New TunnelVision Attack Explained (May 2024)


TunnelVision (CVE-2024-3661) research write up

Chapters
00:00 TunnelVision Attack CVE-2024-3661
01:00 Split Tunnel VPN
02:15 Full Tunnel VPN
03:15 Tunnel-vision attack
04:42 Mitigation for Tunnelvision
Comments
Author

Thanks Tom for breaking this down and getting the word out.

madscientist
Author

Great explanation, thanks Tom! I bought a gli travel router before our last family holiday but didn't take it in the end because I already had a bag full of electronics :)) but I will make room for it next time we travel.

urzaaaaa
Author

Thanks for explaining this. Great job!

dorianphillips
Author

It is actually a useful feature if you know how to use it. Not a bug at all, nor should it be categorized as a vulnerability in my opinion.

mikevelasquez
Author

Hey Tom, totally unrelated question, but what software are you using to make those drawings/diagrams? 🙂

ONAD
Author

Could you or someone elaborate on 5:45 ? Should I not be running the VPN client on my travel router?

Emerald
Author

If a feature is found to be a potential security issue then we need a feature to disable it.

adriftatlas
Author

I use this on my home network to advertise routes to other subnets. Yes, I have multiple subnets at home.

Sylvan_dB
Author

Thanks for this explanation. People are saying all your traffic is decrypted, but it's just some metadata. In some cases that matters, in most it does not.

yoyoyuyu
Author

Well, since you brought them up, I'd love to see a good in-depth setup tutorial on configuring travel routers. Most I've seen use the gl-inet hardware with their baked-in firmware. It's ok, but it's several versions behind the full open source version, which doesn't speak highly of staying on top of vulnerabilities. What they *have* done is optimize the settings to make it much more accessible to the general user -- and the default open source version is anything but user friendly. I'd love to see a tutorial on setting up the devices with the latest open source version and talking through the various configuration options. There's literally nothing out there (that's current). It'd bridge the gap from the other channels like Chris at crosstalk that simply promote the custom firmware and ignore the potential security issues with that stance. Just a thought.

plrpilot
Author

Sooo, what stops an ISP from doing this?

southseapirate
Author

Tom, I think you could have also mentioned that it's not really an issue for overlay networks that tend to poke /32 routes into your routing table.

Also, it's not difficult to remediate. Any VPN client could monitor your routing table for conflicting routes, or any end point protection system could monitor for suspicious routes in DHCP replies.

Depending on the configuration of your DHCP client, an attack like this would be easily identified in your logs.

dragonwisard
Author
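The monitoring idea in the comment above, as an added example that is not from the video or from any commenter: TunnelVision abuses DHCP option 121 (classless static routes, RFC 3442), so a DHCP client hook or endpoint agent can decode that option and alert when a pushed route would pull traffic out of a full-tunnel VPN. The function names and the sample option bytes below are constructed for this example.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Destinations a LAN DHCP server may legitimately route (e.g. other home subnets).
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_option_121(body: bytes) -> List[Route]:
    """Decode a DHCP option 121 body (RFC 3442) into (destination, gateway) pairs.
    Each entry is: 1-byte prefix length, ceil(len/8) significant destination
    octets, then a 4-byte gateway address."""
    routes: List[Route] = []
    i = 0
    while i < len(body):
        plen = body[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        dest_sig = body[i + 1:i + 1 + n]
        gw = body[i + 1 + n:i + 5 + n]
        if len(dest_sig) != n or len(gw) != 4:
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Network((dest_sig.ljust(4, b"\x00"), plen), strict=False)
        routes.append((dest, ipaddress.IPv4Address(gw)))
        i += 5 + n
    return routes


def flag_tunnel_bypass(routes: List[Route]) -> List[Route]:
    """Return pushed routes that send non-RFC1918 (public) destinations to a LAN
    gateway. On a full-tunnel VPN host such a route is more specific than the
    tunnel's default route and wins, so that traffic leaves outside the tunnel.
    The default route (prefix 0) is normal in option 121 and is not flagged;
    a corporate route to public space would be flagged too, so treat the
    result as an alert list to review, not an automatic verdict."""
    return [(dest, gw) for dest, gw in routes
            if dest.prefixlen > 0 and not any(dest.subnet_of(p) for p in RFC1918)]


# Constructed sample option body (not captured from a real network): the classic
# "split the default into two /1 routes" push, one benign home subnet, and the default.
SAMPLE_OPTION_121 = bytes.fromhex(
    "01" "00" "c0a83201"     # /1  0.0.0.0    -> 192.168.50.1
    "01" "80" "c0a83201"     # /1  128.0.0.0  -> 192.168.50.1
    "10" "0a14" "c0a832fe"   # /16 10.20.0.0  -> 192.168.50.254 (legitimate)
    "00" "c0a83201"          # /0  default    -> 192.168.50.1
)

if __name__ == "__main__":
    for dest, gw in flag_tunnel_bypass(parse_option_121(SAMPLE_OPTION_121)):
        print(f"ALERT: DHCP pushed {dest} via {gw}; this bypasses a full-tunnel VPN")
```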

@Lawrence Systems what did you use to make the animated diagram?

xephael
Author

Not only can DHCP do this but I'm like 99% sure ICMP itself has a way to "suggest" routes to computers via different gateways. I'm not certain if those can be made gratuitous though.

Jamesaepp
Author

I consider this a VPN configuration problem. Why would the VPN not encapsulate that traffic?

Sylvan_dB
Author

What I love about WireGuard is that the IP configurations are statically assigned to the users. Plus WireGuard can force all traffic to go through the tunnel, which is what I currently have it set to.

Darkk
Author

static IP on my pfsense WAN = I'm safe yeah?

StephenMcGregor
Author

Did he explain the vulnerability or not? I think he didn't. Am I stupid?

complexity
Author

This explanation, to my understanding, seems at least incomplete.

For this vulnerability to work the DHCP server also has to become the gateway.

Now, this vulnerability is extremely easy to execute on non-authenticated networks like most public networks, many corporate networks and many private networks.

However, this attack does require being present on the same network as the target, which does introduce a challenge.

JLT
Author

pfSense® Software Embraces Change: A Strategic Migration to the Linux Kernel

fbifido