Private I: Hijacked DNS puts iOS virtual private networks at slight risk

Virtual private network (VPN) connections designed to keep data safe from snooping eyes may be vulnerable to two forms of network attacks by malicious parties with access to a local network, a research paper (PDF) explained on June 30. The founders of Cloak, a VPN service with native iOS and OS X apps, say that the more severe of the two vulnerabilities also exists in iOS's most deeply integrated VPN protocol, and can't be mitigated without Apple's involvement.

A VPN creates an encrypted "tunnel" between two endpoints, one on a computer or mobile device and another on a server in a data center (for public VPNs, like Cloak, TunnelBear, and many others) or on a company's network. This tunnel is designed to prevent sniffing of a connection at a public place and over broadband networks.

The research paper points to two key weaknesses they were able to exploit in several popular VPN services' apps, some of which are also available for other platforms, using three common protocols: PPTP, L2TP, and OpenVPN. While iOS and OS X also support PPTP and L2TP for establishing and encrypting a connection, Cloak's Dave Peck and Peter Sagerson, two of its three founders, built a proof of concept that shows an additional protocol, IPsec, is susceptible to one of the exploits.

Peck says that because of how Apple has built IPsec into iOS, any VPN client using that protocol--including Cloak--could be fooled. The company filed a report in Apple's bug-tracking system yesterday (mirrored here), and posted a security notice today on its site. Macworld asked Apple for a comment, and will update this story if one becomes available.

While the severity is high, the risk of wide-scale exploitation is low. Let's get into the details.

How the hijacking works

The five authors of "A Glance through the VPN Looking Glass" found two unique problems in examining commercially available VPN client software. The first relates to IPv6 networking, which doesn't seem to affect iOS and can be worked around in OS X. The second involves DNS (domain name system) hijacking. In both cases, the integrity of the secure tunnel isn't affected. Rather, it's the ability to intercept a subset of traffic that's at stake, allowing a malicious party to act as a man-in-the-middle.

DNS hijacking potentially affects any connection made through the VPN. In the exploit described in the paper, a ne'er-do-well has to hijack local network address assignment using DHCP (Dynamic Host Configuration Protocol). On public networks, a device first connects to the network, and then a DHCP server in the network's router assigns it a local address, and provides a network range for the local network and DNS server details.

In the hijack, an attacker subverts DHCP, typically by creating an "evil twin" hotspot, which is a router that has the name or names of a nearby Wi-Fi network. It's also possible to grab a list of networks that any computer or mobile has connected to in the past, and serve up one of those to capture it.

Once the association is made, the bad guys' DHCP server provides an illegitimate address range that tells the requesting device it's on the same Internet network segment as the DNS server that the VPN client relies on. In many cases, this is Google's Public DNS service, for which the primary address is (Because a VPN server typically provides its own DNS server addresses, just swapping in malicious DNS servers via DHCP doesn't work.)

By fooling the device into thinking it's on the same network segment, it allows the malicious router to provide responses to DNS requests, which would be ignored if a proper local network assignment were made. The router acts as a gateway to pass through all traffic the attackers aren't interested in, and then uses either a local or remote proxy to intercept desired web or other sessions at the other end of the VPN tunnel. That is, a user enters a website address, the false DNS server provides an alternate address, and the connection is made through the other end of the tunnel. To an intercepted user, the session looks normal, but an attacker is sitting in the middle as a relay.

Cloak's Peck and Sagerson were able to duplicate this subversion in iOS using IPsec with about two hours' work by setting up their own malicious test system. Peck says, "We found ways to manipulate the routing table to make these attacks."

The two wanted to highlight this problem because the paper's authors suggest effective mitigation for DNS hijacking with PPTP, an outdated and broken standard still in use at times, and L2TP, a more modern one. The paper says by putting a DNS server in the same network range as the VPN's gateway address, the hijacking can't work with these two standards as well as another called OpenVPN.

However, for IPsec, which Apple has put its development weight behind in iOS, there's no workaround. The proposed mitigation has a VPN service set the address of DNS servers to be in the same network range as the VPN server's gateway address. But with IPsec, there's no concept of a gateway address, Sagerson says, so the mitigation isn't possible.

Apple would need to make low-level, but not difficult changes to iOS's networking stack, the set of software that handles Internet and other communications, to require an explicit route to one or more DNS servers when the VPN client connects.

A limited set of risks

The good news about this exploit is that while it is severe in its nature, it's very to extremely limited in how it might be turned against VPN users.

First, the hijacking doesn't subvert secure web, email, or other connections. For banking, ecommerce, and an increasing number of other sites, an https (SSL/TLS) connection is the default. If an attacker tries to break in on such a connection by presenting a fake certificate, browsers and other software alerts a user that the certificate is invalid. This attack doesn't help with that at all.

If all your surfing is secure, then VPN-related DNS hijacking doesn't affect you, but then there's little reason to use a VPN, either. Peck notes, "If you're only talking to https sites, you probably don't need a VPN." (Peck jokes that his company's goal is to put themselves out of business, as they find it desirable that all routine traffic on the Internet is strongly encrypted.)

Second, it doesn't crack the reliability of the VPN tunnel. While PPTP as a standard is broken and shouldn't be used, L2TP, IPsec, and OpenVPN are reliable when configured correctly, and this new research doesn't change that.

Third, an attacker has to have proximity to where people are connecting to Wi-Fi in large numbers and using VPNs. While there are many ways to attack routers remotely and potentially insert malicious software, that's a far more severe problem, affecting every user of such subverted networks for all non-encrypted connections. This DHCP-plus-DNS hijacking technique might be yet another tool in that arsenal.

It's possible other researchers will use this work to find more easily or broadly exploitable problems in VPN setups in iOS and on other platforms. But now that the details are out, operating system and VPN client developers will be fixing holes. Some of the makers of software mentioned in the paper dispute their software is vulnerable or have made changes since hearing from the researchers or for routine reasons that they told the TorrentFreak site resolve one or both categories of exploit in the paper.

Cloak contacted me, reported to Apple, and posted a blog entry in the interests of making sure the scope of the problem was known early and being straightforward with its customers about even the slightest risk. Peck says, "From the perspective of a VPN provider, anything that effectively removes the protection of the VPN itself is crappy."

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleTunnelBearNetworkingsecurityvpnVPNssage

More about AppleGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place