IVPN TunnelCrack vulnerability assessment

Privacy & Security By IVPN Staff | Posted on September 7, 2023

Context

TunnelCrack is the combination of two independent security vulnerabilities (LocalNet attack and ServerIP attack) that affect VPN applications. The research paper detailing these vulnerabilities was published and presented on 11 August 2023. IVPN apps were not tested by the researchers, and unlike other providers, we did not receive a vulnerability disclosure.

We have completed the assessment and investigation of the current IVPN applications on each platform we support. Below you can review the results of this process.

Assessment of IVPN apps

In summary:

The detailed assessment below covers the IVPN application versions in production at the time TunnelCrack details were released (Windows v3.11.15, macOS and Linux v3.11.14, iOS v2.10.0, Android v2.10.0). As highlighted after each section, all potential vulnerabilities have been patched in the IVPN app versions released since then.

For a detailed explanation of the possible attacks please consult the dedicated website or the research paper about TunnelCrack.

LocalNet attack

The LocalNet attack enables an adversary to leak traffic outside the VPN tunnel by making a remote server appear to be on the local network.

Desktop (macOS, Linux, Windows) - Potentially vulnerable on all desktop platforms if the option “Allow LAN traffic when IVPN firewall is enabled” was activated. This option is disabled by default in the IVPN desktop apps.

This issue is fixed in the latest version of IVPN for Desktop apps. The IVPN Firewall now adds exceptions only for non-routable IP addresses of local interfaces.

Android - Potentially vulnerable when the option “Bypass VPN for local networks” was activated. This option is disabled by default in the IVPN Android app.

This issue is fixed in the latest version of IVPN for Android apps. The app disables local network access when the local network is using public IP addresses.

iOS - IVPN for iOS was vulnerable to this type of attack. When a VPN connection was active, LAN traffic went outside the VPN tunnel by default.

In the latest version of IVPN for iOS apps, we have added a new “Disable LAN traffic” option that offers a fix for this issue when using OpenVPN and WireGuard protocols. When enabled, the app will not allow any traffic outside the VPN tunnel to the local network. This solution is implemented using the ‘includeAllNetworks’ and ‘excludeLocalNetworks’ APIs. When enabled, it can cause connectivity issues, e.g. losing the connection when switching from WiFi to a cellular network.
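The desktop and Android fixes above both come down to one decision: exempt a local subnet from the tunnel only if it is non-routable. The sketch below is an added example, not IVPN's code; the range list, function names and sample interfaces are assumptions made for illustration.

```python
import ipaddress

# Ranges treated as non-routable in this example (an assumption, not IVPN's list):
# RFC 1918 private, IPv4 link-local, IPv6 unique-local and IPv6 link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]

def lan_exception(interface_cidr):
    """Return the subnet to exempt from the tunnel, or None to keep it inside.

    The whole subnet must sit inside a non-routable range. Checking only the
    interface address is not enough: 10.0.0.5/1 has a private address, but its
    subnet 0.0.0.0/1 covers half of the public IPv4 space.
    """
    net = ipaddress.ip_interface(interface_cidr).network
    for allowed in NON_ROUTABLE:
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if net.version == allowed.version and net.subnet_of(allowed):
            return net
    return None

def plan_exceptions(interfaces):
    """Map interface name -> exempted subnet (or None) for a dict of name -> CIDR."""
    return {name: lan_exception(cidr) for name, cidr in interfaces.items()}

# Constructed sample: addresses that different networks might assign to the client.
SAMPLE = {
    "home_wifi": "192.168.1.23/24",           # ordinary private LAN
    "public_range_lan": "203.0.113.10/24",    # LAN advertised with public addresses
    "wide_mask_lan": "10.0.0.5/1",            # private address, oversized netmask
    "ipv6_ula": "fd12:3456:789a::10/64",      # IPv6 unique-local
    "ipv6_global": "2001:db8::10/32",         # stands in for a global IPv6 prefix
}

if __name__ == "__main__":
    for name, net in plan_exceptions(SAMPLE).items():
        verdict = f"allow LAN {net}" if net else "no exception, route via VPN"
        print(f"{name:18} -> {verdict}")
```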


ServerIP attack

The ServerIP attack detailed in the research uses DNS to spoof the IP address of the VPN server before the VPN is enabled. Traffic can be eavesdropped because the traffic for a VPN server is routed outside the tunnel. A proxy on the spoofed IP address passes VPN traffic to the correct VPN server so the user is unaware of an issue.

Desktop (macOS, Linux, Windows) - IVPN desktop apps are not vulnerable to this type of attack because adversaries are unable to spoof the VPN host IP. The apps do not use DNS to access VPN hosts, while data obtained from the VPN API server is protected by a certificate pinning mechanism.

Android - The IVPN for Android app was potentially vulnerable to the ServerIP attack. The app uses certificate pinning when accessing api.ivpn.net, blocking any communication with a spoofed API server, so obtaining a spoofed server IP address is not plausible. However, in the event of a backend failure the Android app obtained an empty server IP list, and connected to the VPN server using DNS as a fallback. This issue was only applicable to connections through the OpenVPN protocol. WireGuard connections are not affected.

This issue is fixed in the latest version of IVPN for Android apps. We have removed the fallback logic to connect using DNS (hostname), and the app now only connects to an OpenVPN server using an IP address.

iOS - Our iOS application is not vulnerable to this type of attack. The app uses certificate pinning when accessing api.ivpn.net, and blocks any communication with a spoofed API server, so obtaining a spoofed server IP address is not plausible. The app does not use DNS to access VPN servers, only IP addresses.
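The Android fallback described above, shown next to an IP-only selector that fails closed. This is an added example and not IVPN's code; the server-entry field names, the function names and the sample entries are hypothetical.

```python
import ipaddress

class NoTrustedEndpoint(Exception):
    """Raised instead of falling back to a DNS lookup."""

def remotes_with_dns_fallback(server):
    # Behaviour the post describes as the problem: an empty IP list silently
    # becomes a hostname, which the resolver on an untrusted network can answer.
    return list(server.get("ip_addresses") or []) or [server["hostname"]]

def remotes_ip_only(server):
    # Behaviour after the fix: only IP literals are returned, and an empty or
    # unusable list is an error the caller must surface, never a DNS lookup.
    remotes = []
    for entry in server.get("ip_addresses") or []:
        try:
            remotes.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # not an IP literal (for example a hostname): drop it
    if not remotes:
        raise NoTrustedEndpoint(f"no IP address for {server.get('hostname')!r}")
    return remotes

def outcome(select, server):
    """Return the remotes a selector yields, or the string 'refused'."""
    try:
        return select(server)
    except NoTrustedEndpoint:
        return "refused"

# Constructed server-list entries; the field names are hypothetical.
HEALTHY = {"hostname": "gw1.vpn.example", "ip_addresses": ["198.51.100.7"]}
BACKEND_FAILURE = {"hostname": "gw1.vpn.example", "ip_addresses": []}

if __name__ == "__main__":
    for label, server in (("healthy", HEALTHY), ("backend failure", BACKEND_FAILURE)):
        print(label, "| fallback:", outcome(remotes_with_dns_fallback, server),
              "| ip-only:", outcome(remotes_ip_only, server))
```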
