any competent VPN would also use a persistent firewall, but if your VPN provider hasn’t published a statement yet, unfortunately your only other option is to inspect the VPN client yourself.
That being said, even if your VPN uses a persistent firewall, you may have read in the report that there’s a “side-channel” attack still possible…
Claim: even if you use a firewall, there’s a side-channel attack
This is true, but from what I read the side-channel is actually very hard to pull off and gain any useful information from. You can read some discussion about it here. My takeaway is that if you’re a regular user, you don’t have to worry about it. But we should still push VPN providers and network engineers to use network namespaces in their applications, since they are more resistant to these kinds of attacks.
Claim: you shouldn’t trust commercial VPN providers anyways
This is not really about the vulnerability but I’ve seen it a lot in the discussions. I think it’s a mischaracterization of why people use VPNs. If you are using the internet, somebody has to send that traffic to your destination. The three major options are your ISP, a VPN provider, or Tor. Depending on your location and your circumstances, you will trust these three differently. In the EU, ISPs are not allowed to sell data. In the US, ISPs are allowed to, and have been caught doing so. VPNs can sell data too but they risk losing their entire business. Tor is much harder to judge, but the bigger issue with Tor is that many websites block it.
Further reading:
- Official Report
- Official TLDR and FAQ
- Arstechnica article
- Hacker News discussion
- one of the original researchers is active in this discussion, see comments by @morattisec
Claim: if you use HTTPS you are safe!
Overall a solid writeup, but this part could use some clarification. Assuming the VPN client doesn’t leak DNS this is only a concern after exploitation by DHCP option.
Another thing that might be noted, since this is a DHCP based issue the window for compromise is largely going to be at the time of connection unless the server has a particularly short lease time. If there are multiple DHCP servers on the same network answering requests it’s bound to raise some alarms if someone is watching the network so it makes 3rd person exploitation a very noisy method since you would have a race for who offered the lease first.
Edit: Really this attack isn’t just a problem for VPNs but could apply to any network connectivity. A rouge DHCP sever can cause all sorts of havoc. There used to be an single button APK called ‘firesheep’ that would do similar to this by presenting itself as the gateway, although that wouldn’t have allowed for the specific split routing config option push.
I added clarification that the HTTPS part is assuming that the attacker has already performed the DHCP attack. Thanks for the note!
The DHCP race is one part I didn’t go into detail about since I’m not very familiar with the details, but what you wrote makes sense. One potential danger is a hacker at a coffee shop, where the shop owner is unlikely to be monitoring the network, and there are going to be many new connections coming in all the time. It’s still an unlikely scenario, but it also isn’t a particularly difficult attack.
Discover/offer/request/acknowledge since it didn’t make a pretty picture for me.
Basically it’s just a case of who answers first. A DHCP discover is a broadcast message since the client doesn’t know where or even if there is a server on the net. Whoever gets back to the client first with an offer though will end up with the request/ack following up and get to provide whatever options they push along with the offer.