Massive security hole in VPNs shows their shortcomings as a defensive measure
“Among other things, traffic should be appropriately encrypted prior to even entering a VPN. All technology has vulnerabilities. The mere fact that a tool has a particular vulnerability doesn’t mean it can’t be helpful in a robust defense in depth strategy,” he said.
Noah Beddome, Leviathan’s CISO in residence, said that CISOs need to remember the origin of VPNs. “VPN was never supposed to be a security solution — VPNs were never designed for that,” he said.
“They were a stopgap use at the time [they were created]. Still, almost all enterprises have so many VPNs in use that there is no easy replacement,” Beddome said, adding that it’s likely that underfunded and understaffed security operations may have made it more difficult to replace VPNs quickly.
How TunnelVision intercepts VPN traffic
According to the researchers, TunnelVision is a secondary attack: it only works once the attacker already has a foothold on the victim's local network, such as the ability to answer the victim's DHCP requests. The danger is that some IT and security staff may assume the VPN still protects their traffic even when the environment around it is compromised. Leviathan's testing found that a standard VPN configuration provides no such protection.
The attack “bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol),” Leviathan researchers wrote. “The result of this is the user transmits packets that are never encrypted by a VPN, and an attacker can snoop their traffic. We are using the term ‘decloaking’ to refer to this effect. Importantly, the VPN control channel is maintained so features such as kill switches are never tripped, and users continue to show as connected to a VPN in all the cases we’ve observed.”
The key to the attack lies in the manipulation of DHCP option 121, the classless static route option defined in RFC 3442, according to Leviathan's research.
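The mechanism behind option 121 is easier to see with a small model than in prose. The following Python is an added example written for this page; it is not Leviathan's tooling and not code from the article. It encodes and parses the RFC 3442 option format, then applies the parsed routes to a toy routing table and asks, per destination, whether a packet still leaves through the VPN interface. All addresses come from the RFC 5737 documentation ranges and are constructed for the scenario; the interface names `tun0` and `eth0`, the host route to the VPN server, and the two /1 routes the rogue DHCP server pushes are assumptions of the example, not details taken from the page. Metrics and policy routing are ignored, so this models only the longest-prefix-match rule that makes a /1 beat the VPN's /0.

```python
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442


def encode_option_121(routes):
    """Encode [(network_str, gateway_str), ...] as a DHCP option 121 TLV.

    RFC 3442 packs each route as: prefix length (1 byte), the significant
    octets of the destination (ceil(prefix/8) bytes), then the router (4 bytes).
    """
    body = bytearray()
    for net, gw in routes:
        n = ipaddress.IPv4Network(net)
        sig = (n.prefixlen + 7) // 8
        body.append(n.prefixlen)
        body += n.network_address.packed[:sig]
        body += ipaddress.IPv4Address(gw).packed
    if len(body) > 255:
        raise ValueError("option 121 payload exceeds one DHCP option")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(body)]) + bytes(body)


def decode_option_121(tlv):
    """Parse an option 121 TLV into [(IPv4Network, IPv4Address), ...].

    Rejects bad prefix lengths and truncated entries instead of guessing,
    which is what a DHCP client should do with attacker-supplied bytes.
    """
    if len(tlv) < 2 or tlv[0] != OPTION_CLASSLESS_STATIC_ROUTE:
        raise ValueError("not a DHCP option 121 TLV")
    payload = tlv[2:2 + tlv[1]]
    if len(payload) != tlv[1]:
        raise ValueError("truncated option")
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        sig = (plen + 7) // 8
        dst = payload[i:i + sig]
        gw = payload[i + sig:i + sig + 4]
        i += sig + 4
        if len(dst) != sig or len(gw) != 4:
            raise ValueError("truncated route entry")
        addr = int.from_bytes(dst.ljust(4, b"\x00"), "big")
        routes.append((ipaddress.IPv4Network((addr, plen), strict=False),
                       ipaddress.IPv4Address(gw)))
    return routes


def route_lookup(table, dst):
    """Longest-prefix match over [(IPv4Network, iface), ...]; metrics ignored."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def leaked_paths(vpn_table, option121_tlv, lan_iface, probe_ips):
    """Return {ip: (iface_before, iface_after)} once the pushed routes are installed.

    The DHCP client installs option 121 routes on the physical interface, so
    any destination whose best match is a pushed route bypasses the tunnel.
    """
    pushed = [(net, lan_iface) for net, _gw in decode_option_121(option121_tlv)]
    after = list(vpn_table) + pushed
    return {ip: (route_lookup(vpn_table, ip)[1], route_lookup(after, ip)[1])
            for ip in probe_ips}


# Constructed scenario (hypothetical addresses from RFC 5737 ranges).
VPN_TABLE = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "tun0"),        # VPN catch-all route
    (ipaddress.IPv4Network("198.51.100.10/32"), "eth0"),  # VPN server via LAN (assumed client behaviour)
    (ipaddress.IPv4Network("192.0.2.0/24"), "eth0"),      # local LAN
]
# Rogue DHCP server pushes two /1 routes: together they cover all of IPv4, and
# each is more specific than the VPN's /0, so they win every lookup the /32 and /24 do not.
ROGUE_OPTION_121 = encode_option_121([("0.0.0.0/1", "192.0.2.1"),
                                      ("128.0.0.0/1", "192.0.2.1")])
PROBES = ["203.0.113.5", "198.51.100.10", "192.0.2.7"]

if __name__ == "__main__":
    print("option 121 bytes:", ROGUE_OPTION_121.hex())
    for ip, (before, after) in leaked_paths(VPN_TABLE, ROGUE_OPTION_121, "eth0", PROBES).items():
        print(f"{ip:>15}: {before} -> {after}{'  (decloaked)' if before != after else ''}")
```

Running it shows the Internet host 203.0.113.5 moving from `tun0` to `eth0` while the VPN server and the LAN keep their original paths, which is why the tunnel's control channel stays up and the client still reports itself as connected. The same `decode_option_121` can be pointed at the option bytes from a captured DHCP offer or a lease file to see which prefixes a network is trying to install before trusting it.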