You may be hearing reports of a new vulnerability called TunnelVision that can allow an attacker to bypass VPN protection under certain circumstances. We’d like to take a moment to explain the report and reassure you of the security of the ExpressVPN apps and services.
On May 6, 2024, a paper titled “TunnelVision – How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak” revealed a technique that would allow an attacker to circumvent VPN protection in some specific situations. The researchers reached out to us prior to the publication of the paper, and we’ve had time to do extensive testing on our own.
After a thorough evaluation, we can confirm that the technique described in the paper has minimal impact on ExpressVPN users, thanks to the robust design of our kill switch, Network Lock. We detail our investigation and how it relates to ExpressVPN’s apps on each platform we support below.
But before we get into the technical details, we’d like to emphasize that this issue can only occur if multiple specific conditions are met.
If you’re at home and no one has hacked your router, you’re safe. If you’re connecting by cellular network and not anyone else’s Wi-Fi, you’re safe. If the Wi-Fi network you’re joining is not controlled by a malicious actor, you’re safe. If you’re on a laptop and your kill switch is on, you’re safe. And so on. In practice it takes quite a combination of factors, all existing simultaneously, for this issue to present any risk at all.
What’s TunnelVision about?
The issue raised by the researchers arises from DHCP (Dynamic Host Configuration Protocol), a feature inherent in networking devices like routers. This protocol is used to automatically configure your device so that it can connect to the network and the internet beyond.
Part of this configuration is to tell your device exactly where it should send traffic so that it can reach the internet.
There’s a lesser-known DHCP feature, however, known as Option 121, which enables setting alternative routes for specific destinations—say, the IP addresses that host www.google.com. Any device that supports Option 121 has the potential to have these additional gateways added, diverting the traffic that otherwise would follow the default path.
When you connect with ExpressVPN, we set our own routes to tell your device that it should talk to the internet over the VPN connection. This works because our routes are more specific than the default route, and so they take precedence.
However, with Option 121, it is possible for an even more specific route to be set—one that is more specific than ours—causing traffic that should flow over the VPN to instead flow via this more specific route. It’s important to note that this “preference for the specific” is not in itself a vulnerability; it is fundamental to how networking works. It can cause undesired behavior, unless specific mitigations have been put in place to prevent it. ExpressVPN has long recognized the risk of such a problem (either because of a malicious attacker or simply from an honest misconfiguration), and that is why we ship our apps with Network Lock enabled by default.
In their TunnelVision paper, the researchers assert that it is possible to induce a leak of VPN traffic when using something called DHCP Option 121 classless static routes, and that this affects all VPN providers and VPN protocols that support such routes.
To put this simply, it means that under certain conditions (and only when you connect to a network you don’t control, like hotel or airport Wi-Fi), an attacker with control of the Wi-Fi router could designate that any traffic bound for a particular destination be diverted outside the VPN.
It takes a specific sequence of conditions to be met for anyone to be affected by this issue, and ExpressVPN’s customers are among the best protected, in part because of the strength and structure of Network Lock.
TunnelVision’s impact on ExpressVPN
The potential of this technique depends on the operating system or device being used.
Starting with our desktop users: thanks to Network Lock, the ExpressVPN kill switch on Mac, Windows, Linux, and routers, the potential for exposure is limited. Whether you use Mac or Windows, our investigations found that this technique could only pose a threat if our kill switch, Network Lock, had been manually disabled by a user. As Network Lock is enabled by default, users who have never modified their settings cannot be affected.
So if you, like many ExpressVPN users, simply open your app, hit the big On button, and occasionally change locations, then you have never been exposed to this issue. The way we designed our kill switch ensures that our desktop users are defended against this technique and other attacks that attempt to force traffic outside of the VPN.
When Network Lock is on, we found that leaks do not occur. Traffic bound for the destination designated by an attacker would result in “denial of service”—it would simply be blocked, resulting in a blank webpage or error message. Traffic that was headed to any other destination (in other words, anywhere not specified for diversion by the attacker) would pass through the VPN as normal. However, if a user has manually turned Network Lock off, then the traffic would indeed be allowed to pass via the diverted route, causing a leak.
As such, we highly recommend that all ExpressVPN users enable the kill switch at all times. We’re also adding new reminders in our apps to encourage users to keep the kill switch toggled on.
On Aircove and Aircove Go routers, you cannot be vulnerable as the kill switch is always on and cannot be disabled.
Now to mobile users. On Android, you cannot have been exposed, regardless of your kill switch setting, because DHCP Option 121 is not supported on that platform at all. But on iOS, there is some degree of vulnerability, even with our kill switch activated. This is due to a longstanding limitation set by Apple itself, which effectively makes an ironclad kill switch impossible. Still, using a 4G or 5G cellular connection instead of Wi-Fi is fully effective in preventing this attack.
How we built and designed Network Lock to protect users
As we’ve explained, Network Lock is the ExpressVPN kill switch on Mac, Windows, Linux, and routers. It keeps user data safe by blocking all internet traffic until protection is restored. A similar feature is available under the Network Protection settings of our iOS and Android apps. We offer these features because a reliable kill switch is an essential feature of a VPN, key to protecting users and ensuring their privacy. That’s why we also turn our kill switch on by default and have spent a lot of time investing in its reliability since we first rolled it out in 2015.
We also made a lot of careful engineering and design decisions to implement the feature. Our Network Lock feature prevents all types of traffic, including IPv4, IPv6, and DNS, from leaking outside of the VPN, such as when the user’s internet connection is disrupted, when switching between Wi-Fi networks, and in various other scenarios where other VPNs might leak.
Our kill switch functionality on router firmware and all desktop platforms works by applying a “block everything” firewall rule followed by a rule that permits traffic exclusively through the VPN tunnel. These kill switch rules are first engaged when the VPN connects, and they remain active during reconnect cycles and unexpected disconnects. This is exactly what the researchers are referencing in the “Industry Impact” section of their report when they state that they “have observed a mitigation from some VPN providers that drops traffic to non-VPN interfaces via firewall rules.”
This setup safeguards against the TunnelVision exploit and similar threats. It blocks any traffic trying to bypass the VPN, including any routes that TunnelVision may have introduced.
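As an added example (not ExpressVPN’s code) tying together the longest-prefix-match explanation under “What’s TunnelVision about?” and the “block everything, then allow the tunnel” rule just described: the model below decodes a constructed DHCP Option 121 payload (RFC 3442 format), shows a /32 route from the router beating the VPN client’s own routes (two /1 routes are assumed here as the way the client overrides the default), and applies a Network Lock-style policy that drops any packet not leaving via the tunnel interface. Interface names and addresses are made up.

```python
"""Constructed model of the TunnelVision routing conflict and of a
"block everything, then allow the tunnel" kill switch (example, not ExpressVPN's)."""
import ipaddress

def parse_option_121(data: bytes):
    """Decode RFC 3442 classless static routes. Each entry is a prefix
    length byte, only the significant destination octets, then a 4-byte
    router address; a prefix length of 0 encodes the default route."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8                      # significant octets
        dest = data[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        gw = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((ipaddress.IPv4Network(
            (int.from_bytes(dest, "big"), plen)), str(gw)))
        i += 5 + n
    return routes

def build_table(option_121: bytes, lan_iface="wlan0", vpn_iface="tun0"):
    """Routes the VPN client installs (two /1 routes, more specific than
    the /0 default; a common technique, assumed here) plus the DHCP
    routes, which point out of the LAN interface."""
    table = [(ipaddress.IPv4Network("0.0.0.0/1"), "vpn", vpn_iface),
             (ipaddress.IPv4Network("128.0.0.0/1"), "vpn", vpn_iface)]
    table += [(net, gw, lan_iface) for net, gw in parse_option_121(option_121)]
    return table

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.IPv4Address(dst)
    return max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)

def egress(table, dst, network_lock=True, vpn_iface="tun0"):
    """Kill-switch policy: drop anything that would not leave via the tunnel."""
    _, _, iface = lookup(table, dst)
    if iface != vpn_iface and network_lock:
        return "DROP"                            # blank page, not a leak
    return f"ALLOW via {iface}"

# Constructed Option 121 payload: default route via 192.168.1.1, plus a /32
# route for 203.0.113.10 (TEST-NET-3) via the same router.
OPTION_121 = bytes([0, 192, 168, 1, 1,
                    32, 203, 0, 113, 10, 192, 168, 1, 1])

if __name__ == "__main__":
    table = build_table(OPTION_121)
    for dst in ("203.0.113.10", "198.51.100.7"):
        print(dst, egress(table, dst), "| lock off:", egress(table, dst, False))
```

With the lock on, the diverted destination is blocked rather than leaked, which is the “denial of service” behaviour described above; every other destination still goes out through the tunnel.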
What this means for the VPN industry
Fundamentally, the TunnelVision research highlights how important it is that VPNs meet a standard of excellence when it comes to privacy and security design.
Since there isn’t a single standard industry implementation of a kill switch, the devil is in the details. It becomes more important than ever to pick a premium VPN provider that prioritizes both security and ease of use. We appreciate the efforts of the researchers in highlighting the importance of a reliable kill switch when consumers are selecting a VPN.
We also thank them for their industry-wide effort toward responsible disclosure of this issue—continued security research, delivered in a responsible manner, is an important facet of a healthy cybersecurity landscape. We want to encourage our users, industry partners and researchers to continue to push for a deeper understanding of the technologies underlying privacy and security solutions.
Comments
Thanks for the comprehensive article. One thing I don’t see mentioned is for routers that are not Aircove or Aircove Go. I have a Linksys router with your router firmware installed and do not see any Network Lock settings or anything that resembles such. Am I still protected?
Like Aircove and Aircove Go, the kill switch on the ExpressVPN router app is always on and cannot be disabled, ensuring constant protection.