Closed TimmyBoi155 closed 6 months ago
We are aware of this research, and we are investigating the findings before a full response.
To exploit the vulnerability in question, an attacker needs to connect to the same local network as the target and act as a DHCP server. This allows them to modify routing tables and control traffic routing. This way they may route traffic outside of the VPN tunnel, bypassing the routing rules defined by the VPN client. As this vulnerability alters the routing table, it is not a discreet attack; if you can check your routing table, you can tell whether the network is compromised.
Overview of our findings regarding IVPN apps:
1. IVPN Android app is not affected.
2. IVPN iOS app is potentially affected based on our assessment, and "Block LAN traffic" option enabled in the app does not mitigate the issue. Actions you can take if you are concerned about the attack:
3. For IVPN desktop apps we have a firewall functionality that blocks all traffic going outside the VPN interface. With the default configuration, IVPN users are not affected by this vulnerability.
@stenya Is there any plan at all to fix this??
However, the vulnerability might affect you if:
* Firewall functionality is disabled
* Firewall is configured to allow LAN communication, or if there are custom firewall exceptions defined

If you are concerned about this issue we suggest always using the built-in firewall in the desktop apps with default configuration.
Actually, the IVPN Firewall was designed to protect users from such types of attacks, and it is effectively doing its job. It is enabled by default. Users should be aware of the potential risks when they manually disable the firewall.
We are consistently seeking improvements. However, at present, there is no superior solution that would not impact user usability.
Has the IVPN team seen this? Is this being mitigated?
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
https://www.leviathansecurity.com/blog/tunnelvision
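
The statement quoted in this thread says the attack shows up in the routing table. The following Python check is an added example, not IVPN's code and not part of the thread: it parses Linux `ip -4 route show` output and reports gatewayed routes on a non-VPN interface that are more specific than the tunnel's routes and would therefore win the route lookup. It assumes the VPN client installs its routes in the main table; the interface names (`wg0`, `wlan0`) and all addresses are constructed.

```python
import ipaddress

# Constructed `ip -4 route show` output for illustration (not from the thread).
# Assumed names: wg0 = VPN interface, wlan0 = Wi-Fi, 198.51.100.7 = VPN server.
SAMPLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
198.51.100.7 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
0.0.0.0/2 via 192.168.1.66 dev wlan0 proto dhcp metric 600
64.0.0.0/2 via 192.168.1.66 dev wlan0 proto dhcp metric 600
"""

def field(tokens, key):
    """Return the token following `key` ('dev', 'via', 'proto'), or None."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None

def parse_routes(text):
    """Turn each route line into (network, dev, gateway, proto)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dst)
        except ValueError:
            continue  # skip route types such as "unreachable ..." or "blackhole ..."
        routes.append((net, field(tok, "dev"), field(tok, "via"), field(tok, "proto")))
    return routes

def find_bypass_routes(text, vpn_if, vpn_endpoint):
    """List (destination, gateway, proto) for routes that override the tunnel."""
    routes = parse_routes(text)
    endpoint = ipaddress.ip_network(vpn_endpoint)
    vpn_nets = [net for net, dev, _, _ in routes if dev == vpn_if]
    hits = []
    for net, dev, gw, proto in routes:
        if dev == vpn_if or gw is None or net == endpoint:
            continue  # tunnel route, connected LAN subnet, or VPN server host route
        # Longest-prefix match: a narrower route inside a tunnel route wins over it.
        if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn_nets):
            hits.append((str(net), gw, proto))
    return hits

if __name__ == "__main__":
    for dst, gw, proto in find_bypass_routes(SAMPLE, "wg0", "198.51.100.7"):
        print(f"route {dst} via {gw} (proto {proto}) sends traffic outside the tunnel")
```

An empty result only means no overriding route was found in the table that was parsed; clients that use policy routing keep their tunnel routes in a separate table.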