What Is the VPN TunnelVision Attack Vulnerability? 2024

Why you can trust us

  • 407 Cloud Software Products and Services Tested
  • 3056 Annual Software Speed Tests
  • 2400 plus Hours Usability Testing

Our team of experts thoroughly test each service, evaluating it for features, usability, security, value for money and more. Learn more about how we conduct our testing.

The publication of a report on a new potential exploit known as TunnelVision rocked the VPN world in May 2024. According to researchers, the TunnelVision attack vulnerability can be used to redirect user traffic outside an encrypted VPN tunnel, all while the user remains unaware of what’s happening.

To be clear, the report did not indicate that hackers are actively using TunnelVision, though the authors did speculate that it may have been possible as long ago as 2002. Not only is it a difficult exploit to pull off, but it’s also negated by simple security measures that the best VPNs implement as a matter of course.

In this article, we’ll explain how TunnelVision works and what it can do, and share our expert opinion of why the threat is overblown. Read on to learn how you can protect yourself.

Meet the experts

Learn more about our editorial team and our research process.

What Is the TunnelVision Vulnerability?

Leviathan Security researchers Dani Cronce and Lizzie Moratti detailed the TunnelVision vulnerability in a blog post published on May 6, 2024. The whole post is worth reading, but to summarize, TunnelVision involves manipulating a system called Dynamic Host Configuration Protocol (DHCP) to send data outside an encrypted VPN tunnel.

Online Security

Check out our online security courses and grab a limited-time offer.
Enrollment available now!

Enroll Now

DHCP is designed to assign IP addresses to devices connecting to the internet through a local network. When a device wants to get online, it sends a request to the DHCP server, which replies by offering a temporary IP address.

In theory, a rogue server on a public network could supplant the DHCP server. Using a tool called Option 121, the rogue DHCP server can redirect traffic from VPN clients through its own gateway and monitor it outside the VPN tunnel. The insidious part is that the VPN client still tells the user that everything is proceeding like normal.

When Is a VPN Susceptible to a TunnelVision Attack?

As the previous section suggests, several factors have to align for a VPN to be in danger of a TunnelVision attack. The targeted VPN user must be on a public WiFi network, not a secure network or cellular data. A hacker with the right administrative privilege can compromise the public WiFi network to tinker with the DHCP settings.

The user must also be on a VPN app without a reliable kill switch. A VPN kill switch, which comes standard with all trustworthy services, cuts off your internet connection if it notices your connection with the VPN server has broken. Since TunnelVision breaks that connection, a well-built kill switch should counter it immediately.

Furthermore, Android users are completely unaffected, since DHCP Option 121 does not exist on that operating system. In short, TunnelVision is a lot of work for a potential data thief to set up, with very little guarantee of a return on their investment.

VPN Responses to the Vulnerability

VPN providers have downplayed the risk from TunnelVision, arguing (correctly, in our opinion) that any service with a working kill switch will not be impacted. Lauren Hendry Parsons of ExpressVPN said in the company’s statement,

 “In practice, it takes quite a combination of factors, all existing simultaneously, for this issue to present any risk at all.”

Responses from the teams at Surfshark and CyberGhost followed a similar pattern. All reported that their kill switches neutralized the vulnerability, a mitigation that the Leviathan researchers directly acknowledged.

In response to our inquiries, a NordVPN spokesperson highlighted how difficult it would be for an attacker to gain any advantage from the TunnelVision exploit. In their view, if a malicious network administrator wanted to avoid triggering the kill switch to spy on a user, they could only do so by blocking IP addresses and seeing whether the user’s traffic drops.

This is a lot of work for very little payoff, to say the least. At best, after an hour of work, they might be able to prove a user had visited a certain website. All in all, we agree with Parsons’ sentiment that the research doesn’t invalidate VPNs but does emphasize “how important it is that VPNs meet a standard of excellence when it comes to privacy and security design.”

What VPN Users Can Do to Stay Safe

If you mainly use your VPN to get online from your home, office or another secure network, there’s nothing you need to do. Compromising such a network to gain administrator privileges is extremely difficult. It’s also impossible for TunnelVision to compromise a cellular data network.

The only potential risk is if you use a public WiFi network that might have a malicious administrator. In that case, all you need to do is activate your VPN’s kill switch (which may sometimes have another name, like ExpressVPN’s “network lock”).

With a kill switch engaged, the VPN should immediately detect that your traffic isn’t going through one of its servers and cut off your internet. In other words, as soon as a TunnelVision attacker redirects your VPN traffic outside the VPN tunnel, you’ll stop broadcasting altogether. There won’t be anything for the hacker to see.

Of course, not every VPN kill switch works 100% of the time. That’s why it’s so important to use a trustworthy, well-reviewed VPN provider. Our team of experts recommends ExpressVPN. Find out why in our full ExpressVPN review.

Final Thoughts

We agree with the Leviathan researchers that VPNs shouldn’t claim they can protect you on public WiFi if they’re vulnerable to exploits like TunnelVision. VPNs should be able to prove that their features work before they advertise them to consumers.

However, that doesn’t really change anything that hasn’t always been true. You should never use a VPN that can’t vouch for its kill switch, obfuscation and other security features. TunnelVision is mainly a problem for shoddy VPNs; stress-tested premium providers remain trustworthy.

If you have any other questions about the TunnelVision vulnerability, please let us know in the comments below. Thanks for reading!

FAQ: TunnelVision Attacks

  • VPN protocols use asymmetric encryption like SSL/TLS to create a secure connection between your device and VPN servers. Once this “VPN tunnel” is in place, VPNs use symmetric encryption like AES-256 to protect data packets in transit.

  • Yes! VPNs can keep you anonymous and screen your online activity, as long as they regularly update their apps to protect against newly discovered vulnerabilities like TunnelVision.

VPN protocols use asymmetric encryption like SSL/TLS to create a secure connection between your device and VPN servers. Once this u201cVPN tunnelu201d is in place, VPNs use symmetric encryption like AES-256 to protect data packets in transit.n”}},{“@type”:”Question”,”name”:”Are VPNs Really Secure?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”

Yes! VPNs can keep you anonymous and screen your online activity, as long as they regularly update their apps to protect against newly discovered vulnerabilities like TunnelVision.n”}}]}]]>

Let us know if you liked the post. That’s the only way we can improve.



Source