In brief: Many users consider VPNs essential for maintaining digital privacy. However, researchers have discovered an exploit that can completely neutralize the technology without the target knowing, and every VPN on every operating system except Android is vulnerable. Furthermore, the only foolproof workaround is currently exclusive to Linux.
Researchers at the Leviathan Security Group have publicized an exploit that can force a VPN user to transmit unencrypted internet traffic outside of the VPN tunnel, exposing them to snooping and defeating the entire purpose of the technology. Currently, no method to fully address the problem exists on popular operating systems like Windows, macOS, or iOS. Although the researchers have found no evidence of active exploitation, it may have been possible for over two decades.
By running a DHCP server on the same network as their target, a malicious actor can route traffic meant for a VPN through a gateway and read it without encryption. The method is particularly sneaky because an affected user won’t notice anything unusual.
The VPN channel remains undisturbed, so a device will still show that it is functioning properly, and kill switches never activate. Moreover, all encryption algorithms and VPN protocols are vulnerable since the exploit circumvents the entire system. The researchers tested WireGuard, OpenVPN, and IPsec.
However, the exploit’s primary weakness is that it requires DHCP option 121. Because Android doesn’t support option 121, attacks don’t affect Android devices. Those using other operating systems can ignore 121, but the workaround risks disconnecting a device from the internet, and an attacker could deny access until option 121 is reenabled.
Using network namespaces also fixes the problem, but only Linux supports the function. The researchers suggest that Windows and Apple consider updating their operating systems to include the option.
Other mitigation methods like disabling DHCP, tightening firewall rules, or using a hotspot to access a VPN could break network connectivity or offer attackers alternate pathways for spying on victims. Users employing a VPN to maintain as much privacy as possible should exercise more caution when choosing which public hotspots to use.
In related news, every VPN on iOS possibly still leaks data that could identify an iPhone or iPad’s IP address, four years after ProtonVPN first reported the problem to Apple. As of August 2023, the issue persists. IVPN removed the kill switch on its iOS app in response, but it’s unclear if iOS 17 has resolved the problem.