Virtual private network (VPN) connections designed to keep data safe from snooping eyes may be vulnerable to two forms of network attacks by malicious parties with access to a local network, a research paper (PDF) explained on June 30. The founders of Cloak, a VPN service with native iOS and OS X apps, say that the more severe of the two vulnerabilities also exists in iOS's most deeply integrated VPN protocol, and can't be mitigated without Apple's involvement.
A VPN creates an encrypted "tunnel" between two endpoints, one on a computer or mobile device and another on a server in a data center (for public VPNs, like Cloak, TunnelBear, and many others) or on a company's network. This tunnel is designed to prevent sniffing of a connection at a public place and over broadband networks.
The research paper points to two key weaknesses the authors were able to exploit in several popular VPN services' apps, some of which are also available for other platforms, across three common protocols: PPTP, L2TP, and OpenVPN. While iOS and OS X also support PPTP and L2TP for establishing and encrypting a connection, Cloak's Dave Peck and Peter Sagerson, two of its three founders, built a proof of concept showing that an additional protocol, IPsec, is susceptible to one of the exploits.
Peck says that because of how Apple has built IPsec into iOS, any VPN client using that protocol--including Cloak--could be fooled. The company filed a report in Apple's bug-tracking system yesterday (mirrored here), and posted a security notice today on its site. Macworld asked Apple for a comment, and will update this story if one becomes available.
While the severity is high, the risk of wide-scale exploitation is low. Let's get into the details.
How the hijacking works
The five authors of "A Glance through the VPN Looking Glass" found two unique problems in examining commercially available VPN client software. The first relates to IPv6 networking, which doesn't seem to affect iOS and can be worked around in OS X. The second involves DNS (domain name system) hijacking. In both cases, the integrity of the secure tunnel isn't affected. Rather, it's the ability to intercept a subset of traffic that's at stake, allowing a malicious party to act as a man-in-the-middle.
DNS hijacking potentially affects any connection made through the VPN. In the exploit described in the paper, a ne'er-do-well has to hijack local network address assignment using DHCP (Dynamic Host Configuration Protocol). On public networks, a device first connects to the network, and then a DHCP server in the network's router assigns it a local address, and provides a network range for the local network and DNS server details.
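The hijack above depends on the client continuing to send DNS queries to the resolver the local DHCP server handed out rather than to one reachable only inside the tunnel. The following script is an added example, not code from the paper or from Cloak: it reads a resolv.conf-style resolver list (a constructed sample is embedded) and flags any resolver that is not inside the VPN's tunnel range. The tunnel range 10.8.0.0/24 and the local range 192.168.1.0/24 are assumptions chosen for the sample; substitute the ranges your own VPN and network use.

```python
"""
DNS-leak check (added example; not from the paper or from Cloak).

Given the resolvers a host is actually configured to use and the address
range the VPN assigns to the tunnel, report any resolver that sits outside
the tunnel. A resolver on the local LAN after the tunnel is up means DNS
queries bypass the VPN, which is the condition the DHCP-based hijack needs.
"""
import ipaddress
import re

# Constructed sample: a resolv.conf as it might look after joining a public
# network (DHCP supplied 192.168.1.1) and then bringing up a VPN whose tunnel
# resolver is 10.8.0.1. Both addresses are hypothetical.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 192.168.1.1
nameserver 10.8.0.1
search coffeeshop.local
"""

VPN_TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # assumed tunnel range
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")     # assumed DHCP-assigned LAN range


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue                              # ignore malformed entries
    return servers


def classify_resolvers(servers, tunnel_net, local_net):
    """Label each resolver as 'tunnel', 'local' (LAN, i.e. a leak), or 'other'."""
    labels = {}
    for s in servers:
        if s in tunnel_net:
            labels[str(s)] = "tunnel"
        elif s in local_net:
            labels[str(s)] = "local"
        else:
            labels[str(s)] = "other"
    return labels


def leaked_resolvers(resolv_conf_text, tunnel_net=VPN_TUNNEL_NET, local_net=LOCAL_NET):
    """Resolvers outside the tunnel; a non-empty list means DNS may bypass the VPN."""
    labels = classify_resolvers(parse_nameservers(resolv_conf_text), tunnel_net, local_net)
    return sorted(ip for ip, label in labels.items() if label != "tunnel")


if __name__ == "__main__":
    leaks = leaked_resolvers(SAMPLE_RESOLV_CONF)
    if leaks:
        print("DNS may bypass the VPN via:", ", ".join(leaks))
    else:
        print("All configured resolvers are inside the tunnel")
```

On a real host, feed the script the contents of /etc/resolv.conf (or the resolver list your platform exposes) instead of the constructed sample; the check is only as good as the tunnel range you give it, so take that from the VPN's actual configuration.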