140
submitted 1 year ago* (last edited 1 year ago) by Elephant0991@lemmy.bleh.au to c/technology@lemmy.world

What are TunnelCrack vulnerabilities?

  • Two widespread security vulnerabilities in VPNs can be abused by an adversary to leak traffic outside the VPN tunnel.
  • The two vulnerabilities are called the LocalNet and ServerIP attack.

Summary of what VPNs are vulnerable to TunnelCrack

  • VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable
  • A majority of VPNs on Windows and Linux are vulnerable
  • Android is the most secure with roughly one-quarter of VPN apps being vulnerable.
  • Users generally decide which VPN protocol to adopt while creating the VPN tunnel, with common options being OpenVPN, WireGuard, or IPsec. As a result, the precise configuration of the client, and whether it is vulnerable to (variants of) our attacks, may depend on the chosen VPN server and protocol.

TunnelCrack Prevention

To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.

How do the LocalNet and ServerIP attacks work?

LocalNet attack:

  • The adversary acts as a malicious Wi-Fi or Ethernet network and tricks the victim into connecting to it.

  • Once connected, the adversary assigns a public IP address and subnet to the victim.

  • The adversary then tells the victim that the local network is using this subnet, which means that IP addresses in this range are directly reachable in the local network. When the victim now visits a website with an IP address in this range, the web request will be sent outside the protected VPN tunnel.

  • 66+ VPNs on five platforms were tested and found that all VPN apps on iOS are vulnerable. Additionally, all but one VPN client on macOS is vulnerable, on Windows a large majority of VPNs are vulnerable, and on Linux more than one-third are vulnerable. Interestingly, VPN apps on Android are typically the most secure, with one-quarter being vulnerable to the LocalNet attack.

ServerIP attack:

  • The adversary abuses the observation that many VPNs don't encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets.

  • The adversary first spoofs the DNS reply for the VPN server to return the IP address of a website that they control. The victim will then connect with the VPN server at this IP address.

  • To assure the victim still successfully creates a VPN connection, the adversary redirects this traffic to the real VPN server.

  • While establishing the VPN connection, the victim will add a routing rule so that all traffic to the VPN server, in this case the spoofed IP address, is sent outside the VPN tunnel. When the victim now visits a website with the IP address of the VPN server, the web request is sent outside the protected VPN tunnel.

  • Built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable.

you are viewing a single comment's thread
view the rest of the comments
[-] jmp242@sopuli.xyz 11 points 1 year ago

The first one is just split tunneling which is a design feature for most organizations using VPN, so any company paying for this for their employees, and many using stuff like OpenVPN explicitly want that feature for good reasons.

The second requires both intercepting DNS (which I think is getting harder all the time with DNSSEC etc) and you not using a server certificate to authenticate the actual VPN server (unless I really misunderstand what's happening here). Most public VPN servers don't seem to be configured to work as you say (not send traffic for their server / site over the tunnel) - at least OpenVPN with common configurations will send traffic over the tunnel as far as I've been able to determine. Some details to reproduce this would be helpful. The paper isn't currently available, but I'm still wondering how they're adding a static route to the client unless they can in fact terminate the VPN connection and pass back config rules different from the client config file.

[-] somenonewho@feddit.de 1 points 1 year ago

Yeah I don't quite see how this is supposed to work either. They say they send the traffic to the intercepting server and then forward it to the "real" VPN server to actually establish the connection. But unless they can actually crack any of the encryption, all they have is the encrypted traffic to and from the sever if I'm not mistaken ... So what they do with that I'm unsure.

load more comments (3 replies)
this post was submitted on 08 Aug 2023
140 points (99.3% liked)

Technology

59436 readers
1252 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS