VPNs may not be able to protect users on public Wi-Fi networks as well as advertised, according to research by Leviathan Security. By abusing a DHCP server, it is possible for hackers and malicious parties to bypass VPN connections. This way, they still have access to all the VPN user’s data, without the latter being made aware of it.
Server Abuse Creates Unsafe VPN Connection
Researchers Lizzie Moratti and Dani Cronce from Leviathan discovered the vulnerability on public Wi-Fi networks when they set up a fake Dynamic Host Configuration Protocol (DHCP) server within a local network.
A DHCP server hands out network settings to devices that ask to join a network. By setting up an additional, fake DHCP server, malicious actors could steer traffic outside the VPN connection without it being noticed. The VPN is then active, but the encrypted tunnel isn’t being used, meaning abusers can easily get access to the device’s traffic. This technique resembles man-in-the-middle attacks in some ways.
Various tests have proven that this method works for both new VPN connections and connections that had already been established. The VPN does not detect this attack: even the enabled kill switch did not activate during the investigation. In other words, this suggests that VPN users can be eavesdropped on by others, completely unnoticed.
Hack Possible Since 2002
The DHCP standard that makes this method possible has been in use since 2002. In theory, that means the vulnerability has been exploitable for 22 years. It is unclear whether this method has actually been used during that time. However, Bill Woodcock, executive director of the nonprofit Packet Clearing House, told KrebsOnSecurity that the weakness is very problematic for VPN users on public Wi-Fi networks.
John Kristoff, founder of dataplane.org, responded to Leviathan’s research by noting that “practically all user-edge network gear, including Wi-Fi deployments, support some form of rogue DHCP server detection and mitigation”. The question is whether these protections are actively used in practice. Kristoff emphasizes that insecure networks are always a risk, and that the DHCP spoofing method is a relatively simple but sneaky way to abuse a local network.
Consequences for VPN Users
This particular vulnerability only applies to VPN users who use unsecured public networks. Those who combine a VPN connection with their private network or their 4G do not have to worry.
Woodcock does warn that this method is especially attractive to hackers and malicious parties involved in spear phishing. Spear phishing is a form of online fraud that uses personal information about the target to make fake messages convincing. This poses a particular risk to journalists, public figures, and IT professionals.
VPNOverview asked popular VPN providers NordVPN and Surfshark for comment. Surfshark responded with the following:
After a thorough evaluation, we can affirm that if there were an attempt to exploit the TunnelVision vulnerability, our apps would not leak data when the ‘Invisible on LAN’ and ‘Kill Switch’ features are activated in the app settings menu.
With the ‘Kill Switch’ and ‘Invisible on LAN’ features enabled, any traffic that is not protected by a VPN encrypted tunnel would be blocked, which may lead to internet connection disruption for the user. This blockage would result in a blank webpage or an error message but not the data leak.
Therefore, we advise keeping the ‘Kill Switch’ and ‘Invisible on LAN’ features turned on for optimal security. Currently, these features are sufficient to block such attacks. Moreover, our engineering teams are constantly looking into more advanced solutions against them.
Surfshark
Protect Yourself and Your VPN Connection
The average VPN user is unlikely to become a target of the described attack. Only those who run a bigger risk of becoming a victim of spear phishing, such as whistleblowers and influencers, will need to be wary.
If you want to protect yourself against this DHCP spoofing attack on VPN connections, you can take several actions:
- Use an Android device. The Android system is more resistant to abuse of DHCP option 121, the option that makes the hack possible.
- Connect your laptop to the 4G hotspot of your smartphone. This may cost extra data, but ensures that you don’t have to use the potentially vulnerable Wi-Fi of your local café.
- Install your VPN on a virtual machine. As long as you don’t put it in “bridged mode”, you will be protected against the attack.
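A defender-side check for the DHCP option 121 data mentioned above, as an added example that is not from Leviathan's research or from this article: it decodes an option 121 payload (the classless static route encoding defined in RFC 3442) and flags routes that send non-local destinations to a gateway on the Wi-Fi network. The sample payload, the `LOCAL_NETS` list and the flagging rule are assumptions made for illustration.

```python
import ipaddress

# Assumption: destinations inside these ranges are ordinary LAN routes.
LOCAL_NETS = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_option_121(data: bytes):
    """Decode an option 121 payload into (network, gateway) pairs.

    Each entry is: 1 byte prefix length, then only the significant
    octets of the destination, then a 4-byte router address.
    """
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8                  # significant destination octets
        end = i + 1 + n + 4
        if end > len(data):
            raise ValueError("truncated route entry")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad to 4 octets
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen), strict=False)
        gw = ipaddress.IPv4Address(data[i + 1 + n:end])
        routes.append((net, gw))
        i = end
    return routes

def suspicious_routes(routes):
    """Flag DHCP-supplied routes that cover address space outside the LAN."""
    flagged = []
    for net, gw in routes:
        if net.prefixlen == 0:
            continue                         # plain default route, common in option 121
        if not any(net.subnet_of(local) for local in LOCAL_NETS):
            flagged.append((net, gw))
    return flagged

# Constructed sample payload (documentation address range, not captured traffic):
# default via 192.168.1.1, 10.20.0.0/16 via 192.168.1.1, 203.0.113.0/24 via 192.168.1.66
SAMPLE = bytes([0, 192, 168, 1, 1,
                16, 10, 20, 192, 168, 1, 1,
                24, 203, 0, 113, 192, 168, 1, 66])

if __name__ == "__main__":
    for net, gw in suspicious_routes(parse_option_121(SAMPLE)):
        print(f"review: DHCP pushed route {net} via {gw}")
```

A flagged entry is a prompt to review the lease, not proof of an attack, since some managed networks push static routes for legitimate reasons.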
For more information about VPNs and how they work, read our articles “How to Browse the Internet Anonymously” and “What is a VPN”.
