A limited set of risks
The good news about this exploit is that while it is severe in its nature, it's very to extremely limited in how it might be turned against VPN users.
First, the hijacking doesn't subvert secure web, email, or other connections. For banking, ecommerce, and an increasing number of other sites, an https (SSL/TLS) connection is the default. If an attacker tries to break in on such a connection by presenting a fake certificate, browsers and other software alerts a user that the certificate is invalid. This attack doesn't help with that at all.
If all your surfing is secure, then VPN-related DNS hijacking doesn't affect you, but then there's little reason to use a VPN, either. Peck notes, "If you're only talking to https sites, you probably don't need a VPN." (Peck jokes that his company's goal is to put themselves out of business, as they find it desirable that all routine traffic on the Internet is strongly encrypted.)
Second, it doesn't crack the reliability of the VPN tunnel. While PPTP as a standard is broken and shouldn't be used, L2TP, IPsec, and OpenVPN are reliable when configured correctly, and this new research doesn't change that.
Third, an attacker has to have proximity to where people are connecting to Wi-Fi in large numbers and using VPNs. While there are many ways to attack routers remotely and potentially insert malicious software, that's a far more severe problem, affecting every user of such subverted networks for all non-encrypted connections. This DHCP-plus-DNS hijacking technique might be yet another tool in that arsenal.
It's possible other researchers will use this work to find more easily or broadly exploitable problems in VPN setups in iOS and on other platforms. But now that the details are out, operating system and VPN client developers will be fixing holes. Some of the makers of software mentioned in the paper dispute their software is vulnerable or have made changes since hearing from the researchers or for routine reasons that they told the TorrentFreak site resolve one or both categories of exploit in the paper.
Cloak contacted me, reported to Apple, and posted a blog entry in the interests of making sure the scope of the problem was known early and being straightforward with its customers about even the slightest risk. Peck says, "From the perspective of a VPN provider, anything that effectively removes the protection of the VPN itself is crappy."
Sign up for Computerworld eNewsletters.