
Cybersecurity researchers have uncovered two security vulnerabilities affecting all virtual private networks (VPNs) that allow unauthorized parties to read the encrypted content of users’ traffic and compromise users’ devices.

While these vulnerabilities affect all devices, Apple devices are more susceptible. In a paper published on August 8, the researchers said these vulnerabilities — termed “TunnelCrack” — have been present in all VPNs since the technology was created nearly three decades ago.

“We tested more than 66 VPN apps on five platforms and found that all VPN apps on iOS are vulnerable,” the researchers said, adding that nearly all VPN clients running on macOS are vulnerable, and a vast majority on Windows are also at risk. Over a third of VPNs on Linux are susceptible.

In contrast, only about a quarter of Android VPN apps fell prey to the LocalNet attack, perhaps due to Android's robust API design for VPN apps, the researchers added.

Particularly concerning is the acknowledgment from the research team that “every VPN product is vulnerable on at least one device.” The researchers have since released scripts on their GitHub page that can scan for the vulnerability.

Prior to releasing the study, the researchers coordinated with different VPN vendors to prepare security patches. In a statement to VPNOverview on Monday, NordVPN confirmed that steps have been taken to protect its users.

“To mitigate the issue, we’ve dropped IKEv2/IPSec protocol support on our apps, discontinued support for iOS versions older than 14.2, and implemented the ‘Invisibility on LAN’ feature for macOS users, successfully securing their VPN connections. In addition, warnings will be prompted for all users connected to unsafe networks, advising immediate disconnection and providing additional steps on how to secure themselves,” Laura Tyrylyte – Tyrell, head of global PR at Nord Security, said.

“We also hope Apple will prioritize the swift resolution of bugs, which now prevent iOS VPN clients from the robust implementation of features that would help users mitigate these security risks,” Tyrell added.

TunnelCrack Exposes Contents of VPN Traffic

The researchers from New York University, NYU Abu Dhabi, and KU Leuven explained that the flaw essentially enables attackers to redirect a user’s network traffic outside of the secure VPN tunnel. By doing so, they can get a peek into the contents of VPN traffic on local networks — at least to some extent. The risk is particularly acute when data isn’t encrypted before it’s routed through a VPN.

However, securely encrypted connections, like HTTPS or SSH, should remain protected, even if they are redirected, the researchers added.

The two vulnerabilities have been named LocalNet and ServerIP. LocalNet involves an attacker creating a malicious Wi-Fi network to trick victims into joining. Once victims connect, their network traffic can be easily monitored.

With ServerIP, attackers also masquerade as a Wi-Fi network or Ethernet network, but it is slightly more complicated. It involves spoofing the IP address of a VPN server to access the content of users’ traffic.

“The security vulnerability identified by the researcher pertains to VPN traffic leaks when routers use non-RFC1918 IP addresses, which while rare, is an industry-wide issue. In our case, only macOS and iOS VPN clients were affected,” Tyrell noted.
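A defender-side check for the condition Tyrell describes, as an added example that is not part of the original article or the researchers' scripts: it flags directly connected (on-link) routes outside the tunnel whose range is not RFC1918 or link-local. The `ip -4 route show` sample text, the `tun0` interface name and the function names are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed samples in the format of Linux `ip -4 route show`.
NORMAL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""
SUSPICIOUS_ROUTES = """\
default via 203.0.113.1 dev wlan0 proto dhcp metric 600
203.0.113.0/24 dev wlan0 proto kernel scope link src 203.0.113.50
192.0.0.0/4 dev wlan0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""

def on_link_routes(route_text, tunnel_ifaces=("tun0",)):
    """Yield (network, iface) for directly connected routes outside the tunnel."""
    for line in route_text.splitlines():
        fields = line.split()
        # Skip blanks, the default route, gatewayed routes and lines with no device.
        if not fields or fields[0] == "default" or "via" in fields or "dev" not in fields:
            continue
        iface = fields[fields.index("dev") + 1]
        if iface in tunnel_ifaces:
            continue
        try:
            yield ipaddress.ip_network(fields[0], strict=False), iface
        except ValueError:
            continue  # not a prefix (e.g. a route-type keyword)

def audit_local_routes(route_text, tunnel_ifaces=("tun0",)):
    """Return [(cidr, iface)] for on-link routes that are not RFC1918/link-local.

    Assumption: the VPN client leaves on-link traffic outside the tunnel, so a
    local network claiming non-private space would pull that traffic out too.
    """
    findings = []
    for net, iface in on_link_routes(route_text, tunnel_ifaces):
        if net.version != 4:
            continue
        # subnet_of() also catches a supernet that merely contains private space.
        private = any(net.subnet_of(r) for r in RFC1918) or net.subnet_of(LINK_LOCAL)
        if not private:
            findings.append((str(net), iface))
    return findings
```

The flagged prefixes in the constructed sample are documentation ranges; on a real host, feed the function the output of `ip -4 route show` captured while the VPN is connected.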

VPN Industry Reactions

Besides NordVPN, other VPN vendors have acknowledged the findings, though their responses vary. While some claim their systems remain largely unaffected, others, like ExpressVPN and Cisco, have been swift in either releasing fixes or advising users on safety measures.

To ensure VPNs can continue to enhance your privacy and security online, it’s important to keep your VPN client updated with the latest patches and security configurations.

This is also a good time to assess the overall security posture of the devices and networks you frequently use. We recommend using long (18-character), randomized passwords and encrypting your file systems (for example, by enabling macOS FileVault and iOS Data Protection, which is active if you set a passcode on your iPhone). Also, stick to premium, trusted VPN providers who are quick to fix security issues.
