Virtual Private Networks: Are They Really Secure on Untrusted Networks?
Virtual Private Networks and the Security Assumption
Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. However, recent research indicates that this assumption may not hold true when connecting to a VPN via an untrusted network. Attackers on the same network can potentially bypass a user’s VPN protection without triggering any alerts. This unveils a dangerous vulnerability that VPN users need to be aware of, as it compromises the security they rely on.
The Danger of Abusing DHCP
Leviathan Security, a reputable research firm, has identified a method for attackers to exploit an obscure feature in the standard DHCP protocol. By running a rogue DHCP server on the same network, an attacker can force other users to connect to their server and redirect their traffic. The feature being abuse is known as DHCP option 121, allowing the attacker to establish routing rules that bypass the VPN’s virtual network interface.
Potential Attack Scenarios
Leviathan researchers have identified various attack scenarios where this vulnerability could be exploited. These include:
- Compromised DHCP server or wireless access point
- Rogue network administrator
- Evil twin wireless hotspot
Analysis of the Vulnerability
Bill Woodcock, executive director at Packet Clearing House, explains that DHCP option 121 has been included in the DHCP standard for over two decades, making this attack technically feasible for a long time. He emphasizes that using a VPN on an untrusted network is a practical risk, especially for high-value targets susceptible to spear phishing attacks.
John Kristoff, founder of dataplane.org and a computer science PhD candidate at the University of Illinois Chicago, highlights the criticality of an untrusted network as a significant concern when employing VPNs. While protective measures against rogue DHCP servers exist, their deployment is highly variable.
Mitigating the Threat
Leviathan offers insights into possible mitigations for this VPN security vulnerability:
- Utilize an Android device, which ignores DHCP option 121
- Create a private, password-protected LAN using a cellular device’s wireless hotspot
- Run the VPN from within a virtual machine, like Parallels, VMware, or VirtualBox
- Deploy deep packet inspection to restrict traffic to DHCP and VPN server
However, it is worth noting that the usage of deep packet inspection introduces potential side-channel attacks and censorship capabilities. Overall, this research serves as a warning that many VPN providers are making promises their technology cannot completely deliver on.
Conclusion
Understanding the limitations of VPNs is crucial to maintaining online security and privacy. While VPNs were primarily designed to secure traffic on the internet, their effectiveness on untrusted networks is questionable. As attackers find more creative ways to exploit vulnerabilities, users and VPN providers must stay vigilant and adapt their security practices accordingly.
