So much for VPNs - Except when used for Android devices

L&LD

This has been out there for some time, and has been heavily exploited...

Neat trick of this particular item is the DHCP Option 121, which can override the default routes...

Here's the catch, it doesn't have to be on the LAN side, this can be upstream...
 
Android is immune because they didn't implement the DHCP standard completely. Lol
 
Android is immune because they didn't implement the DHCP standard completely. Lol

I was going to suggest the same thing - Android lucked out because they use a very limited set of options for their DHCP client daemon...

Would be interesting to see if this happens on ChromeBooks with Android and Linux support - those have always been interesting as FrankenBooks due to the network config juggling there...

The Android subsystem and Linux/Crostini usually are link-local or NAT'ed as a 10dot for IPv4 when running on Chromebooks, but IPv6 is native for some configs - oddly enough, I can run an Android native VPN client on top of ChromeOS, and have access over the VPN for native ChromeOS.
 
This does imply, if I understand correctly, a malicious actor already has access to either the client side LAN or the server side LAN. If that’s the case you already have problems. Trust no hotspot.
 
This does imply, if I understand correctly, a malicious actor already has access to either the client side LAN or the server side LAN. If that’s the case you already have problems. Trust no hotspot.

Actually it doesn't - if your router/AP is compromised, or upstream is as well - well, you still have a problem.

It'll be interesting to see how the VPN Service Providers respond to this...
 
Actually it doesn't - if your router/AP is compromised, or upstream is as well - well, you still have a problem.

It'll be interesting to see how the VPN Service Providers respond to this...
I see it now. The Leviathan website was jumping around every other time I scrolled on my phone. I wonder if OS vendors will do anything as it's working as intended, other than Android. I definitely improved my understanding of DHCP servers this evening.
 
Android is immune because they didn't implement the DHCP standard completely. Lol
Yes, and how many IoT devices don't?

 
Actually it doesn't - if your router/AP is compromised, or upstream is as well - well, you still have a problem.

It'll be interesting to see how the VPN Service Providers respond to this...
It will be interesting to see if and when any VPN providers respond. I will not hold my breath.
 
Before everybody gets up in arms... this scenario is only likely if a rogue DHCP server is interfering with your devices on your own LAN. According to the authors that discovered the vulnerability:

"VPNs were not designed to mitigate LAN attacks on the physical network and to promise otherwise is dangerous."

But it does make you think twice about connecting to an untrusted wifi network in order to VPN to a secure location. Better break out that mobile wifi hotspot instead!
 
Who knows. Who cares. Do IoT devices need to use VPN?
People using them for geolocation services on streaming devices. A lot of which run on Android of some sort. That is if you consider a streaming stick an IoT device, and not just doorbells and lightbulbs.
 
People using them for geolocation services on streaming devices. A lot of which run on Android of some sort. That is if you consider a streaming stick an IoT device, and not just doorbells and lightbulbs.
Possibly. Again... is there any built-in need for something like this to natively use VPN with a possibly not-fully-implemented DHCP standard? Because if not, then this has no bearing on the VPN issue being discussed here.
 