Almost all VPNs have been susceptible to eavesdropping for years


Almost all VPN applications are at risk of leaking their traffic. This is a highly targeted attack technique that has probably been possible for years.

The technique, called TunnelVision (CVE-2024-3661), was discovered by the Leviathan Security Group. The essence is that a user on a network the attacker controls risks having their VPN connection eavesdropped, while to the user it still looks like a securely connected session.

An attack requires the perpetrator to manipulate the network’s DHCP server, the service that hands out IP addresses to devices joining the network. A DHCP option that client devices honor, ‘option 121’, lets the DHCP server push routes that override the default routing rule. This allows traffic that should go through the VPN to be routed via a specific local IP address instead.

Because the pushed route names that server as the gateway, the traffic flows through the DHCP server, where its content can be read.

The ‘option 121’ in question allows attackers to set up one or more routes for internet traffic. Traffic sent along those routes is not encrypted by the VPN; it is forwarded out of the network interface that talks to the DHCP server. The attacker can thus choose which IP addresses go through the VPN tunnel and which go out via that network interface.
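To make the routing mechanism concrete, here is an added example (not from the original article or from Leviathan): a decoder for the option 121 wire format (RFC 3442 classless static routes) together with a longest-prefix-match check that reports which pushed routes would win over a VPN client’s tunnel routes. The sample option payload, the gateway addresses, the interface names `tun0` and `eth0` and the two `/1` tunnel routes are all constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

IPv4Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]
TableEntry = Tuple[ipaddress.IPv4Network, str, str]  # (network, gateway, interface)

# Constructed sample payload of DHCP option 121 (classless static route, RFC 3442).
# Wire format per route: prefix length (1 byte), the significant bytes of the
# destination (ceil(prefix/8) of them), then the router address (4 bytes).
#   route 1: 0.0.0.0/0      via 192.168.1.1   (an ordinary default route)
#   route 2: 203.0.113.0/24 via 192.168.1.77  (a more specific route to a
#            documentation-range destination via a constructed local gateway)
SAMPLE_OPTION_121 = bytes([
    0, 192, 168, 1, 1,
    24, 203, 0, 113, 192, 168, 1, 77,
])

# Constructed routing table as many VPN clients leave it: the default route is
# overridden with two /1 routes via the tunnel interface rather than replaced,
# so the physical default route stays available for the tunnel endpoint itself.
VPN_TABLE: List[TableEntry] = [
    (ipaddress.IPv4Network("0.0.0.0/1"), "10.8.0.1", "tun0"),
    (ipaddress.IPv4Network("128.0.0.0/1"), "10.8.0.1", "tun0"),
]
LAN_IFACE = "eth0"  # constructed name of the interface the DHCP lease arrived on


def decode_option_121(data: bytes) -> List[IPv4Route]:
    """Parse an option 121 value into (destination network, router) pairs."""
    routes: List[IPv4Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nbytes = (plen + 7) // 8
        if i + nbytes + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        # Pad the significant octets back out to a full 4-byte address.
        dest_int = int.from_bytes(data[i:i + nbytes].ljust(4, b"\x00"), "big")
        i += nbytes
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        # strict=False tolerates stray host bits in the last significant octet.
        routes.append((ipaddress.IPv4Network((dest_int, plen), strict=False), router))
    return routes


def lookup(dest: ipaddress.IPv4Address, table: List[TableEntry]) -> Optional[TableEntry]:
    """Longest-prefix match, as a kernel does it (metrics ignored for simplicity)."""
    best: Optional[TableEntry] = None
    for entry in table:
        net = entry[0]
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def audit_dhcp_routes(option_data: bytes, vpn_table: List[TableEntry]) -> List[str]:
    """Return the pushed routes that would carry traffic around the tunnel.

    A pushed route is diverting if, once installed on the LAN interface, it beats
    every tunnel route for its own destination. A plain 0.0.0.0/0 loses to the
    client's /1 routes; anything /2 or longer wins, which is the whole problem.
    """
    pushed = decode_option_121(option_data)
    table = list(vpn_table) + [(net, str(gw), LAN_IFACE) for net, gw in pushed]
    diverted: List[str] = []
    for net, gw in pushed:
        winner = lookup(net.network_address, table)
        if winner is not None and winner[2] != "tun0":
            diverted.append(f"{net} via {gw}")
    return diverted


if __name__ == "__main__":
    for line in audit_dhcp_routes(SAMPLE_OPTION_121, VPN_TABLE):
        print("bypasses tunnel:", line)
```

Run as a script it prints the one pushed route that wins over the tunnel. The check is deliberately a routing-table view only: a client that also pins traffic with firewall rules or a separate network namespace (the Linux mitigation the article alludes to) is not modelled here.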

Admin rights useful, but not necessary

The discoverers explain that the attack works best if the perpetrator has administrator rights on the network, because the option can then be enabled on the legitimate DHCP server. But someone on the network can also set up a DHCP server of their own and achieve much the same thing.

Since 2002

Note: the attack does not work on Android, because option 121 is not implemented there. For other systems there is no escape at this point. On Linux the impact can be limited through configuration, but not ruled out completely.

What makes matters even more disturbing is that option 121 has been around since 2002. The researchers also suspect that the technique has already been used in the past. They deliberately avoid calling it a vulnerability, because that is open to discussion: it is a function that was built in on purpose. But it renders VPN services useless, since their whole purpose is to shield your traffic.

Surfing via 5G

There are workarounds pending technical fixes, say the discoverers at Leviathan. Not honoring option 121 (it seems that is the default) is one of them, although it may then be impossible, or at least harder, to get onto some networks.

The danger lies mainly with WiFi networks, so another option is to use the mobile network (4G or 5G), for example by turning your mobile phone into a hotspot. Working from a virtual machine can also avoid the problem, as long as the virtual machine’s network adapter is not in bridged mode.

The article is in Dutch
