back to article There's a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack

A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims' network traffic to go outside their encrypted VPNs, it was demonstrated this week. A team of academics – Nian Xue of New York University, Yashaswi Malla, Zihang Xia, and Christina Popper of New York …

  1. Anonymous Coward
    Anonymous Coward

    Network routing working as intended

    How is this even newsworthy?

    This is network routing working as advertised and has never been within the scope of a VPN client to resolve. It is up to the client software you use to determine whether it’s accessing server infrastructure protected by the VPN or if a MiTM is being attempted. Network administrators have known this for a very long time and it’s also why we’ve been baking proper authentication schemes, integrity protection and encryption into every protocol under the sun for the past two decades.

    Even people correctly using “anonymous VPNs” for their one useful purpose (hiding one’s own IP address for torrenting) aren’t affected by this, since they control the IP ranges they use in that scenario.

    What a nothingburger.

    1. diodesign (Written by Reg staff) Silver badge

      Not everyone is as savvy

      It's newsworthy in that it's research accepted by Usenix and vendors have responded to it. Also not everyone is savvy enough to realize the implications of 'don't route LAN connections via tunnel'.

      So, yeah, we thought it was a neat little trick and something for people to be aware of. If it was deemed WONTFIX by developers and the attack was too esoteric, we would have ignored it.

      And also, we're careful not to say it's the breaking of encryption or anything like that, and that secure connections are still secure.

      If it's not news to you, that's great. But that doesn't make it not newsworthy.


    2. DS999 Silver badge

      Re: Network routing working as intended

      Yeah the fact you need to know the IP address of their VPN makes this really only suitable for a targeted attack - someone specifically wants to attack YOU because you have some data they want.

      I can see why vendors aren't treating it with much expediency, there are a lot bigger issues out there that deserve their greater attention before they worry about this corner case.

      Calling it a "nothingburger" is going too far, but isn't something I'm going to lose any sleep over or be upset if the platforms I use don't fix it.

      1. doublelayer Silver badge

        Re: Network routing working as intended

        It doesn't have to be that narrowly targeted if an attacker with a public access point either collects a lot of known VPN addresses and spoofs them all or even tries it for every client. In the latter case, a lot of clients will receive something weird with their first request that isn't really trying to establish a VPN connection, but most of those first requests will be an OS service or a connectivity check, so they won't see it. That said, it's still a relatively complex attack that is difficult to do automatically, so it's unlikely to be seen very often on even those malicious access points that I occasionally find.

      2. Anonymous Coward
        Anonymous Coward

        Re: Network routing working as intended

        Not that targeted. Looking at the handshake traffic, knocking on the open port at the far side on the vpn server, all it would take is an evil access point and some scripting to turn this into a to-whom-it-may-concern attack, especially as DNS is still the Achilles heel of the internet.

        That said, many people won't be any more than annoyed by this, if they notice it at all, but the other thing to keep in mind that many of these settings aren't user set.

        So yeah, that's why it got a CVE, plenty of VPN deployments insecurely implemented a secure tunnel, undermining their work. The hassles Apple piles on for networking and routing on OSX and IOS undermine their otherwise robust VPN infrastructure.

        Misconfigured networking is still one of many security errors, and DNS and spoofing attacks are real and have been left open for decades. So these ARE real problems.

        This year at DEFCON will probably be fun, like the year firesheep dropped.

      3. sanmigueelbeer

        Re: Network routing working as intended

        I can see why vendors aren't treating it with much expediency

        Because of two (absent) words: "actively exploited".

        So many examples have demonstrated, time and time again, that vendors or code writers priorities changes when the bug or exploit is actively/aggressively being engaged.

        1. DS999 Silver badge

          Re: Network routing working as intended

          So many examples have demonstrated, time and time again, that vendors or code writers priorities changes when the bug or exploit is actively/aggressively being engaged

          As it should be. There are so many bugs, and only so much engineering bandwidth to fix them. I'd rather they prioritize the ones being exploited over the theoretical and frankly not very worrying at all ones like this. Especially if they are being exploited by repressive governments seeking to find and silence journalists, activists, etc. or have the potential to become the first smartphone based mass attack that affects millions.

      4. FIA Silver badge

        Re: Network routing working as intended

        Yeah the fact you need to know the IP address of their VPN makes this really only suitable for a targeted attack - someone specifically wants to attack YOU because you have some data they want.

        Is that how it works? I thought it was the IP address of a site you wished to spoof that you needed?

        EG, I want to intercept Facebook logins, I first get the IP address of, (eg then setup a spoof wireless network that issues an IP address to anything that connects in the range to (say), with a /24 netmask.

        I also then have my site on, which is now on the local network. Many VPNs by default don't route LAN traffic, and your fake facebook site is now on the local LAN as far as the VPN is concerned.... The user of the VPN however is probably being a little less cautious... as they're on a VPN.... so safe from this kind of thing.

