Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.
You must log in or register to comment.
Use a killswitch then… no vpn, no internet
In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.
This is the only place they mention kill switch. I feel like it needs a slight clarification on whether it was enabled and didn’t work, or if was just disabled and therefore not “engaged”.
I couldn’t quickly find an answer to this, but would setting the “UseRoutes” option in systemd-networkd to false prevent the dhcp client from using the option 121 routes?
If so, would this be a possible mitigation for linux devices using systemd?
See also
UseGateway.
MITIGATIONS
According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.
Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.
“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”
Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.
Now when I’m lazy and don’t support some standards in my open source projects, I’m just going to say its for security.
