Krebs on Security explains why your PureVPN may not be as secure as it claims


Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage.
When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address.
VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications.
“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server.”
Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.
“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote.
“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said.


Companies that offer virtual private networking (VPN) services claim that they can stop people from spying on your Internet activities. However, new research indicates that this is a risky assumption when connecting to a VPN over an untrusted network, because attackers on the same network may be able to force a target’s traffic off the VPN’s protection without notifying the user.

A device broadcasts a message to the entire local network informing it that it is requesting an Internet address when it first attempts to connect to a network. Usually, the router, which is in charge of overseeing the network the user is attempting to connect to, is the only system on the network that detects this request and responds.

A network device that responds to these queries is known as a Dynamic Host Configuration Protocol (DHCP) server. It is responsible for providing IP addresses with time-limited leases. A unique local address, referred to as an Internet gateway, is also configured by the DHCP server and is used as the main path to the Web by all related systems.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for the user’s communications. However, Leviathan Security researchers have found a way to abuse a little-known feature of the DHCP standard to force other users on the network to connect to a rogue DHCP server.

Researchers Lizzie Moratti and Dani Cronce of Leviathan wrote, “Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. We employ traffic forwarding rules on the DHCP server to divert traffic to a valid gateway while we intercept it when it reaches our gateway.”

This particular abuse involves DHCP option 121, a feature that allows a DHCP server to install a more specific route on the VPN user’s system than the routes most VPNs install. By misusing this feature, Leviathan found that an attacker on the local network can effectively establish routing rules that take priority over the routes for the virtual network interface that the target’s VPN creates.

According to the Leviathan researchers, “pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. The RFC [standard] does not explicitly state the intended functionality. As a result, the routes we push are never encrypted by the VPN’s virtual interface but are instead transmitted by the network interface communicating with the DHCP server. As an attacker, we can choose which IP addresses pass through the network interface talking to our DHCP server and which ones pass through the tunnel.”
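The routing behaviour the researchers describe comes down to ordinary longest-prefix matching: a route pushed by option 121 covers a narrower range of addresses than the VPN’s tunnel routes, so the host prefers it. The following added example (written for this page, not code from Leviathan or from any VPN vendor) decodes an option 121 payload using the RFC 3442 wire format, merges the decoded routes into an assumed post-connection routing table, and reports which destinations would leave the host over the physical interface instead of the tunnel. The interface names, metrics, the two /1 tunnel routes, the VPN server address 192.0.2.44 and the option 121 bytes are all constructed assumptions; a defender can run the same audit against a routing table dumped from a real client.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# A route entry: (destination network, outgoing interface, metric).
Route = Tuple[ipaddress.IPv4Network, str, int]


def decode_option121(data: bytes) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Decode DHCP option 121 (RFC 3442 classless static routes).

    Each entry is <prefix length> <significant destination octets> <4-byte router>,
    where the number of destination octets is ceil(prefix length / 8).
    Malformed data (prefix > 32, truncated entry) raises ValueError instead of
    yielding a half-parsed route.
    """
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 entry")
        dest = data[i:i + n] + bytes(4 - n)          # omitted octets are zero
        i += n
        router = ipaddress.IPv4Address(int.from_bytes(data[i:i + 4], "big"))
        i += 4
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen), strict=False)
        routes.append((net, router))
    return routes


def select_route(table: Sequence[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, then lowest metric, as a host routing table does."""
    matches = [r for r in table if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def off_tunnel_destinations(table: Sequence[Route], vpn_iface: str,
                            allowed_direct: Sequence[ipaddress.IPv4Network],
                            probes: Sequence[str]) -> List[str]:
    """Return probe destinations that would be sent outside the VPN tunnel and are
    not on the explicit allow-list (the LAN itself and the VPN server)."""
    leaks = []
    for p in probes:
        dst = ipaddress.IPv4Address(p)
        route = select_route(table, dst)
        if route is None or route[1] == vpn_iface:
            continue
        if any(dst in net for net in allowed_direct):
            continue
        leaks.append(str(dst))
    return leaks


N = ipaddress.IPv4Network
VPN_IFACE = "tun0"
# Assumed routing table after the VPN client connects: two /1 routes into the tunnel
# (a common way clients override the default route), plus the physical interface's
# LAN route, default route and a host route to the assumed VPN server 192.0.2.44.
BASE_TABLE: List[Route] = [
    (N("0.0.0.0/1"), VPN_IFACE, 0),
    (N("128.0.0.0/1"), VPN_IFACE, 0),
    (N("192.168.1.0/24"), "eth0", 100),
    (N("192.0.2.44/32"), "eth0", 100),
    (N("0.0.0.0/0"), "eth0", 100),
]
# Constructed option 121 payload: a default route, 203.0.113.0/24 and the single
# host 198.51.100.7, all via the router 192.168.1.254.
OPTION121_SAMPLE = bytes([
    0, 192, 168, 1, 254,
    24, 203, 0, 113, 192, 168, 1, 254,
    32, 198, 51, 100, 7, 192, 168, 1, 254,
])
ALLOWED_DIRECT = [N("192.168.1.0/24"), N("192.0.2.44/32")]
PROBES = ["203.0.113.5", "198.51.100.7", "198.51.100.8",
          "10.0.0.1", "192.0.2.44", "192.168.1.10"]


def audit_sample() -> List[str]:
    """Merge the pushed routes into the table and list what bypasses the tunnel."""
    table = list(BASE_TABLE)
    for net, _router in decode_option121(OPTION121_SAMPLE):
        table.append((net, "eth0", 100))  # pushed routes land on the physical interface
    return off_tunnel_destinations(table, VPN_IFACE, ALLOWED_DIRECT, PROBES)


if __name__ == "__main__":
    for net, router in decode_option121(OPTION121_SAMPLE):
        print(f"option 121 route: {net} via {router}")
    print("destinations bypassing the tunnel:", audit_sample())
```

Note that the pushed default route (0.0.0.0/0) changes nothing, because the tunnel’s /1 routes are more specific; only the /24 and the /32 win, which is exactly why the quoted text says the attacker chooses which addresses leave the tunnel. The same audit, fed with the output of the client’s own route listing, is a quick way to check a VPN client’s claims about leak protection on a given network.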

Leviathan also found that they could force VPN users’ devices on the local network that already had a connection to request a new one at will. Known as a DHCP starvation attack, this well-researched technique involves an attacker flooding the DHCP server with requests until all available IP addresses are consumed. Once the network’s real DHCP server is fully tied up, the attacker can have their rogue DHCP server answer all outstanding requests.

The researchers noted, “Once the VPN user’s host needs to renew a lease from our DHCP server, this technique can also be used against an already established VPN connection. By giving the DHCP lease a short lease time, we can artificially create that situation so that the user updates their routing table more frequently. Furthermore, the VPN control channel is still operational, since it already communicates via the physical interface. Throughout our testing, the VPN never disconnected and the kill switch was never used to terminate the connection.”

According to the researchers, their techniques could be used by a rogue network administrator who controls the infrastructure and configures it maliciously, or by an attacker who compromises a DHCP server or wireless access point. Alternatively, an attacker might set up an “evil twin” wireless hotspot that imitates the signal broadcast by a legitimate provider.


Based in San Francisco, Packet Clearing House is a nonprofit organization where Bill Woodcock serves as executive director. According to Woodcock, Option 121 has been a part of the DHCP standard since 2002, which implies that for the previous 22 years, the attack that Leviathan detailed was theoretically feasible.

According to Woodcock, “they’re realizing now that this can be used in a really problematic way to circumvent a VPN, and they’re right.”

By using a VPN on an untrusted network, Woodcock said, users run the risk of falling victim to spear phishing attacks.

“Those in positions of authority or even just high net worth individuals are all very reasonable targets of this attack,” Woodcock said. “This is a really useful tool in my toolbox if I were attempting to launch an attack against someone at a reasonably high security company and I knew where they usually got their sandwich or coffee twice a week. Since this isn’t sophisticated science, I’d be a little surprised if it wasn’t already being used in that way. It just involves thinking a little bit outside the box.”

An attacker would probably not be able to view all of a target’s traffic or browsing activity if they were to successfully carry out this attack on a network. This can be attributed to the fact that most of the content on the websites the target visits is encrypted (the site address starts with https://). The metadata of any traffic passing by, including the source and destination addresses, would still be visible to an attacker.

John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago, was briefed on Leviathan’s research by KrebsOnSecurity. Kristoff said that almost all user-edge network equipment, including WiFi deployments, supports some form of rogue DHCP server detection and mitigation, although it is unclear how widely these safeguards are actually deployed.

But, Kristoff added, “I think it’s important to remember that an untrusted network is still an untrusted network, which is why you’re usually using the VPN in the first place. If [the] local network is inherently hostile and doesn’t hesitate to run a rogue DHCP server, it is a cunning technique that could be used to de-cloak some traffic. If done carefully, I’m sure a user might never notice.”
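The rogue DHCP server detection Kristoff refers to, the starvation flood described earlier and the very short leases the researchers mention to force renewals all leave recognisable traces in DHCP traffic. The following added example (written for this page; it is not code from Leviathan, Kristoff or any network vendor) runs three simple checks over a constructed, simplified DHCP event log: an OFFER or ACK from a server outside a trusted allow-list, a burst of DISCOVERs from many distinct client MACs inside a short window, and an ACK handing out a lease shorter than a sane minimum. The log format, the trusted server 192.168.1.1, the rogue server 192.168.1.99, the MAC addresses and the thresholds are all constructed assumptions.

```python
from collections import deque
from typing import Dict, List, Tuple

# Assumption: the site's only legitimate DHCP server.
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}
STARVATION_WINDOW = 10      # seconds of DISCOVER history kept
STARVATION_THRESHOLD = 20   # distinct client MACs inside the window
MIN_SANE_LEASE = 300        # seconds; shorter leases force constant renewals


def parse_line(line: str) -> Dict:
    """Constructed format: '<unix ts> <msg type> <client mac> <server ip|-> <lease secs|->'."""
    ts, mtype, mac, server, lease = line.split()
    return {
        "ts": int(ts),
        "type": mtype,
        "mac": mac,
        "server": None if server == "-" else server,
        "lease": None if lease == "-" else int(lease),
    }


def detect(lines: List[str]) -> List[Tuple]:
    """Return alerts in log order: ('rogue_server', ip, client mac),
    ('starvation', distinct macs, ts) or ('short_lease', ip, seconds)."""
    alerts: List[Tuple] = []
    recent = deque()              # (ts, mac) of DISCOVERs inside the window
    reported_rogue = set()
    reported_short = set()
    starvation_reported = False
    for ev in map(parse_line, lines):
        # 1. Offers/acks from anything but the trusted server(s).
        if ev["type"] in ("OFFER", "ACK") and ev["server"] not in TRUSTED_DHCP_SERVERS:
            if ev["server"] not in reported_rogue:
                reported_rogue.add(ev["server"])
                alerts.append(("rogue_server", ev["server"], ev["mac"]))
        # 2. Leases so short the client will re-run DHCP (and re-apply routes) constantly.
        if ev["type"] == "ACK" and ev["lease"] is not None and ev["lease"] < MIN_SANE_LEASE:
            if ev["server"] not in reported_short:
                reported_short.add(ev["server"])
                alerts.append(("short_lease", ev["server"], ev["lease"]))
        # 3. Starvation: many never-seen clients asking for addresses at once.
        if ev["type"] == "DISCOVER":
            recent.append((ev["ts"], ev["mac"]))
            while recent and recent[0][0] < ev["ts"] - STARVATION_WINDOW:
                recent.popleft()
            distinct = len({mac for _, mac in recent})
            if distinct >= STARVATION_THRESHOLD and not starvation_reported:
                starvation_reported = True
                alerts.append(("starvation", distinct, ev["ts"]))
    return alerts


# Constructed sample log: one normal lease, then a burst of DISCOVERs from 25
# distinct MACs within three seconds, then an offer and a 60-second lease from
# a server that is not on the allow-list.
BASE = 1714996800
SAMPLE_LOG = [
    f"{BASE} DISCOVER 02:00:00:00:00:aa - -",
    f"{BASE} OFFER 02:00:00:00:00:aa 192.168.1.1 -",
    f"{BASE + 1} REQUEST 02:00:00:00:00:aa 192.168.1.1 -",
    f"{BASE + 1} ACK 02:00:00:00:00:aa 192.168.1.1 86400",
]
SAMPLE_LOG += [f"{BASE + 10 + i // 10} DISCOVER 02:00:00:00:01:{i:02x} - -" for i in range(25)]
SAMPLE_LOG += [
    f"{BASE + 20} DISCOVER 02:00:00:00:00:aa - -",
    f"{BASE + 20} OFFER 02:00:00:00:00:aa 192.168.1.99 -",
    f"{BASE + 21} ACK 02:00:00:00:00:aa 192.168.1.99 60",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the first four lines produce no alert; the starvation alert fires as soon as the twentieth distinct MAC appears, and the rogue server is reported once on its OFFER, with its 60-second lease reported separately on the ACK. Feeding the same checks from a switch’s DHCP snooping log or a packet capture on the access network is the practical form of the “rogue DHCP server detection” Kristoff mentions.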


Leviathan states that there are several ways to reduce the risk posed by rogue DHCP servers on an unprotected network. One is to use an Android device, which appears to ignore DHCP option 121.

Another efficient way to prevent this attack is to rely on a temporary wireless hotspot that is managed by a mobile device that you own.

According to the researchers, cellular hotspots “create a password-locked LAN with automatic network address translation. An attacker shouldn’t have access to the local network because it is entirely managed by the mobile device and password-protected.”

Running your VPN inside a virtual machine (VM) such as Parallels, VMware, or VirtualBox is another mitigation, according to Leviathan’s Moratti. Unless the VM is running in “bridged mode,” which makes the VM appear as another node on the network, a VPN running inside it is not susceptible to this attack, Moratti said.

A technique known as “deep packet inspection” can also be used to deny all inbound and outbound traffic on the physical interface except for traffic to the VPN server and the DHCP server. Leviathan, however, notes that this mitigation opens the possibility of a “side channel” that could be used to determine the destination of the traffic.

“Theoretically, this could be accomplished by comparing the volume of messages sent by a target user with the attacker’s installed routes in a traffic analysis,” the researchers wrote. “Furthermore, this selective denial-of-service attack is special since it can be used to block access to particular websites that an attacker wants a target user to be unable to access, even while they are connected to a VPN.”

Leviathan’s research suggests that many VPN providers are currently making promises to their customers that, Moratti said, their technology cannot keep.

According to Moratti, the purpose of VPNs is to secure your Internet traffic rather than your local network. “There’s an assurance or promise that can’t be fulfilled when you start promising that your product keeps people from seeing your traffic.”
