ExpressVPN says most of its users are safe from the recently exposed TunnelVision vulnerability, provided that they don’t turn off their kill switch features in the VPN app.
The TunnelVision vulnerability was unveiled in a recent report published by researchers from Leviathan Security. The group found a flaw that can force VPNs to route some or all user traffic outside the encrypted tunnel, essentially undermining the core purpose of VPNs: to secure internet traffic from interception and hide users’ IP addresses.
According to the researchers, this is possible when an attacker targets DHCP (Dynamic Host Configuration Protocol) Option 121, a DHCP option that lets network administrators push routing information (static routes) to DHCP clients.
Normally, a VPN client’s traffic leaves the local network interface only after it has entered the encrypted tunnel. By manipulating Option 121, the attacker can reroute this traffic directly to the DHCP server instead, so it never enters the tunnel and the security of the data is compromised.
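As an added defensive example (not code from the article, from Leviathan Security or from ExpressVPN), the following Python script decodes a DHCP Option 121 payload in its classless-static-route format and flags any pushed route that is neither the VPN server’s host route nor inside a prefix the operator trusts. The option bytes, the VPN server address 203.0.113.10 and the trusted prefixes are constructed sample values.

```python
import ipaddress
# Added defensive example: decode DHCP Option 121 (classless static routes) and
# flag routes that would bypass a VPN tunnel. All sample values are constructed.

def parse_option_121(data):
    """Decode an Option 121 payload into (IPv4Network, router IPv4Address) pairs.
    Each route: 1 byte prefix length, ceil(prefix/8) significant destination
    octets, then a 4-byte router address."""
    routes = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError("invalid prefix length %d" % prefix_len)
        n = (prefix_len + 7) // 8
        i += 1
        if i + n + 4 > len(data):
            raise ValueError("truncated Option 121 payload")
        dest = data[i:i + n].ljust(4, b"\x00")  # restore omitted low octets
        router = ipaddress.IPv4Address(data[i + n:i + n + 4])
        routes.append((ipaddress.IPv4Network((dest, prefix_len), strict=False), router))
        i += n + 4
    return routes

def suspicious_routes(routes, vpn_server, trusted_prefixes):
    """Return pushed routes that are neither the VPN server host route nor inside
    a trusted local prefix; these take precedence over the tunnel's catch-all
    routes, so matching traffic leaves the host unencrypted."""
    server_route = ipaddress.IPv4Network(vpn_server + "/32")
    trusted = [ipaddress.IPv4Network(p) for p in trusted_prefixes]
    flagged = []
    for net, gw in routes:
        if net == server_route or any(net.subnet_of(t) for t in trusted):
            continue
        flagged.append((str(net), str(gw)))
    return flagged

# Constructed sample payload: two benign routes, then two that would pull
# each half of the IPv4 space toward a non-default gateway.
SAMPLE_OPTION_121 = bytes([
    32, 203, 0, 113, 10, 192, 168, 1, 1,  # 203.0.113.10/32 via 192.168.1.1
    8, 10, 192, 168, 1, 1,                # 10.0.0.0/8 via 192.168.1.1
    1, 0, 192, 168, 1, 254,               # 0.0.0.0/1 via 192.168.1.254
    1, 128, 192, 168, 1, 254,             # 128.0.0.0/1 via 192.168.1.254
])

def audit_sample():
    routes = parse_option_121(SAMPLE_OPTION_121)
    return suspicious_routes(routes, "203.0.113.10", ["10.0.0.0/8", "192.168.0.0/16"])
```

Running `audit_sample()` on the sample payload returns the two /1 routes via 192.168.1.254, which is exactly the pattern a monitoring agent on the client would want to alert on before the routes take effect.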
The attack is most effectively executed by someone with administrative rights over the network to which the target is connected, but even individuals with basic access to the network can initiate the attack by establishing a rogue DHCP server.
Regardless of the traffic’s path, the VPN app will still indicate that all data is securely transmitted through the protected connection.
“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers add.
ExpressVPN issued a lengthy statement in response, explaining that most of its users likely won’t be at risk due to the particular configurations and sequences of actions required to activate the vulnerability. Plus, it says that the kill switch function can prevent this type of attack.
“Whether you use Mac or Windows, our investigations found that this technique could only pose a threat if our kill switch, Network Lock, had been manually disabled by a user,” the company says. “The way we designed our kill switch ensures that our desktop users are defended against this technique and other attacks that attempt to force traffic outside of the VPN.”
For Android users, there is no risk of exposure to the TunnelVision attack exploiting DHCP Option 121, because Android doesn’t support this DHCP option. iOS devices retain a degree of vulnerability because of Apple’s limitations on the operating system architecture, which don’t allow for a fully effective kill switch. So even with the kill switch activated, iOS devices could potentially be exposed to attacks that exploit DHCP Option 121, ExpressVPN explains.
To protect yourself from this attack on iOS, you could switch from a Wi-Fi connection to a cellular data connection, such as 4G or 5G.