ExpressVPN Claims Limited Risk from TunnelVision Vulnerability

Penka Hristovska, Senior Editor

ExpressVPN says most of its users are safe from the recently exposed TunnelVision vulnerability, provided that they don’t turn off their kill switch features in the VPN app.

The TunnelVision vulnerability was unveiled in a recent report published by researchers from Leviathan Security. The group found a flaw that can force VPNs to route some or all user traffic outside the encrypted tunnel, essentially undermining the core purpose of VPNs: to secure internet traffic from interception and hide users’ IP addresses.

According to the researchers, this is possible when an attacker targets DHCP (Dynamic Host Configuration Protocol) Option 121, a DHCP feature that allows network administrators to specify routing information to DHCP clients.

These protocols typically direct VPN traffic to begin at a local IP address, where it enters an encrypted tunnel for secure transmission. By manipulating Option 121, the attacker can reroute this VPN traffic directly to the DHCP server instead, effectively bypassing the encryption tunnel and compromising the security of the data.
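As an added illustration (not taken from the researchers' report or from ExpressVPN), the Python below decodes a DHCP Option 121 payload in the RFC 3442 classless static route encoding and lists the routes that reach beyond private address ranges, so a defender can compare them with the VPN's own routes. The sample payload, the `INTERNAL` list and the function names are constructed for this example, and the "outside private ranges" rule is an assumed review heuristic, not proof of an attack.

```python
import ipaddress

# Private and link-local ranges; routes inside them are treated as ordinary LAN routes.
# Assumption of this example: any other route pushed by DHCP is worth reviewing.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_option121(payload: bytes):
    """Decode an RFC 3442 option body into (network, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]                      # prefix length, 0..32
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        nbytes = (plen + 7) // 8               # only significant octets are sent
        end = i + 1 + nbytes + 4               # length byte + destination + router
        if end > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i + 1:i + 1 + nbytes] + bytes(4 - nbytes)
        router = ipaddress.IPv4Address(payload[i + 1 + nbytes:end])
        network = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(dest)}/{plen}", strict=False)
        routes.append((network, router))
        i = end
    return routes

def flag_routes(routes):
    """Return routes whose destination is not contained in an INTERNAL range."""
    return [(net, gw) for net, gw in routes
            if not any(net.subnet_of(r) for r in INTERNAL)]

# Constructed sample option body (not captured traffic): one LAN route,
# one route for a documentation range, and a default route (prefix length 0).
SAMPLE = bytes([24, 192, 168, 50, 192, 168, 50, 1,
                24, 203, 0, 113, 192, 168, 50, 77,
                0, 192, 168, 50, 1])

if __name__ == "__main__":
    for net, gw in flag_routes(parse_option121(SAMPLE)):
        print(f"review: {net} via {gw}")
```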

The attack is most effectively executed by someone with administrative rights over the network to which the target is connected, but even individuals with basic access to the network can initiate the attack by establishing a rogue DHCP server.

Regardless of the traffic’s path, the VPN app will still indicate that all data is securely transmitted through the protected connection.

“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers add.

ExpressVPN issued a lengthy statement in response, explaining that most of its users likely won’t be at risk due to the particular configurations and sequences of actions required to activate the vulnerability. Plus, it says that the kill switch function can prevent this type of attack.

“Whether you use Mac or Windows our investigations found that this technique could only pose a threat if our kill switch, Network Lock, had been manually disabled by a user,” the company says. “The way we designed our kill switch ensures that our desktop users are defended against this technique and other attacks that attempt to force traffic outside of the VPN.”

For Android users, there is no risk of exposure to the TunnelVision attack exploiting DHCP Option 121, because Android doesn’t support this DHCP feature. iOS devices retain a degree of vulnerability due to Apple’s limitations on the operating system architecture, which doesn’t allow for a fully effective kill switch. Even with the kill switch activated, iOS devices could potentially be exposed to attacks that exploit DHCP Option 121, ExpressVPN explains.

To protect yourself from this attack on iOS, you could switch from a Wi-Fi connection to a cellular data connection, such as 4G or 5G.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.