        (Replace facebook with a bank or government portal of your choice depending on your intent. ;) )

        Now, in reality, modern browsers are strict enough about HTTPS that this probably won't work as well, but you can still probably get a few people.

      5. gnasher729 Silver badge

        Re: Network routing working as intended

        If I use a VPN, and someone can observe my network traffic, then they can easily identify that all my traffic gets sent to the VPN, and all my traffic is received from the VPN. So the fact that everything uses the same IP address, and everything is encrypted, gives the VPN's IP address away.

    3. HereAndGone

      Re: Network routing working as intended

      Came to say the samething!

  2. chivo243 Silver badge

    Looks like I'm safe!

    creating a Wi-Fi or Ethernet network and trick the victim into connecting to it — for example, by spoofing a Starbucks cafe wireless network.

    1. doublelayer Silver badge

      Re: Looks like I'm safe!

      I wonder what statistics are available about use of public WiFi. While I don't go to places with those networks often enough and most of the time, I'm not trying to connect, I remember using them somewhat frequently a few years ago (I have a VPN) which now feels less necessary with a mobile plan with more coverage and a less limited data throttling policy. I'm sure there are places that don't have that level of mobile coverage or quality, but for the many countries with developed networks, I wonder if public WiFi has become less often used in general.

      1. chivo243 Silver badge
        Thumb Up

        Re: Looks like I'm safe!

        If needed, I use my phone as a hotspot.

      2. Mike007

        Re: Looks like I'm safe!

        Open WiFi would be more attractive if you didn't have to manually click the "Whatever, I agree, now let me have some internet" button every time your device auto connects...

        1. Cliffwilliams44 Bronze badge

          Re: Looks like I'm safe!

          But that actually identifies it as the network you intended to connect to.

          Annoying, but a necessary stop to prevent spoofing.

          1. Mike007

            Re: Looks like I'm safe!

            If you want to use open WiFi then all you care about is if it has internet access... What difference does it make what (easily faked) splash screen comes up when you initially connect?

          2. Claptrap314 Silver badge

            Re: Looks like I'm safe!

            And how, pray tell, does it do that? That page has got to be the most spoofable page on the internet.

  3. Phil O'Sophical Silver badge

    "because most VPNs allow direct access to the local network while using the VPN,"

    They may allow it as an option, but in my experience it's disabled by default, and the VPN configuration used by my employer prevented it from being enabled.

  4. Blazde


    In an age of fancy focus-group tested vulnerability branding I think we should stop to appreciate just how lazy this one is(*). Praise to the researchers for spending time testing "more than 60 VPN clients" instead of improving this.

    (*) So bad that I wouldn't wipe my tunnelcrack with it, and also so bad that I can't even make a decent bad joke out of it

    1. Mike 125

      Re: TunnelCrack

      Shame- my builder won't get his coffee this morning- he doesn't respond to tunnelcrack.

      1. Blazde

        Re: TunnelCrack

        You know that underpass where all the addicts hang out? Bright florescent tubes, every 4th or 5th one broken, trash everywhere, dirty as hell because it never rains down there. Decades ago the walls were bare concrete slabs but are now that horrible quickly applied white paint they use to cover up graffiti, with 5 years of layered new graffiti over the top of that white paint. And the graffiti isn't the nice artist multi-coloured kind. If you clear away a few beer cans and look down on the ground at the bottom of these walls in the right place you can get just about scrape up some tiny dirty beige crystals. That's TunnelCrack.

  5. sitta_europea Silver badge

    While I wouldn't go as far as some, I'd characterize this as "Your Virtual Private Network won't keep your Network traffic Private if you don't use it".

    Well, er, obviously.

    Computers and networks are complicated.

    Keeping them secure is difficult, beyond most of even the savviest of users.

    It's so far beyond the layman that it's probably doing him a service to give him no configuration options at all, and otherwise not even mention it.

    Sometimes, I think, with some of these tools, it's a bit like giving an angle grinder to a six year old. The outcome isn't really in doubt, and you're really not going to like it.

    1. Anonymous Coward
      Anonymous Coward

      A relevant link (safe for work, credit to the artist and Sir Terry for the content...)

  6. Pascal Monett Silver badge

    So this is basically an iOS issue ?

    I use NordVPN.

    I use it because some of my clients, in this post-COVID world, want me to connect remotely, but only from a list of approved locations. It's easier for me to use NordVPN and connect to where I need, than rent a flat and move countries just to do a job that requires less time to do than to transit to the approved location.

    I note that NordVPN does not seem to be at risk on a Windows platform. So I'm good.

    I also note that NordVPN does acknowledge some risk on iOS.

    Seems that iOS needs to get its ducks in a row.

    It Just Works is not supposed to apply to malware, whatever the origin.

    1. GioCiampa

      Re: So this is basically an iOS issue ?

      Could it be that the reason for '"all VPN apps" on iOS' is that they (like other apps) are all just wrappers around some Apple-supplied code or other, so the target size is (effectively) one?

      Pure speculation, admittedly...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like