Almost all VPNs are vulnerable to traffic-leaking TunnelCrack attacks
2023-08-14 13:38

"Our attacks are not computationally expensive, meaning anyone with the appropriate network access can perform them, and they are independent of the VPN protocol being used," claim Nian Xue of New York University; Yashaswi Malla, Zihang Xia, and Christina Pöpper of New York University Abu Dhabi; and Mathy Vanhoef of KU Leuven University.

"Even if the victim is using another layer of encryption such as HTTPS, our attacks reveal which websites a user is visiting, which can be a significant privacy risk."

"Both attacks manipulate the victim's routing table to trick the victim into sending traffic outside the protected VPN tunnel, allowing an adversary to read and intercept transmitted traffic," the researchers say.

After testing many consumer and enterprise-grade VPN solutions, they found that most VPNs for Apple, Windows and Linux devices are vulnerable to one or both attacks.

Mullvad says only its iOS app is vulnerable to the LocalNet attack.

"If updates for your VPN are not available, you can mitigate the LocalNet attack by disabling local network access. You can also mitigate attacks by assuring websites use HTTPS, which many websites nowadays support," the researchers advised.
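A defender can check for the condition the researchers describe, routes that send traffic outside the VPN tunnel, by auditing the routing table. The following is an added example, not code from the article or the researchers; the interface names (`tun0`, `wlan0`), the addresses and the sample `ip route show` output are constructed assumptions. It labels each IPv4 route that bypasses the tunnel and separates private ranges from publicly routable ones, which a local network would not normally need.

```python
import ipaddress

# Constructed `ip route show` output (illustrative, not from the article).
# Assumed names: tun0 = VPN tunnel interface, wlan0 = Wi-Fi interface.
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
198.51.100.0/24 dev wlan0 proto kernel scope link src 198.51.100.23
203.0.113.7 via 192.168.1.1 dev wlan0
"""

# Ranges a genuine local network is expected to use (RFC 1918 + link-local).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def audit_routes(route_text, tunnel_if, vpn_server):
    """Return (destination, interface, label) for each IPv4 route that bypasses the tunnel."""
    server = ipaddress.ip_network(vpn_server)
    findings = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields[:-1]:
            continue  # blank line or no interface given
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types that do not start with a prefix
        dev = fields[fields.index("dev") + 1]
        if net.version != 4 or dev == tunnel_if:
            continue  # protected by the tunnel, or out of scope (IPv6)
        if net == server:
            label = "vpn-server-exception"   # the tunnel's own transport
        elif any(net.subnet_of(r) for r in LOCAL_RANGES):
            label = "private-range"          # ordinary LAN access
        else:
            label = "public-range"           # review: sent outside the tunnel
        findings.append((str(net), dev, label))
    return findings

if __name__ == "__main__":
    for dest, dev, label in audit_routes(SAMPLE_ROUTES, "tun0", "203.0.113.7"):
        print(f"{dest:18} {dev:6} {label}")
```

A `public-range` entry on the physical interface is the one to investigate; disabling local network access in the VPN client, as the researchers advise, removes the `private-range` bypass as well.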


News URL

https://www.helpnetsecurity.com/2023/08/14/vpn-vulnerabilities-tunnelcrack-attacks/