A Belgian cybersecurity expert known for uncovering vulnerabilities like the KRACK attack on WPA and WPA2 has developed a new method that exposes a concerning threat to VPN users. Named TunnelCrack, this method allows sensitive VPN traffic to escape the confines of the protective tunnel, posing a severe risk. Vulnerabilities in VPN solutions primarily affect iOS and macOS VPNs, with Windows also being susceptible. Interestingly, Android VPN apps are relatively safer, but around a quarter of them are still vulnerable to TunnelCrack.
TunnelCrack exploits two principal vulnerabilities: the LocalNet and ServerIP attacks. These vulnerabilities come into play when a VPN user connects to an unsecured Wi-Fi network. However, malicious internet providers can also exploit the server IP attack. By manipulating the routing table of the target, these attacks divert the victim’s traffic away from the secure VPN tunnel, allowing attackers to intercept and analyze the exposed data.
In the ServerIP attack scenario, the absence of encryption for VPN traffic to the VPN server’s IP address is a weak link. This lack of encryption is intentional, preventing the need for data packet re-encryption. Exploiting this, an attacker can falsify a DNS reply for the VPN server, tricking the victim into adding a routing rule featuring a fake IP address. This reroutes the victim’s traffic outside the tunnel, bypassing its protection.
To counter the LocalNet attack, users can disable local network traffic. However, not all VPN clients offer this option. While this strategy enhances security, it might render legitimate local network activities, such as printing or streaming, inaccessible when the VPN is active. Mitigating the ServerIP attack requires a different approach: policy-based routing, which considers factors beyond the destination IP address for routing decisions.
Efforts have been made to address these vulnerabilities proactively. VPN providers were alerted in advance, giving them time to develop and release updates. Leading the way are Mozilla VPN, Surfshark, Malwarebytes, Windscribe, and Cloudflare’s WARP, all of which have released patches to address these vulnerabilities. For users of VPN apps without patches, it’s recommended to disable local network access and, when possible, opt for websites offered through the secure HTTPS protocol. Cisco has issued an advisory acknowledging the vulnerabilities in various VPN products and their susceptibility to these exploits.
