Novel attack against virtually all VPN apps neuters their entire purpose

"There are no ways to prevent such attacks except when the user's VPN runs on Linux or Android."

So there are ways.

So for this attack to work, the attacker needs to be able to run a malicious DHCP server on the target machine’s network.

Meaning they need to have already compromised your local network either physically in person or by compromising a device on that network. If you’ve gotten that far you can already do a lot of damage without this attack.

For the average person this is yet another non-issue. But if you regularly use a VPN over untrusted networks like a hotel or coffee shop wifi then, in theory, an attacker could get your traffic to route outside the VPN tunnel.

there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android.

So . . . unix? Everything-but-Windows?

If your LAN is already compromised with a rogue DHCP server, you've got bigger problems than them intercepting just VPN traffic. They can man in the middle all of your non-encrypted traffic. While this is bad, it's not a scenario most people will run into.

To be fair, any proper VPN setup that only relies on the routing table like this is flawed to begin with.
If the VPN program dies or the network interface disappears, the routes are removed aswell, allowing traffic to leave the machine without the VPN.
So it is already a good practice to block traffic where it shouldnt go (or even better, only allowing it where it should).

Many VPN-Programs by Providers already have settings to enable this to prevent "leaking".

So I gave the article a glance and it's a bit beyond me can someone give me an eli5?

I think this is a good enough reason to actually put in some effort to phase out ipv4 and dhcp. There shouldn't be a way for some random node on the network to tell my node what device to route traffic over. Stateless ipv6 for the win.

(…) the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address.

No. That is not the entire point of a VPN. That’s just what a few shady companies are claiming to scam uninformed users into paying for a useless service. The entire point of a VPN is to join a private network (i.e. a network that is not part of the Internet) over the public internet, such as connecting to your company network from home. Hence the name ‘virtual private network’.

There are very little, if any, benefits to using a VPN service to browse the public internet.

Step one, be in full control of DNS on the network. Not difficult, but not simple.

So if they are changing routes by using DHCP options, perhaps this could be exploited by telecom insiders when you are using mobile data, because your mobile data IP could be assigned by a DHCP server on the telecom network. If you're at home on wifi, then you can control your own DHCP server to prevent that.

To execute this you need a DHCP server on the network.... But any admin worth his salt has a config on the switch to limit DHCP traffic to a designated server.

Seems extremely difficult to pull off in any corporate environment

That's why half decent VPN apps also add firewall rules to prevent leakage. Although nothing can beat Linux and shoving the real interface in a namespace so it's plainly not available to anything except the VPN process.

If i get this right, that attack only works before the tunnel is initiated (i.e. traffic encrypted), if the hosts is compromised, right? No danger from untrusted points inbetween, right?

I use option 121 as part of my work, though I am not an expert on DHCP. This attack does make sense to me and it would be hard to work around given the legitimate uses for that option.

But why was this attacking novels? Are comic books safe?

Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.

Ok, so double encrypted and authenticated traffic (TLS inside the VPN) would still be safe, and some stuff requiring an internal network origin via the VPN is safe (because the attacker can't break into the VPN connection and your client won't get the right response), but a ton of other traffic is exposed (especially unencrypted internal traffic on corporate networks, especially if it's also reachable without a VPN or if anything sends credentials in plaintext)

So..

reject 121;

In your dhclient?

This is the best summary I could come up with:

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address.

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network.

A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel.

When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.

This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation.

The original article contains 903 words, the summary contains 196 words. Saved 78%. I'm a bot and I'm open source!

Does this mean I still can't watch porn in Texas?

If someone uses vpns for anything other than region locked content then that’s not very smart.

It’s one big security risk and no attacks are necessary for some vpn company tech to sell your data. Hell I’d do it myself to a highest bidder, sorry.

It’s like walking naked around some stranger’s house and trusting them to close their eyes.