Krebs on Security – In-depth security news and investigation

Virtual private networking (VPN) companies market their services as preventing anyone from spying on your internet usage. However, new research suggests that this is a dangerous assumption when connecting to a VPN over an untrusted network, as attackers on the same network could force a target’s traffic to escape the protection provided by their VPN without the user receiving any warning.


The first time a device tries to connect to a network, it sends a message to the entire local network requesting an Internet address. Typically, the only system on the network that notices this request and responds is the router, which is responsible for managing the network to which the user wants to connect.

The machine on a network that is responsible for processing these requests is called a Dynamic Host Configuration Protocol (DHCP) server, and it issues time-limited leases for IP addresses. The DHCP server also takes care of setting a specific local address – a so-called Internet gateway – that all connected systems use as the primary route to the web.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communication. But researchers at Leviathan Security say they have discovered that it is possible to abuse an obscure feature of the DHCP protocol, forcing other users on the local network to connect to a rogue DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When traffic reaches our gateway, we use the traffic forwarding rules on the DHCP server to route the traffic to a legitimate gateway while we spy on it.”

The feature being abused here is known as DHCP Option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than that used by most VPNs. Leviathan found that abusing this option effectively gives an attacker on the local network the ability to set up routing rules that have higher priority than the routes for the virtual network interface that the target’s VPN creates.

“Pushing a route also means that network traffic is sent over the same interface as the DHCP server and not over the virtual network interface,” Leviathan researchers said. “This is intended functionality that is not clearly stated in the RFC (standard). Therefore, the routes we push are never encrypted over the VPN’s virtual interface, but instead are transmitted over the network interface that communicates with the DHCP server. As an attacker, we can choose which IP addresses go over the tunnel and which go over the network interface and communicate with our DHCP server.”
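To make the route-specificity point concrete, here is an added example (not Leviathan's code, and not part of the original article) that decodes a DHCP Option 121 payload and flags any pushed route that would win longest-prefix matching against a full-tunnel VPN's usual 0.0.0.0/1 and 128.0.0.0/1 routes. The VPN routes and the sample option bytes are constructed assumptions for illustration.

```python
import ipaddress

# Routes a typical full-tunnel VPN client installs on its virtual interface
# (an assumption for this example; real clients vary).
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]

def parse_option_121(data: bytes):
    """Decode DHCP Option 121 (RFC 3442): each entry is 1 byte prefix length,
    ceil(prefix/8) significant destination octets, then 4 router octets.
    Returns a list of (destination network, router address) tuples."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8                      # significant destination octets
        i += 1
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dst = bytes(data[i:i + n]) + b"\x00" * (4 - n)   # pad to a full address
        router = bytes(data[i + n:i + n + 4])
        # strict=False tolerates stray host bits the way a lenient client would
        routes.append((ipaddress.IPv4Network((dst, plen), strict=False),
                       ipaddress.IPv4Address(router)))
        i += n + 4
    return routes

def routes_bypassing_vpn(pushed, vpn_routes=VPN_ROUTES):
    """Return pushed routes that beat the VPN's routes on longest-prefix match,
    i.e. destinations whose traffic would leave via the physical interface."""
    leaks = []
    for dst, via in pushed:
        covering = [r for r in vpn_routes if dst.subnet_of(r)]
        if covering and dst.prefixlen > max(r.prefixlen for r in covering):
            leaks.append((dst, via))
    return leaks

# Constructed sample payload (not a real capture): three routes via a LAN
# gateway 192.168.1.254, as a rogue DHCP server on that LAN might push.
SAMPLE_OPTION_121 = bytes([
    24, 203, 0, 113, 192, 168, 1, 254,        # 203.0.113.0/24
    0, 192, 168, 1, 254,                      # 0.0.0.0/0 (no dest octets)
    32, 198, 51, 100, 7, 192, 168, 1, 254,    # 198.51.100.7/32
])

if __name__ == "__main__":
    for dst, via in routes_bypassing_vpn(parse_option_121(SAMPLE_OPTION_121)):
        print(f"WARNING: {dst} via {via} would bypass the VPN tunnel")
```

The /0 default route is not flagged because the VPN's two /1 routes are more specific than it; the /24 and /32 are flagged because they are more specific than the VPN's routes and so take precedence.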

Leviathan found that they could force VPN clients on the local network that already had a connection to request a new one at will. In this well-documented tactic, called a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses it can assign. Once the network’s legitimate DHCP server has exhausted its address pool, the attacker can have their rogue DHCP server respond to all outstanding requests.

“This technique can also be used for an already existing VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers write. “We can artificially create this scenario by setting a short lease time in the DHCP lease so that the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report a connection, and the kill switch was never activated to terminate our VPN connection.”

The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and configures it maliciously. Alternatively, an attacker could set up an “evil twin” Wi-Fi hotspot that mimics the signal broadcast by a legitimate provider.

ANALYSIS

Bill Woodcock is executive director at Packet Clearing House, a nonprofit organization based in San Francisco. Woodcock said Option 121 has been in the DHCP standard since 2002, meaning the attack described by Leviathan has been technically possible for 22 years.

“They now realize that this can be used to bypass a VPN in a really problematic way, and they’re right,” Woodcock said.

Woodcock said anyone who could be the target of spear phishing attacks should have serious concerns about using VPNs on an untrusted network.

“Anyone who is in a position of authority, or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I wanted to attack someone in a relatively high-security organization and knew where they normally get their coffee or their sandwich twice a week, that’s a very effective tool in that toolbox. I would be a little surprised if it wasn’t already being exploited in this way, because it’s not rocket science either. It’s just a matter of thinking a little outside the box.”