Almost all VPNs have been vulnerable to eavesdropping for years

Almost all VPN apps run the risk of leaking their traffic. This is a highly targeted attack technique that has probably been possible for years.

Technology, that’s the name TunnelVision (CVE-2024-3661) was discovered by Leviathan Security Group. The crux of the matter is that a user on an attacker-controlled network runs the risk of eavesdropping on a VPN connection, while it appears to the user as if they are securely connected.

The attack requires the perpetrator to manipulate the network’s DHCP server. This manages the IP addresses that connect to the network. The setting selected on your device, Option 121, allows the DHCP server to change the default routing rule. This allows you to route traffic from the VPN through a specific local IP address.

Due to the specific configuration that uses this server as a gateway, traffic will flow through the DHCP server while content can be viewed.

The “Option 121” in question allows attackers to set up one or more paths for Internet traffic. But these routes are not encrypted by the VPN and are forwarded by the network interface that talks to the DHCP server. An attacker can choose which IP addresses go through the VPN tunnel and which ones go through the network interface talking to the DHCP server.

Administrator rights are useful, but not necessary

The discoverers explain that the attack works best if the perpetrator of the attack has administrator rights on the network because the option in question can then be enabled. But it’s also possible that someone on the network has set up their own DHCP server and is doing something similar.

Since 2002

Note: The hack does not work on Android, because the 121 option does not exist there. For other systems there is no escape at this point. On Linux, it is possible to limit the effect via settings, but it cannot be completely ruled out.

What makes matters even more worrying is that Option 121 has been around since 2002. Researchers also suspect that this technology has already been used in the past. They deliberately do not talk about weakness, because that is open to debate. It’s a purposely created function, but it renders VPN services useless because their purpose is to protect your traffic.

Browsing via 5G

Solutions await technical modifications, Leviathan discoverers say. Not enabling option 121 (it seems to be the default) is one of them. Although it may be impossible or difficult for you to access the network.

The danger lies mainly in WiFi networks, so another option is to use the mobile network (4G or 5G), for example by turning your mobile phone into a mobile hotspot. Working from a virtual machine can also avoid the issue, as long as the virtual machine’s network adapter is not in plugged-in mode.