On May 6th 2024, researchers from Leviathan Security publicly announced a newly identified VPN vulnerability in which a malicious actor with local network access can trick devices on that network into sending specific traffic outside of the VPN tunnel.

This vulnerability has been named TunnelVision, and bears a resemblance to TunnelCrack, a similar vulnerability identified late last year.

So what exactly is TunnelVision?

TunnelVision is a network technique that allows a malicious actor to force a user's traffic (when using a VPN) outside of the VPN tunnel.

This is done by manipulating the settings of the network's DHCP server (used for IP address allocation). A malicious actor can use DHCP option 121 to assign static routes at a higher priority on the network than that of the VPN. This results in the device sending traffic intended for the VPN tunnel to a gateway controlled by the attacker outside of the VPN.

Essentially, if you are on a compromised network, the browsing data/requests meant for your VPN are at risk of being intercepted by an unintended third party. This is also known as a Meddler-in-the-Middle (MITM) attack.
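As an added illustration (not code from TunnelBear or from the Leviathan researchers), the following Python decodes a DHCP option 121 payload in its RFC 3442 encoding and reports the pushed routes that would be preferred over the VPN's route. It assumes the host picks the most specific matching route; the function names, sample bytes and addresses are constructed for this example.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode RFC 3442 classless static routes into (network, gateway) pairs."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8  # only the significant destination octets are sent
        end = i + 1 + n + 4  # prefix byte + destination octets + 4-byte router
        if end > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = int.from_bytes(data[i + 1:i + 1 + n] + bytes(4 - n), "big")
        net = ipaddress.ip_network((dest, plen), strict=False)
        gw = ipaddress.ip_address(data[end - 4:end])
        routes.append((net, gw))
        i = end
    return routes

def routes_beating_vpn(routes, vpn_routes, lan):
    """Return pushed routes that are strictly more specific than a VPN route
    covering them and that reach beyond the local subnet."""
    lan = ipaddress.ip_network(lan)
    vpn = [ipaddress.ip_network(v) for v in vpn_routes]
    hits = []
    for net, gw in routes:
        if net.subnet_of(lan):
            continue  # on-link destinations are expected to stay off the tunnel
        # Equal prefix lengths are a tie decided by metric, so they are not flagged.
        if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn):
            hits.append((net, gw))
    return hits

# Constructed sample payload (not captured traffic): two /1 routes that together
# cover all of IPv4, plus one route for the local /24, all via 192.168.1.254.
SAMPLE = bytes([1, 0, 192, 168, 1, 254,
                1, 128, 192, 168, 1, 254,
                24, 192, 168, 1, 192, 168, 1, 254])

if __name__ == "__main__":
    pushed = parse_option_121(SAMPLE)
    # Assumed VPN setup: a single default route through the tunnel.
    for net, gw in routes_beating_vpn(pushed, ["0.0.0.0/0"], "192.168.1.0/24"):
        print(f"route {net} via {gw} would take precedence over the VPN route")
```
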

The impact to VPNs globally

While there are ways to mitigate the impact of TunnelVision, it's important to first understand how this affects VPN users in a more general sense.

What you need to know:

  1. Your home and cellular networks are unlikely to be impacted.
  2. The risk for TunnelVision lies primarily with public networks or networks outside of your control.
    1. An organization running their own infrastructure could maliciously configure this setting on the network they maintain.
    2. An attacker could spoof or hack a public network which, once you connect to it, could be configured in a way that bypasses VPN protections.

While it's unlikely that your home or cellular network would be compromised in this manner, untrusted and public Wi-Fi connections are at risk and should always be connected to with caution.

How is TunnelBear affected?

As soon as we became aware of this vulnerability, our team immediately began investigating if (and how) the TunnelBear apps would be impacted.

What we found:

| Platform | Status | Summary |
| --- | --- | --- |
| Windows | 🟩 Safe | Firewall rules prevent outbound traffic from being sent outside of the VPN tunnel. |
| macOS | 🟥 Vulnerable | Mitigation is possible with firewall rules, but is not currently supported in TunnelBear. |
| iOS | 🟥 Vulnerable | It is not possible to mitigate with firewall rules at this time. |
| Android | 🟩 Safe | Android does not support the DHCP configuration that results in this vulnerability and is unaffected. |
| Extension | 🟩 Safe | HTTP proxies protect browser traffic before it reaches the OS routing table, so the extension is unaffected. |

Unfortunately, both macOS and iOS are vulnerable to TunnelVision. While we can potentially mitigate the impact on macOS with its own set of firewall rules, iOS has no solution in place at this time.

That said, you can enable VigilantBear for iOS. VigilantBear blocks all traffic when TunnelBear enters a connecting/disconnecting state and makes use of a system flag on iOS called "includeAllNetworks". This flag will block local network traffic when enabled and helps prevent the TunnelVision vulnerability.

Next steps and staying safe online

In summary, TunnelVision is a serious but unlikely vulnerability that, if deployed, could route traffic intended for your VPN tunnel to a gateway/server managed by a malicious actor instead.

In order to make sure our users remain safe, we've identified the following action items on our end:

  1. No action is needed for our Windows and Android apps or the TunnelBear browser extension, as they are already mitigated or not impacted.
  2. For our macOS app, we are investigating whether we can add firewall rules that can help prevent this vulnerability moving forward.
  3. There is no short-term solution for iOS. However, users do have the option to enable VigilantBear in their iOS settings to help secure their device.

In the meantime, if you are using TunnelBear on macOS or iOS, we advise you to be careful when connecting to public networks. If you are unsure, avoid connecting to the network, enable VigilantBear, or otherwise keep your browsing traffic limited to non-sensitive data.

As always, stay safe, and commence tunneling.

the TunnelBear Team
