The exploit is possible because the local network may have a rogue DHCP server overwriting IP routes. If you’re on a mobile network, they are the local network. TunnelVision means a mobile carrier can spy on your VPN traffic now. Unless you run Android.
I think the new thing is that VPN usage is fairly mainstream now. There are lots of services that advertise themselves as having the ability to hide all traffic. It’s certainly news to me, as I hadn’t even heard of a VPN in 2003. The researchers do say that this has been possible since 2002.