Posted: 5/7/2024 9:42:05 AM EDT
What's the cure for this: Novel attack against virtually all VPN apps neuters their entire purpose?
Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering. TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user's IP address. The researchers believe it affects all VPN applications when they're connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.
You said what!?!
https://www.alphacros.com/blog
[#1]
Privacy was always an illusion.
[#2]
Originally Posted By ServusVeritatis: Privacy was always an illusion.
This. I always thought the big highly-advertised VPNs were compromised somehow, because if they were actually secure and private, the system would be acting to block/suppress them or at least try to link them to "violent right-wing extremists" in everyone's minds.
[#3]
Wonder why android and linux are not affected
[#4]
[Last Edit: LVMIKE]
[#5]
I'll spare you the details, but this mostly affects public networks like coffee shop wifi and similar. For this to work you need a foothold on the network the VPN user is coming from.
This isn't a vulnerability that is easily executed on a large scale.
[#6]
So that is saying that if you have a compromised server as part of your VPN infrastructure your VPN is probably compromised?
[#7]
Originally Posted By wvfarrier: Wonder why android and linux are not affected
Originally Posted By Bogdan: Different operating system?
there's likely more to this story.. like it was only tested on windows or a very specific build of windows.
Will not shelter in place
[Last Edit: Paul]
[#8]
Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it. All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs. If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble. The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
Celebrating the remains of the Second Amendment one Fine Firearm at a Time. It was better here before.
[#9]
I also doubt this affects a mature corporate VPN solution that limits available interfaces and routes to only allow VPN traffic out.
[#10]
[#11]
Originally Posted By Paul: Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it. All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs. If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.
unless there's a part to this that isn't published (and I'll research it further) the fix is to either A) set a trusted manual DHCP setting or B) update the VPN app to force all DHCP through the VPN tunnel.
Will not shelter in place
[Last Edit: C3H5N3O9]
[#12]
Originally Posted By LVMIKE: I'll spare you the details, but this mostly affects public networks like coffee shop wifi and similar. For this to work you need a foothold on the network the VPN user is coming from. This isn't a vulnerability that is easily executed on a large scale.
This is my take as well. You have to either be able to control the DHCP server for the network or be able to run a rogue DHCP server on the network. The solution is: “The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device.”
[Last Edit: LVMIKE]
[#13]
Originally Posted By Paul: All of which requires administrative abilities.
No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device. It will take some luck to get the target machine to pull its config from your evil DHCP server but maybe there is some deauth-type attack you could repeat until it occurs. It's not a nothing burger, but it's not a doomsday. If you manage your corporate VPN solution it's worth looking into.
[#14]
Originally Posted By LVMIKE: I also doubt this affects a mature corporate VPN solution that limits available interfaces and routes to only allow VPN traffic out.
/this Traffic across the network isn't VPN'ed but rather hidden using overloaded NAT. I have hundreds of users behind each IP address.
Celebrating the remains of the Second Amendment one Fine Firearm at a Time. It was better here before.
[#15]
Originally Posted By Paul: Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it. All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs. If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble. The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
Ars has been a clickbait site for a while with some of this shit.
[Last Edit: 4thbreak]
[#16]
It's existed since 2002 and now here we are?
[Last Edit: C3H5N3O9]
[#17]
Originally Posted By Network_Daddy: So that is saying that if you have a compromised server as part of your VPN infrastructure your VPN is probably compromised?
Essentially, yes. However, people connect to VPNs from public wifi like airports and coffee shops, so possibly the bad actor could set up a rogue DHCP server there.
[#18]
Originally Posted By Paul: Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it. All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs. If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.
Originally Posted By right_rudder: Yeah.. went and read the article. unless there's a part to this that isn't published (and I'll research it further) the fix is to either A) set a trusted manual DHCP setting or B) update the VPN app to force all DHCP through the VPN tunnel.
Stop trusting the routing table to enforce your security policy.
[#19]
Your boos mean nothing, I've seen what makes you cheer
[Last Edit: Paul]
[#20]
Originally Posted By LVMIKE: No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device.
Without admin rights please tell me how you're going to establish the trust relationship with the directory service? We also don't let people plug things into our network. I'd get a pop-up from the ePO if it caught someone and I'd go down and take another laptop and give it to the director. Any civilian equipment connecting to the network becomes government property by policy. Not even one packet flies down a port without clearing port security.
Celebrating the remains of the Second Amendment one Fine Firearm at a Time. It was better here before.
[#21]
Originally Posted By ServusVeritatis: Privacy was always an illusion.
Originally Posted By 2ANut: This. I always thought the big highly-advertised VPNs were compromised somehow, because if they were actually secure and private, the system would be acting to block/suppress them or at least try to link them to "violent right-wing extremists" in everyone's minds.
That's not what this is at all. VPNs still offer a measure of privacy for most. Keep in mind VPNs are banned in countries like China, that should tell you something.
Your boos mean nothing, I've seen what makes you cheer
[#22]
Originally Posted By LVMIKE: No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device.
Originally Posted By Paul: Without admin rights please tell me how you're going to establish the trust relationship with the directory service? We also don't let people plug things into our network. I'd get a pop-up from the ePO if it caught someone and I'd go down and take another laptop and give it to the director. Any civilian equipment connecting to the network becomes government property by policy. Not even one packet flies down a port without clearing port security.
Pretend for a second that you’re a coffee shop owner that offers free public WiFi and has no idea what you’re doing. What then?
[Last Edit: LVMIKE]
[#23]
Originally Posted By Paul: Without admin rights please tell me how you're going to establish the trust relationship with the directory service? We also don't let people plug things into our network. I'd get a pop-up from the ePO if it caught someone and I'd go down and take another laptop and give it to the director. Any civilian equipment connecting to the network becomes government property by policy. Not even one packet flies down a port without clearing port security.
I think you're taking the 'your network' too literally-- how would I know your network's config... I'm speaking generally. Not every network is a domain, running IDS/IDR, properly configured or any combination of those factors. Hence my preface, 'undetected rogue DHCP server'. The base minimum for this to work is what I posted.
[#24]
[#25]
Yes, the risk is probably very low when you're connected to a well-managed corporate network. But when your physical interface is connected to a wifi AP at the airport, hotel, coffee shop, etc., all bets are off. Pineappling is a thing. Best to use your cell phone hotspot in locations like those.
"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves." - William Pitt
[#26]
After reading the article I'm sort of wondering was the intent to let me know a vulnerability exists or to make me think a VPN is useless and to not use them so all of my traffic is in the clear.
Article seems more like the former. OP reads like the latter whether it was intentional or not
[#27]
this is dumb
subversive orchestrator
[#28]
Will not shelter in place
[#29]
Originally Posted By Paul: Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it. All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs. If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble. The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
Yeah, article is factually correct, but assumes way too much. It's clickbait essentially.
Reserved for something witty.
|
[#30]
Originally Posted By Paul: Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it. All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs. If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble. The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
But what about my infestation of rogue admins in my Attic?
“I was always willing to be reasonable until I had to be unreasonable. Sometimes reasonable men must do unreasonable things.”
|
[#31]
Originally Posted By Paul: Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it. All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs. If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble. The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
That does not necessarily require administrative access to anything but the rogue DHCP server. If an attacker can get theirs on the network and can respond to clients faster than the legitimate DHCP server, it stands a good chance of intercepting.
[#32]
[#33]
Ok, I had to do some digging but I found out what they're going on about.
This is not a new development, it's seemingly been known since the end of 2002. This is more of a DHCP issue than a client issue and being that I've never heard of it till now begs the question, has it ever been used in a malicious way? Not likely.
Will not shelter in place
[#34]
Originally Posted By LVMIKE: I'll spare you the details, but this mostly affects public networks like coffee shop wifi and similar. For this to work you need a foothold on the network the VPN user is coming from. This isn't a vulnerability that is easily executed on a large scale.
This, and DHCP snooping would be a further mitigation for public networks.
Originally Posted By HermanSnerd:
In reality, those two hot chicks that you just met that want you to come home with them for "a good time", are merely the bait for the huge guy hiding in the closet wearing a Batman suit.
[#35]
Originally Posted By right_rudder: Ok, I had to do some digging but I found out what they're going on about. This is not a new development, it's seemingly been known since the end of 2002. This is more of a DHCP issue than a client issue and being that I've never heard of it till now begs the question, has it ever been used in a malicious way? Not likely.
And that.
Originally Posted By HermanSnerd:
In reality, those two hot chicks that you just met that want you to come home with them for "a good time", are merely the bait for the huge guy hiding in the closet wearing a Batman suit.
[#36]
Originally Posted By dmnoid77: This, and DHCP snooping would be a further mitigation for public networks.
I've brought my own connection for so long I honestly don't know what public wifi from large companies like for example starbucks even looks like now-a-days. I've assumed the bigger companies took some level of responsibility for their public networks and bought (and properly configured) devices from companies like Ubiquity with these basic features in them... While a majority of small businesses are running some SOHO device with varying levels of competency in configuration... Is that the case?
[#37]
Originally Posted By dmnoid77: This, and DHCP snooping would be a further mitigation for public networks.
Originally Posted By LVMIKE: I've brought my own connection for so long I honestly don't know what public wifi from large companies like for example starbucks even looks like now-a-days. I've assumed the bigger companies took some level of responsibility for their public networks and bought (and properly configured) devices from companies like Ubiquity with these basic features in them... While a majority of small businesses are running some SOHO device with varying levels of competency in configuration... Is that the case?
Most of your chains would have in-house or contracted IT support and I would expect some degree of basic security configurations to be in place. Your local mom and pops might be using something off the rack at Best Buy configured by a relative that "knows computers". Obviously, it is impossible to know for sure without doing a security audit, which nobody is going to let you do. Your best indicator is probably the presence of a landing page and required consent to acceptable use prior to being connected to the internet on a public wifi.
Originally Posted By HermanSnerd:
In reality, those two hot chicks that you just met that want you to come home with them for "a good time", are merely the bait for the huge guy hiding in the closet wearing a Batman suit.
[#38]
Originally Posted By Paul: All of which requires administrative abilities.
Originally Posted By LVMIKE: No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device. It will take some luck to get the target machine to pull its config from your evil DHCP server but maybe there is some deauth-type attack you could repeat until it occurs. It's not a nothing burger, but it's not a doomsday. If you manage your corporate VPN solution it's worth looking into.
You don't need to de-auth. You just exhaust the real DHCP's pool with fake leases.
[#39]
Originally Posted By Paul: All of which requires administrative abilities.
Originally Posted By LVMIKE: No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device. It will take some luck to get the target machine to pull its config from your evil DHCP server but maybe there is some deauth-type attack you could repeat until it occurs. It's not a nothing burger, but it's not a doomsday. If you manage your corporate VPN solution it's worth looking into.
Originally Posted By Imzadi: You don't need to de-auth. You just exhaust the real DHCP's pool with fake leases.
We're not talking about a DOS attack.
Originally Posted By HermanSnerd:
In reality, those two hot chicks that you just met that want you to come home with them for "a good time", are merely the bait for the huge guy hiding in the closet wearing a Batman suit.
[#40]
Disable DHCP and run everything static.
[#41]
What's next, omg there's a hosts file that if edited *could*....
[#42]
Originally Posted By Paul: All of which requires administrative abilities.
Originally Posted By LVMIKE: No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device. It will take some luck to get the target machine to pull its config from your evil DHCP server but maybe there is some deauth-type attack you could repeat until it occurs. It's not a nothing burger, but it's not a doomsday. If you manage your corporate VPN solution it's worth looking into.
Originally Posted By Imzadi: You don't need to de-auth. You just exhaust the real DHCP's pool with fake leases.
Originally Posted By dmnoid77: We're not talking about a DOS attack.
I know. But the real DHCP server will stop issuing DHCP Offers when its pool is expired. At that point your rogue DHCP server will be the only one on the network issuing leases.
[#43]
Originally Posted By Paul: All of which requires administrative abilities.
Originally Posted By LVMIKE: No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device. It will take some luck to get the target machine to pull its config from your evil DHCP server but maybe there is some deauth-type attack you could repeat until it occurs. It's not a nothing burger, but it's not a doomsday. If you manage your corporate VPN solution it's worth looking into.
Originally Posted By Imzadi: You don't need to de-auth. You just exhaust the real DHCP's pool with fake leases.
Originally Posted By dmnoid77: We're not talking about a DOS attack.
I think what he's saying is your rogue DHCP server would keep spoofing DHCP lease requests to exhaust the pool, then use those responses as its own pool. When the real server runs out of leases I'm guessing there is a mechanism in the DHCP protocol that would allow the evil-DHCP to fulfill the requests
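The rogue-DHCP discussion above (a server on the LAN handing out itself as gateway or pushing routes, and the pool-exhaustion variant in the last few posts) is a detection problem for whoever runs the network or the endpoint agent. The following is an added example, not code from any post in this thread or from the TunnelVision researchers: it decodes the option fields of a DHCP OFFER/ACK from raw bytes and flags a server identifier or router that is not the known gateway, and any classless static routes (DHCP option 121, RFC 3442), which is the option the public TunnelVision write-up uses and which the thread itself does not name. A second function counts distinct client hardware addresses sending DISCOVER inside a time window, the signature of pool exhaustion. All packets, addresses, MACs and thresholds are constructed for the example; the functions `parse_options`, `check_offer` and `max_distinct_clients` are this example's own names.

```python
"""Defender-side checks for rogue DHCP on a LAN (added example, not from the thread).

Constructed sample data throughout: 192.168.1.1 is assumed to be the legitimate
DHCP server and gateway, 192.168.1.77 is a constructed rogue host.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 option-area marker
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54
OPT_CLASSLESS_ROUTES, OPT_END = 121, 255    # RFC 3442 and the END option
OFFER, ACK = 2, 5


def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP message.
    The fixed header is 236 bytes, then the magic cookie, then TLV options."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                       # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_classless_routes(value: bytes) -> list:
    """RFC 3442 encoding: <prefix length><only the significant dest octets><router>."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        n = (plen + 7) // 8                 # number of destination octets present
        dest = value[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        router = value[i + 1 + n:i + 5 + n]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes


def check_offer(payload: bytes, expected_server: str, expected_router: str) -> list:
    """Findings for one OFFER/ACK; an empty list means the lease looks legitimate."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (OFFER, ACK):
        return []
    findings = []
    server = str(ipaddress.IPv4Address(opts.get(OPT_SERVER_ID, b"\0\0\0\0")[:4]))
    if server != expected_server:
        findings.append(f"server identifier {server} is not the known server {expected_server}")
    if OPT_ROUTER in opts:
        router = str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4]))
        if router != expected_router:
            findings.append(f"router option {router} differs from expected {expected_router}")
    for dest, via in decode_classless_routes(opts.get(OPT_CLASSLESS_ROUTES, b"")):
        # A more specific route wins over the VPN's default route for that prefix.
        findings.append(f"classless static route {dest} via {via} overrides tunnel routing")
    return findings


def max_distinct_clients(discovers: list, window: float = 60.0) -> int:
    """Largest number of distinct client MACs sending DISCOVER within any window.
    discovers: list of (timestamp_seconds, chaddr). A burst of fresh MACs is the
    signature of pool exhaustion, since each spoofed lease needs its own address."""
    discovers = sorted(discovers)
    best, start = 0, 0
    for end in range(len(discovers)):
        while discovers[end][0] - discovers[start][0] > window:
            start += 1
        best = max(best, len({mac for _, mac in discovers[start:end + 1]}))
    return best


def build_message(msg_type: int, server_id: str, router: str, classless: bytes = b"") -> bytes:
    """Construct a minimal DHCP message for the sample data (not a real capture)."""
    body = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    body += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    if classless:
        body += bytes([OPT_CLASSLESS_ROUTES, len(classless)]) + classless
    return bytes(236) + body + bytes([OPT_END])


ROGUE = ipaddress.IPv4Address("192.168.1.77").packed
LEGIT_OFFER = build_message(OFFER, "192.168.1.1", "192.168.1.1")
ROGUE_OFFER = build_message(OFFER, "192.168.1.77", "192.168.1.77",
                            b"\x00" + ROGUE + b"\x18\xcb\x00\x71" + ROGUE)  # 0/0 and 203.0.113.0/24
# Constructed DISCOVER log: three normal clients, then 40 spoofed MACs in 4 seconds.
DISCOVER_LOG = [(t * 60.0, f"aa:bb:cc:00:00:0{i}") for i, t in enumerate((0, 3, 7))] + \
               [(600.0 + k * 0.1, f"de:ad:be:ef:{k:02x}:01") for k in range(40)]

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt, "192.168.1.1", "192.168.1.1"))
    print("max distinct DISCOVER clients / 60s:", max_distinct_clients(DISCOVER_LOG))
```

On a switch the same signal is what DHCP snooping enforces in hardware (offers accepted only on trusted ports); this script is the equivalent check for a span-port capture or an endpoint agent, and it also answers right_rudder's point: if the routing table cannot be trusted, inspect what is being written into it.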
[#44]
[#45]
[#46]
Originally Posted By dmnoid77: This, and DHCP snooping would be a further mitigation for public networks.
Originally Posted By LVMIKE: I've brought my own connection for so long I honestly don't know what public wifi from large companies like for example starbucks even looks like now-a-days. I've assumed the bigger companies took some level of responsibility for their public networks and bought (and properly configured) devices from companies like Ubiquity with these basic features in them... While a majority of small businesses are running some SOHO device with varying levels of competency in configuration... Is that the case?
Originally Posted By dmnoid77: Most of your chains would have in-house or contracted IT support and I would expect some degree of basic security configurations to be in place. Your local mom and pops might be using something off the rack at Best Buy configured by a relative that "knows computers". Obviously, it is impossible to know for sure without doing a security audit, which nobody is going to let you do. Your best indicator is probably the presence of a landing page and required consent to acceptable use prior to being connected to the internet on a public wifi.
I did work for a while in the NOC for a managed service provider company and we did networking for major chains like Michaels, IHOP, Sally Beauty, Dollar General, etc.
We even did a lot of smaller customers with a handful of sites. Security was taken pretty seriously at all.
[Last Edit: jeremy223]
[#47]
[Last Edit: JVD]
[#49]
Originally Posted By CZ75_9MM: Disable DHCP and run everything static.
Originally Posted By Imzadi: So your starbucks barista is going to have to manage an IPAM system and explain static IP addresses to grandma?
Originally Posted By LVMIKE: Please take a pin with your coffee sir https://i.ibb.co/Xkm04LK/DHCPserver.jpg
[#50]
Originally Posted By Scion: Yes, the risk is probably very low when you're connected to a well-managed corporate network. But when your physical interface is connected to a wifi AP at the airport, hotel, coffee shop, etc., all bets are off. Pineappling is a thing. Best to use your cell phone hotspot in locations like those.
this is what i do. i have a jetpack that i use if im in a public place. i never use 'free' wifi services. and if im out of my house, i turn off my smartphone's wifi ability (and bluetooth).
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.