I would think this is more likely to arise from a malicious network admin than a misconfigured network or rogue DHCP server.
At what point does it stop being Apple/Microsoft/Linux Distro Dev/dev who fully implemented all DHCP options' problem and start being the end user's problem for using an untrusted network though? I still stand by my assessment that this should never have gotten a CVE assigned, because in any practical, real deployment you should have protection against rogue DHCP servers and VPN providers should get reamed for false advertising
There is a lot of misinformation about this whole thing unfortunately.
On the one hand, you have VPNs that claim they protect you, which you see here they cannot always do. That btw to me is an actual vulnerability in the OS.
On the other hand, there are a lot of self claimed security experts that deny the wide existence of WiFi based attacks. They claim one should not have to worry being hacked when using public WiFi because of TLS (or https as they call it).
In my eyes both are wrong.
Personally, the TunnelVision vulnerability is kind of shocking to me (I admit I am being naive and ignorant), as I always assumed a PC with VPN (kill switch enabled), firewall enabled and with only essential software installed should be quite sufficient; turns out these “defenses” could be bypassed effortlessly.
I think it somehow demonstrates (again) the inherited risks of OSes like Windows and Linux (not sure about Mac) that were designed with compatibility / flexibility / configurability in mind.
Sure the OS vulnerabilities should be fixed, but I think the root cause is the internet standards failed to keep up with the risks? By the way, is DHCP option 121 essential at all?
Again I am just an average user so I think I could and would be wrong here.
Not an OS vulnerability, a network infrastructure misconfiguration.
Yes, it's useful for some routing use-cases.
The risk here being, people want to be able to use untrusted networks safely. I will say, DHCP could be updated to include some sort of authentication (maybe preshared certs? or TOFU?) but it still wouldn't solve all the random “free wifi” shit floating around that wouldn't get updated if DHCP was upgraded in that way, the ancient networking gear would stick around.
Which, a) is so depressing, but b) keeps me in a job. So we take those I guess
Just curious, so you think it is an expected behaviour if the router is configured that way?
This is the main benefit VPNs advertise themselves to have, so I feel like it is understandable that a user would expect using a VPN would allow them to do so.
Be honest, in some countries, even cell networks are not safe as operators work with the Government to crack down on civil societies and really can't be treated as “trusted networks”.
Same thing goes for all networks that the user has no full control over, even friends' homes or workplaces; not saying they are malicious, but the routers might not be “properly configured”, sometimes the router admin credentials even remain default and might be compromised (happened to my friend once), or the ISP / router manufacturer can simply push bad updates to your router and “MISCONFIGURE” your network.
If TunnelVision is being treated as merely a misconfiguration, then I think the most reasonable thing to do to “avoid” “misconfigurations” is to use devices where the system ignores option 121.
I know it sounds dramatic but there are places on earth where people (just ordinary people but with opinions) really can't take that risk.
I wish we could just consider all DHCP options to be a gigantic vulnerability, outside of simply providing IP addresses. Why the fuck would I want anyone to be able to remotely configure any of these things on my device in any context?
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#Options
Enterprises should use an MDM to configure this stuff on their devices, and there aren't any non-enterprise scenarios where this would be useful…
Well there are quite some useful parts.
NTP, DNS, bootfile size, TCP and ARP TTL params… etc.
NTPP is also in the list which is also a protocol used to exchange status updates and commands, important for failover systems to name something.
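Since the thread keeps coming back to what DHCP option 121 actually carries, here is an added decoder for its RFC 3442 classless static route list, plus a check that flags any pushed route whose destination falls outside the local networks a device expects (example code written for this page, not from anyone in the thread or from any VPN product; the sample option bytes and the allowlist are constructed).

```python
import ipaddress
from typing import List, Tuple

# Constructed sample DHCP option 121 payload (RFC 3442 encoding):
#   <prefix length><significant destination octets><4-octet router>
# Route 1: 10.20.30.0/24 via 192.168.1.1  (a typical "local subnet" use case)
# Route 2: 203.0.113.0/24 via 192.168.1.1 (RFC 5737 documentation prefix, i.e. public space)
OPTION_121_SAMPLE = bytes.fromhex(
    "18 0a 14 1e c0 a8 01 01"
    "18 cb 00 71 c0 a8 01 01"
)

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option_121(payload: bytes) -> List[Route]:
    """Decode RFC 3442 classless static routes from a raw option 121 value."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        n = (plen + 7) // 8          # only the significant destination octets are sent
        i += 1
        if i + n + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = bytes(payload[i:i + n]) + bytes(4 - n)   # pad back to a full address
        i += n
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def routes_outside_allowlist(routes: List[Route], allowed: List[str]) -> List[Route]:
    """Return pushed routes whose destination is not inside any expected local network.

    With a full-tunnel VPN up, such a route would send that traffic out the physical
    interface instead of through the tunnel, which is the behaviour being discussed.
    """
    allowed_nets = [ipaddress.IPv4Network(a) for a in allowed]
    return [(net, gw) for net, gw in routes
            if not any(net.subnet_of(a) for a in allowed_nets)]
```

The allowlist is the assumption here: a device that only expects RFC 1918 subnets from the local DHCP server can treat anything else in option 121 as a signal to refuse the lease or alert.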
might be fun to share, I am retesting this kill switch feature on an intel based mac and so far no issues. Perhaps it has been silently fixed? Will report back should I find issues again.
Notably, there are no enterprises where BYOD devices are used widely, such as educational institutions. Clearly they should MDM student devices that do not belong to the organisation : D
And in many countries you can have incompetent cellular network operators who don't bother to validate BGP configurations and take down their entire network for 12 hours. So yeah I would agree that cellular networks should absolutely be trusted less if not untrusted, generally.
Yes
Eh, not quite the same. And besides, you probably should not be using a personal device for personal things at work or on your work network. If you're in the camp of “you can't trust your workplace ever!” then you might enjoy “Das Kapital” by old man Marx and the concept of “worker-owned companies”
Right, which is why you also said that networks where you're not in control of the network (and I will add, where someone you trust is not in control of the network) are untrusted: no one who seriously cares about privacy and security would be using an ISP router, that's extremely silly because at best you'll get barely any updates and at worst, actively malicious updates.
Yes, which is dodgy marketing.
Thank you very much for the elaboration, I shall dig
(And more importantly, read to learn more) deeper and try to find out what should be done.
That is not true as at times the better privacy option is more money up front which many of us can not afford. Having a router from the ISP tends to be very cheap monthly, but buying one with the same capabilities? It would cost me 25x the cost of one month, roughly.
Because of that many of us that are in fact serious about security and privacy are left with using what we are able to use, even if it potentially lowers privacy/security.
Plus what you said here in a few countries (EU, Canada, USA, etc.) could happen, would have blowback and has at this time to my knowledge never been done in such a way.
Please correct me if I am wrong and ISPs have updated routers they rent out on purpose for malicious actions that were ordered by a governmental office.
I'm only familiar with the Australian context, but as far as I'm aware there is no evidence of active malicious updates, only incompetence such as the previously mentioned BGP route fuckery.
Yeah, which is not a great state of affairs. I'll soften my comment to “Anyone who cares about privacy and security would not be using an ISP router by choice”, since, as you said, it's expensive in a lot of places to get decent networking gear.
Fingerprinting VPNs with Custom Router Firmware
Not related to TunnelVision
Useful to spell out the concept to people, though this has already been possible with enterprise firewalls for a long time, as anyone who's seen logs from them with nicely labelled application categories can attest lol
I have not experienced any memory-like issues anymore but I have to report that the kill switch feature is completely broken. It's not doing what it says, it leaks data while not being connected and just connects anyway to the network after reboot without any blocking. Pretty much can conclude the kill switch is dull.
A huge problem because if I remember correctly most people are concerned about what's going to happen when they are connected to a public wifi. And I'm concerned about that too.
There's some stuff a tablet can't do compared to a Linux PC/laptop. If you can do everything you want to do on the tablet then it's a great choice