this post was submitted on 06 May 2024
497 points (98.3% liked)

Technology

59323 readers
4559 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Postmortal_Pop@lemmy.world 39 points 6 months ago (2 children)

So I gave the article a glance and it's a bit beyond me can someone give me an eli5?

[–] Bricriu@lemmy.world 60 points 6 months ago (1 children)

My understanding is that if you run a rogue discoverable DHCP server in a local network with a particular set of options set and hyper-specific routing rules, you can clobber the routing rules set by the VPN software on any non-Android device, and route all traffic from those devices through arbitrary midpoints that you control.

But IANANE (I am not a network engineer) so please correct my misinterpretations.

[–] applepie@kbin.social 32 points 6 months ago (4 children)

this implies physical access or at least access within the network?

[–] SzethFriendOfNimi@lemmy.world 49 points 6 months ago (1 children)

Keeping in mind that may mean that somebody like a cellular provider could do so. Since your local network in that context would be them.

[–] sailingbythelee@lemmy.world 25 points 6 months ago (1 children)

Exactly. And if your ISP or cellular provider wants, or is forced, to gather information about your internet activities, they can almost certainly find a way. The cheap consumer-grade VPN services most of us use just prevent casual or automated observers from easily detecting your device's IP address. For most people that just want to torrent casually or use public wifi, it's enough.

[–] TexasDrunk@lemmy.world 5 points 6 months ago

Or to watch porn in one of the states that block porn.

[–] lemmyng@lemmy.ca 7 points 6 months ago

It has implications on the effectiveness of VPNs on public networks.

[–] transientpunk@sh.itjust.works 6 points 6 months ago

That, or the ability to spoof it

[–] Pretzilla@lemmy.world 1 points 6 months ago

Or I expect compromise of anything on the LAN that can create a rogue DNS server that can override the routing table.

But I might be missing something

[–] vvv@programming.dev 50 points 6 months ago* (last edited 6 months ago) (3 children)

(obligatory I'm not a network surgeon this is likely not perfectly correct)

The article mentions network interfaces, DHCP and gateways so real quick: a network interface usually represents a physical connection to a network, like an Ethernet port or a WiFi card. DHCP is a protocol that auto configured network routes and addresses once a physical connection is established, like when you jack in via an ethernet cable, it tells you the IP address you should go by, the range of IP address on the network you've connected to, where you can resolve domain names to IP addresses. It also tells you the address of a default gateway to route traffic to, if you're trying to reach something outside of this network.

You can have more than one set of this configuration. Your wired network might tell you that your an address is 10.0.0.34, anything that starts with 10.0.0. is local, and to talk to 10.0.0.254 if you're trying to get to anything else. If at the same time you also connect to a wireless network, that might tell you that your address is 192.168.0.69, 192.168.0.* is your local network, and 192.168.0.254 is your gateway out. Now your computer wants to talk to 4.2.2.2. Should it use the wireless interface and go via 192.168.0.254? or the wired one and use 10.0.0.254? Your os has a routing table that includes both of those routes, and based on the precedence of the entries in it, it'll pick one.

VPN software usually works by creating a network interface on your computer, similar to an interface to a WiFi card, but virtual. It then asks the OS to route all network traffic, through the new interface it created. Except of course traffic from the VPN software, because that still needs to get out to the VPN provider (let's say, at 1.3.3.7) via real Internet.

So if you're following along at home, your routing table at this point might look like this:

  • traffic to 1.3.3.7 should go to 10.0.0.254 via the wired interface
  • all traffic should go to the VPN interface
  • traffic to 10.0.0.* should go to the wired interface
  • all traffic should go to 10.0.0.254 via the wired interface
  • traffic to 192.168.0.* should go to the wireless interface
  • all traffic should go to 192.168.0.254 via the wireless interface

whenever your os wants to send network packets, it'll go down this list of rules until one applies. With that VPN turned on, most of the time, only those two first rules will ever apply.

If I'm reading the article correctly, what this attack does, is run a DHCP server, that when handing out routing rules, will send one with a flag that causes, for example, the last two rules to be placed at the top of the list instead of the bottom. Your VPN will still be on, the configuration it's requested the OS to make would still be in place, and yet all your traffic will be routed out to this insecure wireless network that's somehow set itself as the priority route over anything else.

[–] mysticalone@lemmy.world 18 points 6 months ago

Thank you network nurse

[–] Postmortal_Pop@lemmy.world 5 points 6 months ago (1 children)

That actually lays it out incredibly well for me. So in practice, what would I need to look out for as a wired desktop Ubuntu user with mullvad? It's sounding like this is going to be an issue on public networks, is this something my isp can do to me at home?

[–] xabadak@lemmings.world 2 points 6 months ago

It all depends on how much you trust the devices on your LAN. So your ISP can't do anything unless they own and control your router, since that is on your LAN. So one concern might be if you connect your PC to coffee shop wifi, since all other devices in the shop are on the same LAN, not to mention the coffee shop owns the wifi router and can also perform the attack. Another concern might be if a family member in your house has a device that got hacked, then all devices in your house are vulnerable.

[–] verity_kindle@sh.itjust.works 3 points 6 months ago

Thank you, you are a surgeon of charity