Decloaking VPN traffic with the new TunnelVision attack


De-anonymizing users has been a hacker's favorite pastime for as long as I can remember. But that is the least of anyone's concerns once you factor in the scope of warrantless government spying and the monetization of user data, vacuumed up by big tech and sold on by data brokers.

On May 6th, researchers at Leviathan Security Group disclosed a Virtual Private Network (VPN) weakness, which they describe as a "decloaking method" and named TunnelVision (CVE-2024-3661), that can pull traffic out of any routing-based VPN tunnel by having a DHCP server push routes to the victim. The finding has swept headlines around the world.

In a nutshell, an attacker who can answer DHCP requests on the victim's local network (a rogue DHCP server, or a compromised legitimate one) uses DHCP option 121, the classless static route option, to install routes on the victim that are more specific than the routes the VPN client added. The operating system always picks the most specific matching route, so traffic to those destinations is sent out of the physical interface to the attacker's gateway instead of into the tunnel, and the VPN never encrypts it because it never enters the VPN.

The VPN client is neither broken nor disconnected: the tunnel to the VPN server stays up, keepalives keep flowing, and the client reports itself as connected, because the host route to the VPN server itself is left untouched. Everything that matches the attacker's routes, however, leaves the machine without the VPN's encryption and lands on the attacker's gateway, which can read or record it before forwarding it on.
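To make the routing trick concrete, here is an added example (my own illustration, not Leviathan's code): it decodes a DHCP option 121 payload, installs the routes the way a DHCP client would, and runs a longest-prefix lookup to show which interface each destination now leaves on. The interface names, addresses, metrics and the option 121 bytes are all constructed for the example; the VPN table models an OpenVPN-style "redirect-gateway def1" setup, which uses two /1 routes rather than replacing the default route.

```python
"""Model of a TunnelVision-style route hijack via DHCP option 121.

Added example, not Leviathan's code. The interface names, addresses and
the option 121 bytes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def parse_option_121(data: bytes) -> List[Tuple[Net, Addr]]:
    """Decode RFC 3442 classless static routes from a DHCP option 121 payload.

    Each entry is: 1 byte prefix length, ceil(prefixlen / 8) significant
    octets of the destination, then the 4-octet router address. A prefix
    length of 0 (a default route) carries no destination octets at all."""
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 entry")
        dest = int.from_bytes(data[i:i + n] + bytes(4 - n), "big")
        gw = Addr(data[i + n:i + n + 4])
        i += n + 4
        routes.append((Net((dest, plen), strict=False), gw))
    return routes


@dataclass(frozen=True)
class Route:
    prefix: Net
    gateway: Optional[Addr]   # None for directly connected / point-to-point
    iface: str
    metric: int = 0


VPN_SERVER = Addr("203.0.113.5")     # assumed VPN endpoint
LAN_GATEWAY = Addr("192.168.1.1")    # legitimate router on the LAN
ATTACKER = Addr("192.168.1.254")     # attacker's box on the same LAN


def vpn_client_table() -> List[Route]:
    """Typical table after an OpenVPN-style 'redirect-gateway def1' connect:
    two /1 routes into tun0 override the /0 default without deleting it,
    and a /32 host route keeps the VPN server reachable via eth0."""
    return [
        Route(Net("0.0.0.0/0"), LAN_GATEWAY, "eth0", 100),
        Route(Net("192.168.1.0/24"), None, "eth0", 100),
        Route(Net("203.0.113.5/32"), LAN_GATEWAY, "eth0", 0),
        Route(Net("0.0.0.0/1"), None, "tun0", 0),
        Route(Net("128.0.0.0/1"), None, "tun0", 0),
        Route(Net("10.8.0.0/24"), None, "tun0", 0),
    ]


def apply_option_121(table: List[Route], data: bytes,
                     iface: str = "eth0", metric: int = 100) -> List[Route]:
    """Install DHCP-learned routes the way a client does: on the physical
    interface that received the lease, with that interface's metric."""
    return table + [Route(net, gw, iface, metric) for net, gw in parse_option_121(data)]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by the lower metric, as the kernel
    does it. Prefix length beats metric, which is the whole trick."""
    dst_addr = Addr(dst)
    matches = [r for r in table if dst_addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


# Constructed option 121 payload a rogue DHCP server might send:
#   0.0.0.0/0 via 192.168.1.1 (keeps the LAN working so nothing looks wrong)
#   0.0.0.0/2, 64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/2 via 192.168.1.254
# The four /2 routes cover the whole address space and are more specific
# than the VPN's /1 routes, so they win for every destination that has no
# even longer match (the LAN /24, the VPN server's /32, the tunnel subnet).
ATTACKER_OPTION_121 = bytes([
    0x00, 192, 168, 1, 1,
    0x02, 0x00, 192, 168, 1, 254,
    0x02, 0x40, 192, 168, 1, 254,
    0x02, 0x80, 192, 168, 1, 254,
    0x02, 0xC0, 192, 168, 1, 254,
])


def egress(table: List[Route], dst: str) -> str:
    """Human-readable routing decision for one destination."""
    r = lookup(table, dst)
    if r is None:
        return f"{dst}: unreachable"
    via = f" via {r.gateway}" if r.gateway else ""
    return f"{dst}: dev {r.iface}{via} ({r.prefix}, metric {r.metric})"


if __name__ == "__main__":
    before = vpn_client_table()
    after = apply_option_121(before, ATTACKER_OPTION_121)
    for dst in ("198.51.100.7", "203.0.113.5", "10.8.0.1"):
        print("before:", egress(before, dst))
        print("after: ", egress(after, dst))
```

Running it shows 198.51.100.7 moving from tun0 to eth0 via the attacker's gateway, while the VPN server's own /32 and the tunnel subnet still resolve as before, which is exactly why the client keeps reporting a healthy tunnel.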

Many security experts, however, see the threat as narrower than the headlines suggest. Nevertheless, if the technique were to evolve, it could raise the overall threat level and become easier to execute in the wild as the potential for abuse grows.

Ultimately, the way this attack is being framed might cause VPN subscribers to feel that nothing is safe anymore, purely because of the media hype. I say this because the hype far outruns what has been shown: a technique demonstrated in a controlled environment, with no reports of it being used in the wild by malicious actors.

The vulnerability was reported to the Cybersecurity and Infrastructure Security Agency (CISA). But in light of the innumerable revelations of government surveillance over the past decade alone, is this the last we will hear of attacks like TunnelVision?

Criticism by experts

Criticism from cybersecurity experts can offer invaluable insight into a headline-grabbing security finding. In this case, several experts pushed back on the hype, arguing that the practical scope of the attack vector is being exaggerated.

Dr. Peter Membrey, Chief Engineering Officer at ExpressVPN, had this to say about TunnelVision:

"Pulling off the attack is not as trivial as has been described, and while it isn’t as difficult as making a cloaking device, it isn’t as simple as pushing a button either. There are a number of things that must align for an attack to be effective. For example, this attack can only really be carried out on public, open WiFi networks. If you’re on a trusted home or office network, you’re not going to be vulnerable. There are also protections that a public Wi-Fi provider can put in place to prevent these attacks being effective as well."

Others within the industry had similar things to say, each explaining that the attack only applies when the attacker already has a position on your local network from which to answer DHCP requests: a compromised wireless router, a malicious hotspot, or public WiFi where anyone can plug in a rogue DHCP server. Your VPN client cannot be affected unless your network has been attacked at that local level. A phone on cellular data rather than WiFi is likewise out of reach, since no attacker on a nearby LAN can hand it a lease, and Android is unaffected on any network because it does not implement DHCP option 121.

Furthermore, a VPN kill switch helps, but only if it is built the right way. A kill switch that merely watches whether the tunnel is up does nothing here, because the tunnel stays up. What works is the firewall-based kind most VPN providers ship: rules that allow traffic on the physical interface only to the VPN server (and for DHCP) and drop everything else, so a route pushed by the attacker disrupts your connectivity to those destinations rather than leaking them.
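The difference between the two kill-switch designs, as an added example (my own illustration, not any VPN vendor's code): a tunnel-state check and a per-packet firewall policy are both run over the same constructed traffic, in which the tunnel is still up but two flows have been pushed onto eth0 by option 121 routes. The interface names, the VPN endpoint 203.0.113.5, UDP port 1194 and the packet list are all assumptions made for the example.

```python
"""Two kill-switch designs facing a TunnelVision-style leak.

Added example, not any VPN vendor's code. The interface names, addresses,
port and packet list are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List

VPN_SERVER = "203.0.113.5"   # assumed VPN endpoint
VPN_PORT = 1194              # assumed OpenVPN/UDP port
DHCP_SERVER_PORT = 67


@dataclass(frozen=True)
class Packet:
    iface: str    # egress interface the routing table chose
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int
    what: str     # label for reporting


def state_kill_switch(tunnel_up: bool, pkt: Packet) -> str:
    """Weak design: watch the tunnel and drop everything only if it goes down.
    TunnelVision never takes the tunnel down, so this forwards every packet."""
    return "forward" if tunnel_up else "drop"


def firewall_kill_switch(pkt: Packet) -> str:
    """Stronger design: a per-packet policy. Traffic may leave via tun0, and
    on the physical interface only DHCP and the VPN channel itself are
    allowed; anything else on eth0 is dropped regardless of tunnel state."""
    if pkt.iface == "tun0":
        return "forward"
    if pkt.iface == "eth0" and pkt.proto == "udp":
        if pkt.dport == DHCP_SERVER_PORT:
            return "forward"
        if pkt.dst == VPN_SERVER and pkt.dport == VPN_PORT:
            return "forward"
    return "drop"


# Constructed traffic after a rogue DHCP server has pushed option 121 routes:
# the tunnel is still up, but two flows now resolve to eth0 instead of tun0.
SAMPLE = [
    Packet("eth0", VPN_SERVER, "udp", VPN_PORT, "VPN handshake and keepalives"),
    Packet("eth0", "255.255.255.255", "udp", 67, "DHCP renew"),
    Packet("tun0", "198.51.100.7", "tcp", 443, "HTTPS that still routes into the tunnel"),
    Packet("eth0", "198.51.100.7", "tcp", 443, "HTTPS decloaked by an option 121 route"),
    Packet("eth0", "192.168.1.1", "udp", 53, "DNS decloaked by an option 121 route"),
]


def leaks(decide: Callable[[Packet], str], traffic: List[Packet] = SAMPLE) -> List[str]:
    """Return labels of packets that were forwarded on eth0 to anything other
    than the DHCP server or the VPN endpoint, i.e. traffic that escaped."""
    out = []
    for p in traffic:
        if decide(p) != "forward" or p.iface != "eth0":
            continue
        if p.dport == DHCP_SERVER_PORT or (p.dst == VPN_SERVER and p.dport == VPN_PORT):
            continue
        out.append(p.what)
    return out


def kept_alive(decide: Callable[[Packet], str], traffic: List[Packet] = SAMPLE) -> bool:
    """A usable kill switch must not cut the legitimate VPN and DHCP traffic."""
    return all(decide(p) == "forward" for p in traffic
               if p.dst == VPN_SERVER or p.dport == DHCP_SERVER_PORT)


if __name__ == "__main__":
    print("tunnel-state kill switch leaks:", leaks(lambda p: state_kill_switch(True, p)))
    print("firewall kill switch leaks:    ", leaks(firewall_kill_switch))
```

Note the caveat built into the policy: DHCP has to stay allowed, so a firewall kill switch cannot stop the rogue lease from arriving; it only guarantees that whatever the rogue routes redirect is dropped rather than sent in the clear, which is the loss of connectivity the paragraph above describes.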

Network attacks evolved

I am an avid wireless network hacker. I have enough wireless hacking equipment to commit the next crime of the century. Furthermore, I know plenty of hackers who are fairly lazy about remembering to use a VPN. Virtually no one else in my family even knows what a VPN is. Regardless, the important takeaway from this discovery is that TunnelVision provides a new opportunity for attackers on a local network to de-anonymize VPN traffic.

Ever since about 2016, when HTTPS became the prevailing standard and browsers began encrypting traffic by default while flagging plain-HTTP sites as insecure, the way attackers can intercept network traffic has changed. Traffic pulled out of the tunnel by TunnelVision is still wrapped in TLS if the application used HTTPS; what the attacker gains is the metadata (destination addresses, DNS lookups, timing) and anything still sent in plaintext.

Therefore, if an attacker gains a foothold on your local network, whether by attacking the wireless network, through physical access, or through illicit remote access to a device that can answer DHCP requests, the conditions for a TunnelVision attack are in place.

Is the scope of the Leviathan Security Group’s finding of TunnelVision over-inflated? Yes, for now, simply because the conditions are difficult but not impossible. However, if I were a data-consuming government surveillance machine, a vulnerability like TunnelVision would present new ideas in the race to de-anonymize user data.

With that being said, does TunnelVision exist in its final form?

Absolutely not.

Privacy plagued by illegal surveillance

My greatest worry is that there is no reasonable guarantee that the CISA didn’t hand over knowledge of the TunnelVision CVE to US intelligence agencies, which would then continue the pattern of flagrant, warrantless spying on internet users. As a privacy advocate, these thoughts run through my mind.

It was only last December that we learned, from a letter sent to the Department of Justice (DOJ) by US Senator Ron Wyden of Oregon, how US law enforcement agencies and foreign governments have been conducting warrantless surveillance on Apple and Android users through a loophole in push notifications.

Let's not forget EternalBlue, the Windows SMBv1 exploit developed by the National Security Agency (NSA), which the agency used in the wild without Congressional approval. It gave them the ability to compromise Windows computer systems without obtaining a warrant.

The NSA reportedly sat on the vulnerability for years and warned Microsoft only after learning that its exploit had been stolen. Microsoft shipped a fix as MS17-010 in March 2017, and the ploy became public when the hacking group known as the Shadow Brokers published the exploit on April 14th, 2017.

Let’s not forget everything we learned about the scope of the NSA’s illegal surveillance programs from Edward Snowden, the former US computer contractor and whistleblower.

So, I say again, is TunnelVision in its final form?

No way.

Congratulatory pat on the back.

Online privacy is at war, and everybody is involved.