A two-decade-old vulnerability has been discovered that exposes encrypted VPN traffic, and every VPN product is vulnerable on at least one device. The academic researchers named the attack TunnelCrack and have published proof-of-concept exploit code. They tested 67 VPN providers on Windows, macOS, iOS, Linux and Android. They found that all VPN apps for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable. A majority of VPNs on Windows and Linux are vulnerable, and Android is the most secure, with roughly one-quarter of VPN apps being vulnerable. On Android, the built-in VPN was found to be more vulnerable than the VPN apps. There are two types of TunnelCrack attacks, LocalNet and ServerIP. The LocalNet attack leverages the two conditions under which the VPN client allows traffic to be sent in the clear: when it is being sent to a local network, and when the destination is a VPN server. The latter rule exists to prevent routing loops. According to the researchers, Mozilla VPN, Surfshark, Malwarebytes, Windscribe and Cloudflare’s WARP have already been patched against this vulnerability.
https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
https://github.com/vanhoefm/vpnleaks
https://www.theregister.com/2023/08/10/tunnelcrack_vpn/
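The two plaintext exceptions described above can be audited on a client. The following is an added example, not code from the researchers or from any VPN product. The function names, the sample addresses (documentation ranges), the RFC 1918 heuristic and the port check are assumptions of this sketch.

```python
import ipaddress

# RFC 1918 ranges. Assumption of this sketch: a "local" subnet outside them
# covers routable addresses, so the local-network exception deserves review.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def exception_for(dest_ip, dest_port, local_subnets, vpn_ip, vpn_port):
    """Name the exception under which this flow leaves outside the tunnel,
    or return None when the flow is tunnelled."""
    addr = ipaddress.ip_address(dest_ip)
    if addr == ipaddress.ip_address(vpn_ip):
        # Packets to the VPN port carry the tunnel itself; other ports do not.
        return "vpn-carrier" if dest_port == vpn_port else "server-ip"
    for net in local_subnets:
        if addr in ipaddress.ip_network(net, strict=False):
            return "local-net"
    return None

def audit(local_subnets, vpn_ip, vpn_port, flows):
    """Return findings for subnets and flows that bypass the tunnel unexpectedly."""
    findings = []
    for net in local_subnets:
        n = ipaddress.ip_network(net, strict=False)
        if not any(n.subnet_of(p) for p in RFC1918):
            findings.append(("local-subnet-not-rfc1918", str(n)))
    for ip, port in flows:
        rule = exception_for(ip, port, local_subnets, vpn_ip, vpn_port)
        addr = ipaddress.ip_address(ip)
        if rule == "server-ip":
            findings.append(("untunnelled:server-ip", f"{ip}:{port}"))
        elif rule == "local-net" and not any(addr in p for p in RFC1918):
            findings.append(("untunnelled:local-net", f"{ip}:{port}"))
    return findings

if __name__ == "__main__":
    # Constructed sample: the network hands out a non-private "local" subnet.
    flows = [("198.51.100.7", 80), ("203.0.113.10", 51820), ("203.0.113.10", 80)]
    for finding in audit(["198.51.100.0/24"], "203.0.113.10", 51820, flows):
        print(finding)
```

An empty result means every sampled flow is either tunnelled, ordinary private-LAN traffic, or the tunnel's own carrier packets.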
This segment was created for the It’s 5:05 podcast