Security researchers say this scary exploit could render all VPNs useless
Security researchers have revealed a method for rendering any virtual private network (VPN) useless. And they suspect that their exploit may have been in the wild for years -- and malicious actors may already know about it.
Researchers at the Leviathan Security Group have uncovered a method for exposing a user's traffic when they use a VPN, effectively allowing the attacker to snoop on their unencrypted traffic and gain valuable data from the transfer. The researchers are calling their exploit TunnelVision and say that they've yet to come across a VPN that doesn't fall for the trick.
Also: The best VPN services of 2024
VPNs play a critical role in secure traffic and data safety. When someone uses a VPN, their internet traffic is encrypted, allowing it to avoid the prying eyes of hackers. But TunnelVision changes that. The researchers said that if they've been able to attack a network, they can run a DHCP server that assigns IP addresses for devices on the same network and force traffic to be routed through it. In doing so, they're able to avoid VPN encryption and view completely unencrypted traffic packets. What's worse, at no point do users believe their traffic is being sent over an unencrypted connection and the VPNs themselves never alert them to the change.
To be sure, there are some hoops hackers would need to jump through to take advantage of the exploit, with having actual access to a network being chief among them. But hackers can often sit on hacked networks without alerting anyone, waiting for opportunities to steal data. And TunnelVision is just one of those opportunities.
But it gets worse. The security researchers said that they believe malicious actors may have had the ability to take advantage of the weakness in VPN functionality since 2002, suggesting hackers may have known about the exploit for more than two decades. And while they stopped short of confirming hackers have used the exploit, they have notified VPN makers about their discovery.
That said, it's not clear how to fix the problem. While removing DHCP support in VPNs would fix the issue immediately, it would also cause a rash of internet connectivity problems outside the VPN's use. And although the researchers were able to find one way to fix the problem on Linux-based operating systems only, the fix would create a "side channel" that would still allow for de-anonymized traffic.
Also: What are passkeys? Experience the life-changing magic of going passwordless
"In some places in the world, the side-channel alone could lead to imprisonment or death for those who rely on VPNs for safety such as journalists or whistleblowers who are common targets of surveillance or spyware," the researchers said.
The only real fix, then, is to not have a VPN running on a network that has been compromised -- a tall order, considering how difficult it is to know if hackers are lurking. For now, then, be careful on VPNs and remember it's possible that your private traffic isn't as private as you think.