Almost all VPNs can be tricked into leaking traffic according to new research

A study carried out by researchers across multiple universities has identified a vulnerability that they claim affects just about every VPN on the market.

If that wasn’t worrying enough, they also believe it has been around since as far back as 1996.

What is TunnelCrack and how does it work?

The researchers who undertook this work were Nian Xue of New York University; Yashaswi Malla, Zihang Xia, and Christina Pöpper of New York University Abu Dhabi; and Mathy Vanhoef of KU Leuven University.

They have dubbed the attack TunnelCrack, and they say it exploits a problem that has been there since the very first VPNs were created back in 1996.

The vulnerability allows user traffic to be sent unencrypted when two possible scenarios are in place at the same time.

The first is when the user’s traffic is being sent to their local network, meaning that enabling the VPN doesn’t disable access to the LAN. The second is when the destination is the VPN server itself, a rule designed to eliminate routing loops.

When these two scenarios are in place, the researchers found that it was possible to manipulate the routing to get traffic sent outside the encrypted VPN tunnel.

To exploit this vulnerability, hackers would have to gain control of the local network, which is easy enough to do with methods such as setting up a rogue hotspot, but is unlikely to happen on your home network.

They then assign their target a public IP address and subnet, and this will force their device to send its web requests outside the VPN’s encrypted pathway.

The attacker can then access the user’s traffic and see which websites they are visiting, even if the site in question employs HTTPS encryption itself.

This sounds quite technical, but in actual fact, it really isn’t. As the researchers themselves said in their publication, “Our attacks are not computationally expensive, meaning anyone with the appropriate network access can perform them, and they are independent of the VPN protocol being used.”

“The leaked traffic can contain sensitive data if older insecure protocols are used,” they continued, “and our attack can be used as a basis to attack such older protocols.”
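
A defensive check for the local-network scenario described above, as an added example that is not from the article or the researchers: it flags a network-assigned address and subnet that falls outside private address space and lists the destinations a local-network exception would send outside the tunnel. The function names, the list of accepted LAN ranges and the sample leases are assumptions constructed for this example.

```python
import ipaddress

# Ranges this example accepts as a genuine LAN (RFC 1918, link-local, CGNAT).
# Assumption of the example, not a rule taken from the article.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10")]


def in_lan_space(obj):
    """True if an address, or a whole network, sits inside LAN_RANGES."""
    if isinstance(obj, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return any(obj.version == r.version and obj.subnet_of(r)
                   for r in LAN_RANGES)
    return any(obj in r for r in LAN_RANGES)


def audit_lease(lease, destinations):
    """Audit an 'address/prefix' lease handed out by the network.

    destinations: IPs the device is about to contact.
    Returns the claimed local network, whether that network reaches beyond
    LAN address space, and which non-LAN destinations an 'allow local
    network' exception would route outside the VPN tunnel.
    """
    # Check the whole network, not just the address: a private address
    # with a very short prefix still covers public space.
    net = ipaddress.ip_interface(lease).network
    exposed = []
    for dest in destinations:
        addr = ipaddress.ip_address(dest)
        if addr in net and not in_lan_space(addr):
            exposed.append(dest)
    return {"network": str(net),
            "suspicious": not in_lan_space(net),
            "exposed": exposed}


# Constructed sample data (documentation address blocks, not real captures).
DESTS = ["203.0.113.80", "198.51.100.7", "192.168.1.1"]
SAMPLE_LEASES = ["192.168.1.23/24", "203.0.113.50/24", "192.168.1.5/1"]

if __name__ == "__main__":
    for lease in SAMPLE_LEASES:
        print(lease, audit_lease(lease, DESTS))
```

The third sample lease shows why the prefix matters: the address itself is private, but the /1 subnet claims half of the IPv4 space as "local".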

Which devices are most vulnerable?

If you are wondering which VPNs are affected and whether your device might be vulnerable in this way, the chances are it is. According to the researchers who identified this vulnerability, “every VPN product is vulnerable on at least one device.”

Somewhat unexpectedly, it is VPNs running on Apple devices that seem to be most likely to have the problem, while those on Windows and Linux also seem to be affected. VPNs on Android are the least likely to be affected, although many still are.

This is not a new problem either. As the researchers have clearly stated, “The root cause of both vulnerabilities has been part of VPNs since their first creation around 1996. This means that our vulnerabilities went unnoticed, at least publicly, for more than two decades.”

Should VPN users be worried?

Now that the vulnerability has been identified, it is likely that the vast majority of VPNs will issue a patch to fix the issue in an upcoming security update.

At the time of writing, we are aware of patches from Mozilla VPN, Surfshark, Malwarebytes, Windscribe, and Cloudflare’s WARP, while Cisco has also issued an advisory note.

If you are concerned, our advice would be to approach your VPN’s customer support team for information and advice.

If there are any further updates on this issue, we will be sure to keep you fully informed.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.