Virtual private network (VPN) companies market their services as a way to prevent anyone from snooping on your internet usage. But new research shows that this is a dangerous assumption when connecting to a VPN over an untrusted network, because an attacker on the same network can force a target’s traffic outside the protection of the VPN without triggering any alerts to the user.

When a device first joins a network, it broadcasts a message to the entire local network asking for an Internet address. Typically the only system on the network that notices and answers this request is the router responsible for managing the network the user is joining.
The machine that handles these requests is a Dynamic Host Configuration Protocol (DHCP) server, which hands out time-limited IP address leases. The DHCP server also tells each client a specific local address, the Internet gateway (also called the default gateway), that all connected systems use as their primary route to everything outside the local network.
A VPN works by creating a virtual network interface that acts as an encrypted tunnel for communications. But researchers at Leviathan Security said they discovered it was possible to abuse an obscure feature built into the DHCP standard to force other users on the local network to route their traffic through a rogue DHCP server.
“Our technique is to run a DHCP server on the same network as the target VPN user and set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When traffic reaches our gateway, we use traffic routing rules on the DHCP server to pass the traffic to the legitimate gateway while listening.”
The feature being abused here is DHCP Option 121, which allows a DHCP server to push static routes to the client that are more specific than the routes most VPNs install. Leviathan found that abusing this option effectively allows an attacker on the local network to install routing rules that take priority over the routes pointing at the virtual network interface established by the target’s VPN, because the operating system always prefers the most specific matching route.
“Pushing a route also means that network traffic will be sent through the same interface as the DHCP server, rather than a virtual network interface,” the Leviathan researchers said. “This is an expected feature that is not explicitly stated in the RFC [standard]. Therefore, for the route we push, it is never encrypted by the VPN’s virtual interface, but is transmitted by the network interface communicating with the DHCP server. As an attacker, we can choose which IP addresses go through the tunnel and which addresses communicate with our DHCP server through the network interface.”
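The two mechanisms the researchers describe above, the Option 121 wire format and the longest-prefix-match rule that lets a pushed route beat the VPN’s tunnel routes, are easy to see in code. The following is an added example written for this article, not Leviathan’s proof-of-concept: it encodes and decodes Option 121 as RFC 3442 specifies, parses a constructed DHCP options area the way a client (or a rogue-DHCP detector) would, and then simulates the routing table a typical VPN client ends up with. All addresses are made up for illustration (RFC 5737 documentation ranges and a 192.168.1.0/24 LAN), and the interface names `tun0` and `wlan0`, the rogue host 192.168.1.200 and the trusted gateway 192.168.1.1 are assumptions, not values from the research.

```python
# Added example (not Leviathan's code): RFC 3442 Option 121 encoding/decoding
# and a longest-prefix-match simulation of a VPN client's routing table.
# Addresses, interface names and the "trusted gateway" are constructed.
import ipaddress

OPTION_ROUTER = 3
OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442
OPTION_END = 255
OPTION_PAD = 0


def encode_option_121(routes):
    """Encode [(destination CIDR, next-hop IP), ...] as the body of option 121.

    RFC 3442 packs each route as: 1 byte prefix length, then only the
    significant octets of the destination (ceil(prefix/8) bytes), then the
    4-byte router address. A default route (0.0.0.0/0) therefore costs 5 bytes.
    """
    body = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest, strict=False)  # host bits are masked off
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += ipaddress.ip_address(router).packed
    return bytes(body)


def decode_option_121(body):
    """Inverse of encode_option_121; rejects truncated or malformed bodies."""
    routes, i = [], 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(body):
            raise ValueError("truncated route entry")
        dest = bytes(body[i:i + significant]) + bytes(4 - significant)
        i += significant
        router = ipaddress.ip_address(bytes(body[i:i + 4]))
        i += 4
        net = ipaddress.ip_network(f"{ipaddress.ip_address(dest)}/{plen}", strict=False)
        routes.append((net, router))
    return routes


def parse_dhcp_options(blob):
    """Parse a DHCP options area (TLV) into {code: value}.

    PAD (0) has no length byte, END (255) stops parsing, and repeated codes are
    concatenated as RFC 3396 requires for options longer than 255 bytes.
    """
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        i += 1
        if code == OPTION_PAD:
            continue
        if code == OPTION_END:
            break
        if i >= len(blob):
            raise ValueError("option code without length")
        length = blob[i]
        i += 1
        opts[code] = opts.get(code, b"") + bytes(blob[i:i + length])
        i += length
    return opts


def build_dhcp_options(router, routes):
    """Constructed options area of a rogue DHCP ACK: option 3 (router) and
    option 121 both point at the rogue host, as in the technique above."""
    o121 = encode_option_121(routes)
    return (bytes([OPTION_ROUTER, 4]) + ipaddress.ip_address(router).packed
            + bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(o121)]) + o121
            + bytes([OPTION_END]))


def suspicious_routes(options, trusted_gateway):
    """Client-side check: option 121 routes whose next hop is not the gateway
    we expect on this network. On most consumer LANs option 121 is absent."""
    if OPTION_CLASSLESS_STATIC_ROUTE not in options:
        return []
    trusted = ipaddress.ip_address(trusted_gateway)
    return [(net, nh) for net, nh in
            decode_option_121(options[OPTION_CLASSLESS_STATIC_ROUTE]) if nh != trusted]


def vpn_client_routes(phys_if, phys_gateway, vpn_if, pushed_routes):
    """Routing table of a typical VPN client after installing pushed routes.

    Many VPN clients add 0.0.0.0/1 and 128.0.0.0/1 via the tunnel so they beat
    the /0 default without deleting it. Option 121 routes are installed via
    the physical interface, so anything more specific than /1 wins over them.
    """
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(phys_gateway), phys_if),
        (ipaddress.ip_network("0.0.0.0/1"), None, vpn_if),
        (ipaddress.ip_network("128.0.0.0/1"), None, vpn_if),
    ]
    table += [(net, nh, phys_if) for net, nh in pushed_routes]
    return table


def egress_interface(table, destination):
    """Longest-prefix match, the rule every kernel applies."""
    addr = ipaddress.ip_address(destination)
    best = max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[2]


def leaked_destinations(table, destinations, vpn_if):
    """Destinations that leave via something other than the VPN interface."""
    return [d for d in destinations if egress_interface(table, d) != vpn_if]


def demo():
    rogue = "192.168.1.200"  # assumed attacker host, also the pushed next hop
    pushed = [("203.0.113.0/24", rogue), ("198.51.100.0/24", rogue)]
    ack_options = build_dhcp_options(rogue, pushed)
    opts = parse_dhcp_options(ack_options)
    flagged = suspicious_routes(opts, trusted_gateway="192.168.1.1")
    table = vpn_client_routes("wlan0", rogue, "tun0",
                              decode_option_121(opts[OPTION_CLASSLESS_STATIC_ROUTE]))
    leaked = leaked_destinations(table, ["203.0.113.10", "198.51.100.5", "192.0.2.7"], "tun0")
    return flagged, leaked


if __name__ == "__main__":
    flagged, leaked = demo()
    for net, nh in flagged:
        print(f"option 121 route {net} via {nh} does not use the trusted gateway")
    print("sent in the clear over wlan0:", leaked)
```

Only the two pushed /24 networks escape the tunnel; 192.0.2.7 still matches nothing more specific than the VPN’s 128.0.0.0/1 and stays encrypted. That selectivity is the point of the quote above: the attacker decides per destination. The `suspicious_routes` check is the kind of client-side test a detector could apply, but note that it needs an out-of-band notion of the trusted gateway, which a first-time visitor to a coffee-shop network does not have.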
Leviathan also found that they could force a VPN user who was already connected on the local network to request a new DHCP lease at will. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests, consuming every IP address it has to hand out. Once the network’s legitimate DHCP server has exhausted its pool, the attacker’s rogue DHCP server can respond to all pending requests.
“This technique can also be used for established VPN connections once the VPN user’s host needs to renew its lease from our DHCP server,” the researchers wrote. “We can artificially create this situation by setting a short lease time in the DHCP lease, so that users update their routing tables more frequently. Additionally, the VPN control channel remains intact because it already uses the physical interface for communication. In our tests, the VPN always continued to report as connected, and the kill switch never activated to disconnect our VPN.”
The researchers say their method could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure and configures it maliciously. Alternatively, an attacker could set up an “evil twin” wireless hotspot to mimic the signal broadcast by a legitimate provider.
Analysis
Bill Woodcock is the executive director of Packet Clearing House, a non-profit organization based in San Francisco. Woodcock said Option 121 has been part of the DHCP standard since 2002, meaning the attack described by Leviathan has been technically possible for the past 22 years.
“They now realize that this can be used to circumvent VPNs, but there are real problems with that approach, and they’re right,” Woodcock said.
Woodcock said anyone who might be the target of a spear phishing attack should be very concerned about using a VPN on an untrusted network.
“Anyone in a position of authority, even high net worth individuals, those are legitimate targets for this attack,” he said. “If I’m trying to attack someone at a relatively secure company and I know where they usually get coffee or a sandwich twice a week, that’s a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being utilized in this way, because again it’s not rocket science, just a bit of outside-the-box thinking.”
Successfully executing this attack on a network does not necessarily let the attacker read all of the target’s traffic or browsing activity, because for the vast majority of websites the target visits the content is encrypted (the website address starts with https://). However, an attacker would still see the metadata of any traffic routed through their gateway, such as the source and destination addresses, and the full contents of anything that is not itself encrypted.
KrebsOnSecurity shared Leviathan’s research results with John Kristoff, founder of dataplane.org and a doctoral student in computer science at the University of Illinois at Chicago. Kristoff said that nearly all user edge network devices, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but it is unclear how widely these protections are deployed in real-world environments.
“But I think this is a key point to emphasize: an untrusted network is an untrusted network, which is why you typically use a VPN in the first place,” Kristoff said. “If [the] local network is hostile in nature and has no hesitation operating a rogue DHCP server, then this is a cunning technique that can be used to decrypt some traffic. If done carefully, I’m sure the user may never notice.”
Mitigation measures
According to Leviathan, there are several ways to minimize the threat of rogue DHCP servers on unsecured networks. One is to use the Android operating system, which apparently ignores DHCP Option 121.
Relying on temporary wireless hotspots controlled by cellular devices you own can also be effective in blocking this attack.
“They created a password-locked LAN with automatic network address translation,” the researchers wrote of the cellular hotspots. “Because the network is completely controlled by the cellular device and requires a password, the attacker should not have local network access.”
Leviathan’s Moratti said another mitigation is to run the VPN from inside a virtual machine (VM), such as Parallels, VMware or VirtualBox. Moratti said VPNs running inside virtual machines are not vulnerable to this attack as long as the VM is not running in “bridged mode,” which makes the virtual machine appear as a separate node on the local network and therefore exposes it to the same rogue DHCP server.
In addition, a technique Leviathan refers to as “deep packet inspection” can be used to deny all traffic to and from the physical interface except for DHCP and the VPN server itself. However, Leviathan said this approach opens up a potential “side channel” that can be used to infer where the traffic is going.
“Theoretically, this could be accomplished through traffic analysis comparing the traffic sent by the target user when the attacker route was installed compared to a baseline,” they wrote. “Furthermore, this selective denial of service is unique because it can be used to censor specific resources that attackers do not want target users to connect to, even if they are using a VPN.”
Moratti said Leviathan’s research shows that many VPN providers currently make promises to customers that their technology cannot deliver.
“VPNs are not designed to make your local network more secure, but to make your Internet traffic more secure,” Moratti said. “When you start guaranteeing that your product can protect people from seeing your traffic, your guarantee or promise isn’t going to be fulfilled.”
A copy of the Leviathan study is provided here, along with code designed to allow others to replicate its findings in a laboratory setting.