I contacted Proton VPN about the TunnelVision exploit and I got a response. I feel great about it, thank you Proton!

Hi,

Thank you for your patience.

Our engineers have conducted a thorough analysis of this threat, reconstructed it experimentally, and tested it on Proton VPN. Please note that the attack can only be carried out if the local network itself is compromised.

Regardless, we’re working on a fix for our Linux application that will provide full protection against it, and it’ll be released as soon as possible.

If there’s anything else that I can help you with in the meantime, please feel free to let me know.

Have a nice day!

  • ryannathans@aussie.zone
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    1
    ·
    edit-2
    8 months ago

    To be fair if you used it on a public network like an airport or restaurant… yeah

    • 4am@lemm.ee
      link
      fedilink
      English
      arrow-up
      21
      ·
      8 months ago

      Yeah, it’s kind of incredible the responses I see to this story that are like “bro if they got as far as planting a rogue DHCP server on your network you were already owned anyway, yawn”

      Like, you do realize people use VPNs over unsecured WiFi all the time right? That’s one of the primary use cases. You can’t guarantee every network hasn’t been compromised.

      Armchair netsec quarterbacks need to get out more.

      • gencha@lemm.ee
        link
        fedilink
        English
        arrow-up
        6
        ·
        8 months ago

        If I learned one thing from TunnelVision, it’s how blindly people are operating right now. If you open a VPN tunnel, also ensure traffic is actually routed through it, especially if you don’t control the network. Adding a tunnel on top of the insecure network also does not protect your client from other malicious clients on that network. I feel like people have seen one too many VPN snake oil salesman on social media.

      • BarbecueCowboy@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        8 months ago

        I think it’s because lot of us have been just kind of over-exposed to things like this. It’s like, yes, I’d imagine you could do a lot of interesting stuff if you’ve already compromised everything else first, thanks pen test. This one is not quite at that level, but I think we’re all just exhausted with similar ones, ya know.

      • Socsa@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        I am skeptical of this being viable on public Wi-Fi tbh. You’d need to know ahead of time which VPN servers the target will attempt to contact, some information about the target ahead of time, and you need to DHCP poison the entire network prior to the target connecting. That would effectively bring down the network for all but two hosts - the attacker and target.

        I mean at that point, you can also just repeatedly deauth the target until it connects to your spoofed network and do whatever you want, and it would be way less obvious to an outside observer.

      • runswithjedi@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        The exploit is possible because the local network may have a rogue DHCP server overwriting IP routes. If you’re on a mobile network, they are the local network. TunnelVision means a mobile carrier can spy on your VPN traffic now. Unless you run Android.