
TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak

submitted by
Style Pass
2024-05-06 21:30:05

Recently, we identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). The result is that the user transmits packets that are never encrypted by the VPN, and an attacker can snoop their traffic. We are using the term decloaking to refer to this effect. Importantly, the VPN control channel is maintained, so features such as kill switches are never tripped, and users continue to show as connected to a VPN in all the cases we’ve observed.
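As an added illustration (not code from the original post or its authors), here is the defender-side check this implies on a Linux host: parse `ip route show` output and flag any route that leaves via a non-VPN interface yet is more specific than a route the VPN installed, which is exactly the shape a DHCP-delivered bypass route takes. The sample routing table, the interface names (`tun0`, `eth0`) and the VPN server address are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output (not from the original page):
# the VPN client claims all traffic via tun0 with two /1 routes, and a
# DHCP-installed /24 route now steers part of it out of eth0 instead.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
198.51.100.7 via 192.168.1.1 dev eth0
203.0.113.0/24 via 192.168.1.1 dev eth0 proto dhcp
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>default|[\d.]+(?:/\d+)?)(?: via \S+)? dev (?P<dev>\S+)(?P<rest>.*)$"
)


def parse_routes(text):
    """Parse `ip route show` lines into (network, device, attribute-words)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip lines this minimal parser does not understand
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False),
                       m.group("dev"), m.group("rest").split()))
    return routes


def find_bypass_routes(routes, vpn_dev, vpn_server):
    """Flag routes that leave via a non-VPN interface and are more specific
    than a VPN route covering the same destinations. The on-link LAN subnet
    and the host route to the VPN server are exempt: a routing-based VPN
    legitimately needs both to reach its own server."""
    server = ipaddress.ip_address(vpn_server)
    vpn_nets = [net for net, dev, _ in routes if dev == vpn_dev]
    flagged = []
    for net, dev, attrs in routes:
        if dev == vpn_dev or "link" in attrs:
            continue
        if net.prefixlen == net.max_prefixlen and server in net:
            continue
        if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn_nets):
            flagged.append((str(net), dev, "dhcp" in attrs))
    return flagged
```

Each flagged tuple carries the destination, the egress interface and whether the kernel attributes the route to DHCP; run it against a live table with `subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout`.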

We’ve spent extensive time exploring this capability and attempting to notify as many affected parties as possible. We also know it is our responsibility as security researchers to inform the security and privacy community, as well as the general public, about this threat. We also believe this technique may have been possible as far back as 2002 and could have already been discovered and potentially used in the wild. For that reason, we believe it is critical for us to disclose publicly because notifying every VPN provider, operating system maintainer, self-hosted VPN admin, and VPN user is far beyond the capacity of our small research team.

We've seen one mitigation for this technique and have identified a fix that exists on Linux-based operating systems. However, the mitigation offers a side channel that could be used for targeted denial-of-service censorship, as well as to de-anonymize the destination of traffic via traffic analysis. In some places in the world, the side channel alone could lead to imprisonment or death for those who rely on VPNs for safety, such as journalists or whistleblowers, who are common targets of surveillance or spyware.
