Your VPN Might Be On TunnelCrack
Call It A Day And Hope It’s Fixed By Monday?
We trust our VPNs to keep our data safe, at least from everyone but the provider of the VPN. A diverse team of researchers tested more than 60 VPNs for iOS, Android, Mac and Windows and found that many of them are vulnerable to LocalNet and ServerIP attacks. LocalNet takes advantage of the fact that many VPNs are configured to allow the client to route local network connections. This means an attacker could create a WiFi network, or abuse an unsecured one, to assign a public IP address and subnet to a computer known to the attacker. Since there is now a local network connection to route through, the attacker can intercept the traffic as it travels over that local network and bypasses the VPN tunnel you assumed was keeping you safe.
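As an added example (not code from the researchers or from any VPN vendor), here is one way a client or monitoring script could check for the LocalNet condition described above: it flags a "local" subnet that claims routable address space and lists which destinations would be sent directly on that network. The function names, the list of expected LAN ranges and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

# Assumption: a legitimate LAN uses private or link-local address space.
EXPECTED_LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # IPv4 link-local
    "fc00::/7", "fe80::/10",                           # IPv6 ULA, link-local
)]


def is_expected_lan(net):
    """True if the network lies wholly inside one expected LAN range."""
    return any(net.version == r.version and net.subnet_of(r)
               for r in EXPECTED_LAN_RANGES)


def audit_local_subnet(assigned, destinations):
    """Audit the address/prefix a network handed out (e.g. via DHCP).

    Returns the normalised subnet, whether it looks like a real LAN, and
    which destinations a client that exempts local traffic from the tunnel
    would send directly on that network.
    """
    net = ipaddress.ip_network(assigned, strict=False)  # accepts host/prefix
    expected = is_expected_lan(net)
    direct = [d for d in destinations if ipaddress.ip_address(d) in net]
    return {
        "subnet": str(net),
        "expected_lan": expected,
        "sent_outside_tunnel": direct,
        # Flag a "local" network that claims routable address space.
        "alert": not expected,
    }


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    destinations = ["192.168.1.10", "203.0.113.5", "198.51.100.7"]
    for assigned in ("192.168.1.23/24", "203.0.113.17/24", "128.0.0.9/1"):
        print(audit_local_subnet(assigned, destinations))
```

The third sample shows why the prefix length matters as much as the address: a very short prefix makes most of the internet look "local".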
The second vulnerability, ServerIP, takes advantage of the fact that VPNs prefer not to double encrypt packets, which means traffic from your machine to the VPN is not necessarily encrypted. This makes it possible to spoof the DNS of a known VPN address and add a routing rule to send all traffic to both the VPN and to the spoofed IP address. The victim still goes through the VPN and there is no indication that their traffic is also going to a second location.
Of all the VPNs tested, Android fared the best and Apple the worst. For instance, Cisco Secure Client AnyConnect VPN on iOS is vulnerable but the Android version is not. Both vulnerabilities can be easily overcome, however, by ensuring the sites you visit are using HTTPS or by using a secure shell to connect to remote machines over a VPN. In either case the traffic to the VPN is already encrypted and you’ll be off the TunnelCrack.
The Register offers a deeper look into TunnelCrack and its related CVEs right here, if you need more nightmare fuel for your weekend.
A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims' network traffic to go outside their encrypted VPNs, it was demonstrated this week.
More Tech News From Around The Web
- Bots Are Better Than Humans At Cracking ‘Are You a Robot?’ Captcha Tests, Study Finds @ Slashdot
- Lapsus$ hackers took SIM-swapping attacks to the next level @ Bleeping Computer
- The TV streaming apps broke their promises, and now they’re jacking up prices @ Ars Technica
- Oracle, SUSE, and CIQ Go After Red Hat With the Open Enterprise Linux Association @ Slashdot
- USB-C Cable Tester Is Compact And Affordable @ Hackaday
- All-in-one chip combines laser and photonic waveguide for the first time @ Physics World
- Verizon to ‘sunset’ Blue Jeans vidconf platform @ The Register
- YouTube is Deactivating Links in Shorts Videos To Combat Spam @ Slashdot
- NASA to test potential 400Mbps laser link for Mars @ The Register
- Kioxia CXL and BiCS Flash SSD Shown at FMS 2023 @ ServeTheHome
- How an unpatched Microsoft Exchange 0-day likely caused one of the UK’s biggest hacks ever @ Ars Technica
- Dell Compellent hardcoded key exposes VMware vCenter admin creds @ Bleeping Computer
- SanDisk’s silence deafens as high-profile users say Extreme SSDs still broken @ Ars Technica