TunnelVision security vulnerability for all VPN apps #374
We are aware of this research, and we are investigating the findings before a full response.
To exploit the vulnerability in question, an attacker needs to connect to the same local network as the target and act as a DHCP server. This allows them to modify routing tables and control traffic routing. This way they may route traffic outside of the VPN tunnel, bypassing the routing rules defined by the VPN client. As this vulnerability alters the routing table, it is not a discreet attack: if you can check your routing table, you can tell whether the network is compromised.

Overview of our findings regarding IVPN apps:

1. IVPN Android app is not affected.
2. IVPN iOS app is potentially affected based on our assessment, and the "Block LAN traffic" option enabled in the app does not mitigate the issue.
3. For IVPN desktop apps we have a firewall functionality that blocks all traffic going outside the VPN interface. With the default configuration, IVPN users are not affected by this vulnerability. However, the vulnerability might affect you if:
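Added example, not part of the comment above and not IVPN's code: one way to do the routing-table check that comment mentions, by flagging routes on a non-VPN interface that are more specific than a VPN route and therefore win longest-prefix matching. It assumes a Linux client whose VPN installs its routes in the main table (a split default on `tun0` here); the interface names, addresses and the sample `ip -4 route show` output are constructed.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net dev via proto")

# Constructed `ip -4 route show` output: tun0, eth0 and all addresses are made up.
SAMPLE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
0.0.0.0/2 via 192.168.1.66 dev eth0 proto dhcp metric 100
64.0.0.0/2 via 192.168.1.66 dev eth0 proto dhcp metric 100
128.0.0.0/2 via 192.168.1.66 dev eth0 proto dhcp metric 100
192.0.0.0/2 via 192.168.1.66 dev eth0 proto dhcp metric 100
"""

def _field(tok, key):
    """Return the token following `key`, or None if the key is absent."""
    return tok[tok.index(key) + 1] if key in tok[:-1] else None

def parse_routes(text):
    """Parse `ip -4 route show` lines into Route tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        except ValueError:
            continue  # e.g. "unreachable ..." or "blackhole ..." entries
        routes.append(Route(net, _field(tok, "dev"), _field(tok, "via"), _field(tok, "proto")))
    return routes

def find_bypass_routes(text, vpn_dev, vpn_endpoint=None):
    """Routes off the VPN interface that beat a VPN route by longest-prefix match."""
    routes = parse_routes(text)
    vpn_nets = [r.net for r in routes if r.dev == vpn_dev]
    allowed = ipaddress.ip_network(vpn_endpoint) if vpn_endpoint else None
    hits = []
    for r in routes:
        if r.dev == vpn_dev or r.proto == "kernel" or r.net == allowed:
            continue  # VPN routes, connected subnets, route to the VPN server itself
        if any(r.net.subnet_of(v) and r.net.prefixlen > v.prefixlen for v in vpn_nets):
            hits.append(r)
    return hits

if __name__ == "__main__":
    for r in find_bypass_routes(SAMPLE, "tun0", vpn_endpoint="203.0.113.10"):
        print(f"bypass route: {r.net} via {r.via} dev {r.dev} proto {r.proto}")
```

A route with the same prefix as a VPN route but a lower metric is not covered by this check, and clients that use policy routing keep their VPN routes in a separate table that would have to be passed in instead.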
@stenya Is there any plan at all to fix this??
Actually, the IVPN Firewall was designed to protect users from such types of attacks, and it is effectively doing its job. It is enabled by default. Users should be aware of the potential risks when they manually disable the firewall. We are consistently seeking improvements. However, at present, there is no superior solution that would not impact user usability.
Has the IVPN team seen this? Is this being mitigated?
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
https://www.leviathansecurity.com/blog/tunnelvision