There's a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack

Re: Network routing working as intended

It doesn't have to be that narrowly targeted if an attacker with a public access point either collects a lot of known VPN addresses and spoofs them all or even tries it for every client. In the latter case, a lot of clients will receive something weird with their first request that isn't really trying to establish a VPN connection, but most of those first requests will be an OS service or a connectivity check, so they won't see it. That said, it's still a relatively complex attack that is difficult to do automatically, so it's unlikely to be seen very often on even those malicious access points that I occasionally find.

Re: Network routing working as intended

Not that targeted. Looking at the handshake traffic, knocking on the open port at the far side on the vpn server, all it would take is an evil access point and some scripting to turn this into a to-whom-it-may-concern attack, especially as DNS is still the Achilles heel of the internet.

That said, many people won't be any more than annoyed by this, if they notice it at all, but the other thing to keep in mind that many of these settings aren't user set.

So yeah, that's why it got a CVE, plenty of VPN deployments insecurely implemented a secure tunnel, undermining their work. The hassles Apple piles on for networking and routing on OSX and IOS undermine their otherwise robust VPN infrastructure.

Misconfigured networking is still one of many security errors, and DNS and spoofing attacks are real and have been left open for decades. So these ARE real problems.

This year at DEFCON will probably be fun, like the year firesheep dropped.

Re: Network routing working as intended

Yeah the fact you need to know the IP address of their VPN makes this really only suitable for a targeted attack - someone specifically wants to attack YOU because you have some data they want.

Is that how it works? I thought it was the IP address of a site you wished to spoof that you needed?

EG, I want to intercept Facebook logins, I first get the IP address of facebook.com, (eg 12.34.56.78) then setup a spoof wireless network that issues an IP address to anything that connects in the range 12.34.56.1 to 12.34.56.70 (say), with a /24 netmask.

I also then have my fakebook.com site on 12.34.56.78, which is now on the local network. Many VPNs by default don't route LAN traffic, and your fake facebook site is now on the local LAN as far as the VPN is concerned.... The user of the VPN however is probably being a little less cautious... as they're on a VPN.... so safe from this kind of thing.

(Replace facebook with a bank or government portal of your choice depending on your intent. ;) )

Now, in reality, modern browsers are strict enough about HTTPS that this probably won't work as well, but you can still probably get a few people.

Re: Network routing working as intended

If I use a VPN, and someone can observe my network traffic, then they can easily identify that all my traffic gets sent to the VPN, and all my traffic is received from the VPN. So the fact that everything uses the same IP address, and everything is encrypted, gives the VPN's IP address away.

Re: Looks like I'm safe!

Open WiFi would be more attractive if you didn't have to manually click the "Whatever, I agree, now let me have some internet" button every time your device auto connects...

Re: TunnelCrack

You know that underpass where all the addicts hang out? Bright florescent tubes, every 4th or 5th one broken, trash everywhere, dirty as hell because it never rains down there. Decades ago the walls were bare concrete slabs but are now that horrible quickly applied white paint they use to cover up graffiti, with 5 years of layered new graffiti over the top of that white paint. And the graffiti isn't the nice artist multi-coloured kind. If you clear away a few beer cans and look down on the ground at the bottom of these walls in the right place you can get just about scrape up some tiny dirty beige crystals. That's TunnelCrack.