We present two widespread design flaws in VPN client. These can be abused to make a victim leak traffic in plaintext outside the protected VPN tunnel.

What are TunnelCrack vulnerabilities?

  • Two widespread security vulnerabilities in VPNs can be abused by an adversary to leak traffic outside the VPN tunnel.
  • The two vulnerabilities are called the LocalNet and ServerIP attack.

Summary of what VPNs are vulnerable to TunnelCrack

  • VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable
  • A majority of VPNs on Windows and Linux are vulnerable
  • Android is the most secure with roughly one-quarter of VPN apps being vulnerable.
  • Users generally decide which VPN protocol to adopt while creating the VPN tunnel, with common options being OpenVPN, WireGuard, or IPsec. As a result, the precise configuration of the client, and whether it is vulnerable to (variants of) our attacks, may depend on the chosen VPN server and protocol.

TunnelCrack Prevention

To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.

How do the LocalNet and ServerIP attacks work?

LocalNet attack:

  • The adversary acts as a malicious Wi-Fi or Ethernet network and tricks the victim into connecting to it.

  • Once connected, the adversary assigns a public IP address and subnet to the victim.

  • The adversary then tells the victim that the local network is using this subnet, which means that IP addresses in this range are directly reachable in the local network. When the victim now visits a website with an IP address in this range, the web request will be sent outside the protected VPN tunnel.

  • 66+ VPNs on five platforms were tested and found that all VPN apps on iOS are vulnerable. Additionally, all but one VPN client on macOS is vulnerable, on Windows a large majority of VPNs are vulnerable, and on Linux more than one-third are vulnerable. Interestingly, VPN apps on Android are typically the most secure, with one-quarter being vulnerable to the LocalNet attack.

ServerIP attack:

  • The adversary abuses the observation that many VPNs don’t encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets.

  • The adversary first spoofs the DNS reply for the VPN server to return the IP address of a website that they control. The victim will then connect with the VPN server at this IP address.

  • To assure the victim still successfully creates a VPN connection, the adversary redirects this traffic to the real VPN server.

  • While establishing the VPN connection, the victim will add a routing rule so that all traffic to the VPN server, in this case the spoofed IP address, is sent outside the VPN tunnel. When the victim now visits a website with the IP address of the VPN server, the web request is sent outside the protected VPN tunnel.

  • Built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable.

    • @assa123@infosec.pubEnglish
      511 months ago

      It narrows the chance of DNS interception but the second attack can be mitigated through certificate validation of the VPN server.

    • @jmp242English
      211 months ago

      I think both attacks are actually DNS vulnerabilities from my reading of the paper which is now available. It has nothing whatsoever to do with VPNs, except in so far as you can abuse DNS to redirect traffic to a hostname somewhere else. I suppose the first attack does suggest that commercial VPN companies should update their configuration to require the non-routed IPs to be the local network unless otherwise overridden by the customer. That should completely kill the first attack from what I can tell. Customers can also just look at their route tables after connecting to a random wifi and see if it looks weird (the local net not being 192.168.0.0/24, 172.16-20.0.0/16[IIRC, google the range],10.0.0.0/8)…

      The second attack still requires the attacker to control DNS, so again, is basically either the ISP or a rogue AP. I still think DNSSEC helps, DoH would help (but OSs don’t use this, and generally for good reason - we really really need PKI for DNS as the new standard IMHO, which I think DoH is trying to do), but also hardcoding the DNS server you use to a known good server (this might be hard, but like 1.1.1.1 is going to be harder to intercept) would stop it.

      This is also why people say VPN doesn’t provide full security on it’s own (Though I question the ability to pull these attacks off in most practical situations - quite a lot depends on your threat model) and redirecting HTTPS traffic for instance outside the VPN leaks that you connected to that site, but none of the contents of the traffic.

      • @iopq@lemmy.worldEnglish
        111 months ago

        I run a personal VPN on my DNS and I don’t know how to tell if I’m vulnerable.

        But when I’m in a country like China, using 1.1.1.1 directly is sometimes an issue, China poisons the unencrypted DNS traffic and blocks encrypted traffic on known DNS servers

        Given the threat model of a malicious state actor, what can I do?

        • @jmp242English
          111 months ago

          Honestly - nothing . You need to not use the Internet for anything sensitive if a nation state is after your traffic, even moreso if you’re inside their network, even more so if it’s controlled as tightly as China does.

          In the US you might hide among the other traffic if you really know what you’re doing and very careful. Especially if they’re not suspecting you and so aren’t directly targeting you. And that’s a big if. China blocks traffic so you just end up. Screwed.

          • @iopq@lemmy.worldEnglish
            111 months ago

            That’s absolutely wrong, even China can’t get to my encrypted traffic, since I’m hiding it among the other encrypted traffic on port 443

            Also, I’m not using encrypted client hello (banned in China), but it’s spoofed to a real domain of a real company so the GFW thinks I just really love that website

            • @jmp242English
              111 months ago

              Ok, but now you’re masquerading as HTTPS. I was talking about most VPNs use known ports (openvpn port for instance). I also have heard a lot of external sites are blocked in China, so I was referencing that I would guess most commercial VPN servers get blocked also. If you’re running your own endpoint (not paying for a commercial service) and making it look like SSL, and China isn’t blocking that IP address outside the country at this time, then it should work, though I’d still worry about timing and network correlation attacks - if a nation state wanted to. There’s a lot of wiggle room in that if, and I wouldn’t put it past them to just backdoor your hardware on entry (or the US customs inspection either FWIW).

              • @iopq@lemmy.worldEnglish
                111 months ago

                It’s just some AWS IP, these servers don’t have their own provider. So some commerical ones still work. But self-hosting is more predictable

                The VPN also does padding to hide small packets like SYN/ACK. The access patterns are an issue, but they kind of just throttle you since that’s not a 100% tell.

                My hardware is my phone and I keep it on my person, they haven’t touched that, thankfully