That is going to be a lot of trouble since people are unprepared.
Easy to exploit even for scriptkids.
Big thing to notice here is the generic principle, not just the “oh noes, my dirty porn habits are showing despite my VPN”. It’s also “oh no, my company IMAP emails / videoconferencing / RDP / …”.
It is not a VPN problem, it is a DHCP (and OS) security problem. But ok, easier to get attention by flagging VPN, a big victim that people have heard about and trust.
What is in play is the effects of malicious DHCP. And DHCP not being designed with security in mind. A bit like a malicious BGP message, just local to your PC instead.
A dirty DHCP can provide routing data that takes priority, diverting traffic away from the VPN or anything else you care to name (but often just to a quiet snooping MITM attacker that passes it transparently while saving data for analysis and break-in/blackmail later).
You are basically only safe if your dhcp client is not full-featured enough to just go along with that. Or you don’t use DHCP. Expect patches to roll out soon, to discard these ‘options’ and other tiresome things related to pulling off this sabotage so easily.
Other things that DHCP set up for you:
*) Your local IP address.
*) The default gateway and the subnet mask for that. I.e. where to throw internet packets and which ones are defined as the subnet that does not need to go through the gateway. In relation to the article, VPNs are basically just a different and encrypted gateway.
*) It usually also sets up static addresses for DNS (primary and secondary).
In addition it can set up a bunch of other things. But those are the important basics.
Malicious DHCP, well, if your OS trusts messages from a DHCP server, and it does… then this “attack” can happen. It can point you at a snooping/evil DNS server, it can direct traffic to an evil gateway.
Normally people think that VPNs protect them from both. Not so with this attack. With the ‘other things’ like static routing entries – these will then have traffic directed to them before and instead of your VPN. In effect, not encrypted and not routed through the VPN gateway.
You may be thinking ‘haha, but I manually set my DNS to 8.8.8.8’. Well, it can, by setting a routing entry, retarget that to wherever it wants and your OS will obey. You could try DoH, but that is another discussion with other drawbacks, like handing a lot of your browsing history to the DoH provider.
DHCP is not secure. And the client by definition has to be rather trusting.
It is Old Hat that this is a vulnerable situation, but sometimes the old becomes the new. DHCP was designed for closed trusted connections where the DHCP server was in trusted hands (before a lot of nasty tricks were an easy-peasy download you don’t even need the dark web for).
It was not for the internet of today and the wild wild world of wifi, nor for the whole public and every criminal and spook being on the internet with you. Including every ex, every ‘frenemy’, every coworker who wants your job, every conman, blackmailer, industrial spy and nutjob with an agenda or imagined grudge.
This is going to be big for a while, coming to every wifi hotspot near you, real-soon-now. Because now that these fools have blurted out how vulnerable DHCP really is for messing with people’s VPNs, countless assholes will be out to try it in cafes, airports, on the train… anywhere they think people will be getting on wifi with their phone/laptop.
Not that it won’t happen on wired-only, you are just less likely to have an attacker hit this there without them already having a foothold on the network. With (public) wifi that attack surface is just much larger and the worry is (or should be) that the whole hotspot is evil.
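The comment above describes DHCP pushing static routes that win over the VPN's routes by being more specific. The following is an added defender-side example, not code from the comment or from any vendor: it decodes the classless static route option (DHCP option 121, RFC 3442) from a constructed lease payload and flags pushed routes that would steal traffic from an assumed full-tunnel VPN whose gateway is 10.8.0.1.

```python
from ipaddress import IPv4Address, IPv4Network

def parse_classless_routes(opt121: bytes):
    """Decode the payload of DHCP option 121 (RFC 3442) into a list of
    (destination network, next-hop router) pairs. Each entry is: a prefix
    length, only the significant destination octets, then a 4-octet router."""
    routes, i = [], 0
    while i < len(opt121):
        plen = opt121[i]
        nbytes = (plen + 7) // 8
        if plen > 32 or i + 1 + nbytes + 4 > len(opt121):
            raise ValueError("malformed or truncated option 121 payload")
        dest = opt121[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        router = IPv4Address(opt121[i + 1 + nbytes:i + 1 + nbytes + 4])
        routes.append((IPv4Network((dest, plen), strict=False), router))
        i += 1 + nbytes + 4
    return routes

def routes_bypassing_vpn(pushed, vpn_routes):
    """Return pushed routes that beat a VPN route on longest-prefix match
    while pointing at a next hop other than the VPN gateway."""
    hits = []
    for net, gw in pushed:
        for vnet, vgw in vpn_routes:
            if gw != vgw and net.subnet_of(vnet) and net.prefixlen > vnet.prefixlen:
                hits.append((net, gw))
                break
    return hits

# Constructed sample payload (not captured from a real network). 192.0.2.0/24
# is the documentation range, standing in here for the untrusted LAN router.
SAMPLE_OPT121 = bytes.fromhex(
    "01 00 c0000201"       # 0.0.0.0/1      via 192.0.2.1
    "01 80 c0000201"       # 128.0.0.0/1    via 192.0.2.1
    "18 cb0071 c00002fe"   # 203.0.113.0/24 via 192.0.2.254
)

# Assumed full-tunnel VPN: a default route through the tunnel gateway.
VPN_ROUTES = [(IPv4Network("0.0.0.0/0"), IPv4Address("10.8.0.1"))]

def audit_lease(opt121: bytes = SAMPLE_OPT121, vpn_routes=VPN_ROUTES):
    """Parse a lease's option 121 and report routes that divert VPN traffic."""
    return routes_bypassing_vpn(parse_classless_routes(opt121), vpn_routes)

if __name__ == "__main__":
    for net, gw in audit_lease():
        print(f"WARNING: DHCP pushed {net} via {gw}, bypassing the VPN tunnel")
```

The two /1 routes are the classic trick: together they cover the whole internet yet are each more specific than the tunnel's /0, so the OS prefers them without the VPN noticing anything.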
lol